Cisco ASA 5506W VPN Clients not seeing local network

D Blum
Level 1

VPN Client connects and gets proper IP address, but cannot ping local servers or access local resources


Cisco AnyConnect Secure Mobility Client 4.2.01035
(Wed Feb 03 06:28:51 2016)

Connection Information
State: Connected
Tunnel Mode (IPv4): Split Exclude
Tunnel Mode (IPv6): Drop All Traffic
Duration: 00:05:04


Address Information
Client (IPv4): 192.168.1.101
Client (IPv6): Not Available
Server: x.x.x.x

Client Management
Administrative Domain: Undefined
Profile Name: xxx.xml


Feature Configuration
Trusted Network Detection: Disabled


Route Details

Non-Secured Routes (IPv4)
192.168.0.0/24


Secured Routes (IPv4)
0.0.0.0/0

Relevant Config

interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VPN
subnet 192.168.1.0 255.255.255.0
object network DMZ1
range 192.168.0.100 192.168.0.101
object network DMZ2
range 192.168.0.35 192.168.0.36

object network pb_any
subnet 192.168.0.0 255.255.0.0
object network pb_inside
subnet 192.168.0.0 255.255.255.0
object network Inside_Subnet
subnet 192.168.0.0 255.255.0.0
object-group network nonat
network-object 192.168.0.0 255.255.0.0

access-list Split-Tunnel standard permit 192.168.0.0 255.255.255.0
access-list traffic extended permit ip 192.168.0.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.51.0 255.255.255.0

no arp permit-nonconnected
nat (any,any) source static DMZ2 DMZ2
nat (any,outside) source dynamic VPN interface description VPN Access to Internet
nat (any,any) source static nonat nonat destination static nonat nonat no-proxy-arp
nat (any,any) source static DMZ1 DMZ1 destination static VPN VPN
nat (any,any) source static DMZ2 DMZ2 destination static VPN VPN
nat (any,any) source static DMZ1 DMZ1
nat (inside,outside) source static pb_inside pb_inside destination static VPN VPN
!
object network obj_any
nat (any,outside) dynamic interface
object network pb_inside
nat (outside,outside) dynamic interface

Any thoughts? Users are connecting via LDAP. Thank you.


9 Replies

Boris Uskov
Level 4

Hello!

I think the issue may be with an incorrect split-tunnel policy. Try the following configuration inside the VPN group-policy:

split-tunnel-policy tunnelall

Here is my group policy

group-policy NoAccess internal
group-policy NoAccess attributes
  vpn-simultaneous-logins 0
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  address-pools none
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
  wins-server none
  dns-server value 192.168.0.10 
  vpn-tunnel-protocol ikev2 ssl-client
  split-tunnel-policy excludespecified
  split-tunnel-network-list value internal_traffic
  webvpn
    anyconnect profiles value VPN type user

dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record AV_Check
dynamic-access-policy-record OS_Check

---------------

So you are recommending changing it to:

group-policy GroupPolicy_VPN attributes
  wins-server none
  dns-server value 192.168.0.10 
  vpn-tunnel-protocol ikev2 ssl-client 
  split-tunnel-policy tunnelall
  

Please note we only want network traffic to use the VPN, and if a user is just surfing the internet, to use their own internet access, to reduce network traffic. Thank you.

No, I thought that you wanted to tunnel all your traffic and use the ASA's ISP. I thought so because of the following NAT statement:

nat (any,outside) source dynamic VPN interface description VPN Access to Internet

Anyway, to implement your task, you should use another split-tunnel policy: tunnelspecified.

Please, try to make the following change:

no access-list Split-Tunnel standard permit 192.168.0.0 255.255.255.0
access-list Split-Tunnel standard permit 192.168.0.0 255.255.0.0
group-policy GroupPolicy_VPN attributes
 no  split-tunnel-policy excludespecified
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel

This may help. 

Also, what IP pool do you use for VPN Clients?
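As an added illustration of why the change above works (example code written for this thread, not Cisco's or the ASA's own logic), the Python below models the three split-tunnel-policy values and reproduces the Secured / Non-Secured route lists that AnyConnect showed in the original post. The ACL lines are copied from the thread; the destination addresses used in the demo (192.168.0.10 as a local server, 8.8.8.8 as "just surfing the internet") are constructed stand-ins.

```python
import ipaddress
from typing import List, Tuple

# Added example for this thread, not the ASA's own code: a model of how the
# split-tunnel-policy value turns a standard ACL into the "Secured" and
# "Non-Secured" route lists that the AnyConnect client displays.

ANY = ipaddress.ip_network("0.0.0.0/0")

# ACL lines copied from the thread: the original list and the accepted fix.
ACL_BEFORE = ["access-list Split-Tunnel standard permit 192.168.0.0 255.255.255.0"]
ACL_AFTER = ["access-list Split-Tunnel standard permit 192.168.0.0 255.255.0.0"]


def parse_standard_acl(acl_lines: List[str]) -> List[ipaddress.IPv4Network]:
    """Turn 'access-list NAME standard permit NET MASK' lines into networks."""
    nets = []
    for line in acl_lines:
        parts = line.split()
        if parts[:1] == ["access-list"] and parts[2:4] == ["standard", "permit"]:
            # ipaddress accepts the dotted-mask form the ASA uses
            nets.append(ipaddress.ip_network(f"{parts[4]}/{parts[5]}"))
    return nets


def split_tunnel_routes(policy: str, acl_lines: List[str]) -> Tuple[List, List]:
    """Return (secured, non_secured) routes for a group-policy split-tunnel setting."""
    nets = parse_standard_acl(acl_lines)
    if policy == "tunnelall":          # everything through the tunnel, ACL ignored
        return [ANY], []
    if policy == "tunnelspecified":    # only the listed networks are tunneled
        return nets, []
    if policy == "excludespecified":   # everything is tunneled EXCEPT the listed networks
        return [ANY], nets
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def tunneled(dst: str, secured: List, non_secured: List) -> bool:
    """Longest-prefix match over both lists; a more specific exclusion wins over 0.0.0.0/0."""
    addr = ipaddress.ip_address(dst)
    best_len, best_secured = -1, False
    for net in secured:
        if addr in net and net.prefixlen > best_len:
            best_len, best_secured = net.prefixlen, True
    for net in non_secured:
        if addr in net and net.prefixlen > best_len:
            best_len, best_secured = net.prefixlen, False
    return best_secured


def decision(policy: str, acl_lines: List[str], dst: str) -> bool:
    """True if traffic to dst goes through the tunnel under this policy and ACL."""
    return tunneled(dst, *split_tunnel_routes(policy, acl_lines))


if __name__ == "__main__":
    # 192.168.0.10 stands in for a local server; 8.8.8.8 is a constructed
    # stand-in for ordinary internet browsing.
    for policy, acl in (("excludespecified", ACL_BEFORE), ("tunnelspecified", ACL_AFTER)):
        sec, non = split_tunnel_routes(policy, acl)
        print(f"{policy:17} secured={[str(n) for n in sec]} non-secured={[str(n) for n in non]}")
        for dst in ("192.168.0.10", "8.8.8.8"):
            print(f"  {dst:13} -> {'tunnel' if tunneled(dst, sec, non) else 'local ISP'}")
```

With the original excludespecified policy and the /24 list, the local server falls into the non-secured route and is sent to the client's own ISP, which is exactly the "cannot ping local servers" symptom; with tunnelspecified the listed range is the only secured route and internet traffic stays local, which is the behaviour the question asked for.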

Thank you for the info, here is the local ip pool

ip local pool VPN_Pool 192.168.1.101-192.168.1.240 mask 255.255.255.0

OK, no problem, I'll be glad if my advice helps.

Also, do you have an inside network with the same IP subnet as VPN_Pool? I mean, 192.168.1.0/24?

The problem is that you may experience some connectivity issues due to the NAT statement:

nat (any,any) source static nonat nonat destination static nonat nonat no-proxy-arp

The "no-proxy-arp" keyword can play a role in this case.

I really advise you to use a VPN_Pool subnet which is completely different from your inside subnets. For example, 172.16.1.0/24 for VPN_Pool.

If you change your VPN pool, I also advise you to add the "no-proxy-arp" and "route-lookup" keywords to all of your NAT exception rules.
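The overlap question raised above can be checked mechanically. The following is an added example (not Cisco's code) that parses the interface and ip local pool lines from the config shown in this thread and reports any interface subnet that contains an address from the pool's range. The second config is constructed: it adds a hypothetical "lab" interface on 192.168.1.0/24, which does not exist in the original config, purely to show what a conflict looks like.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Added example for this thread, not Cisco's code: check an ASA config excerpt
# for an 'ip local pool' that overlaps an interface subnet, the situation
# asked about above.

# Interface and pool lines copied from the thread.
PAGE_CONFIG = """
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
ip local pool VPN_Pool 192.168.1.101-192.168.1.240 mask 255.255.255.0
"""

# Constructed variant: a hypothetical 'lab' interface that sits on the same
# 192.168.1.0/24 as the pool (not part of the original config).
CONFLICTING_CONFIG = PAGE_CONFIG + """
interface GigabitEthernet1/3
 nameif lab
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")


def interface_subnets(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map each nameif to the subnet of its 'ip address A M' line."""
    subnets, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # new block; nameif comes before ip address
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            parts = line.split()             # 'ip address A M [standby S]'
            subnets[name] = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
    return subnets


def parse_pool(config: str) -> Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Return (name, first, last) from the first 'ip local pool' line."""
    for raw in config.splitlines():
        m = POOL_RE.match(raw.strip())
        if m:
            name, first, last, _mask = m.groups()
            return name, ipaddress.ip_address(first), ipaddress.ip_address(last)
    raise ValueError("no 'ip local pool' line found")


def pool_overlaps(config: str) -> List[str]:
    """Names of interfaces whose subnet contains any address of the pool's range."""
    _, first, last = parse_pool(config)
    hits = []
    for name, net in interface_subnets(config).items():
        # the ranges overlap unless the pool lies entirely below or above the subnet
        if not (last < net.network_address or first > net.broadcast_address):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, cfg in (("thread config", PAGE_CONFIG), ("constructed conflict", CONFLICTING_CONFIG)):
        name, first, last = parse_pool(cfg)
        print(f"{label}: pool {name} {first}-{last} overlaps {pool_overlaps(cfg) or 'nothing'}")
```

For the config in this thread the check comes back empty (inside is 192.168.0.0/24, the pool sits in 192.168.1.0/24), which matches the answer given below; the constructed variant reports "lab" because its subnet contains the pool's addresses.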

The internal subnet is 192.168.0.0/24.

OK, so just try the split-tunnel policy "tunnelspecified" and the configuration I posted above.

Hope this helps.

That worked; employees have network access. Thank you.

Great news! Mark the question as answered, please.