Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1500
Views
0
Helpful
8
Replies

Cisco ASA 5508-X - Issue with Split-tunnel

Go to solution
steve32881
Level 1
Level 1

‎01-23-2021 02:18 AM - edited ‎01-23-2021 02:55 AM

Hi, I have a problem with my AnyConnect Split-tunnel configuration.  When connected I am able to ping or reach internal subnets which have been specified in the split-tunnel ACL but I can't ping nor reach any public sites that I want to be reached through the VPN.

 

When checking my routing table, I can see that the route to that site that I added to the split-tunnel ACL is there but when trying to reach it or ping it nothing works.

I am able to do so if I remove that site from the ACL, but that means that traffic is going out from my normal home connection.

 

The issue is not just a DNS problem as I can't even ping the domain.  Any help will be much appreciated!  Thanks =]

Also if someone can explain to me why the hitcount on the split-tunnel ACLs remain 0 would be great. 

Labels:
_clean_conf.txt
Preview file
10 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎01-23-2021 03:42 AM

@steve32881 

If you are tunneling the traffic through the VPN and out to the internet, you'll need a NAT rule, for the anyconnect network e.g.

 

object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

HTH

View solution in original post

0 Helpful
8 Replies 8

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-23-2021 02:28 AM

Are you not able to reach the external site? is this DNS resolution ok?

 

can you post-show run to look at the config?

 

or look below example guide to give you the right direction :

 

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6

 

https://www.petenetlive.com/KB/Article/0001239

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
steve32881
Level 1
Level 1
In response to balaji.bandi

‎01-23-2021 02:47 AM

Hi, thanks for the quick reply.  I did attach the config with the original post.

As for your question, when connected with the VPN, DNS resolution seems to work but can't access the site nor ping it.

0 Helpful

Go to solution
steve32881
Level 1
Level 1
In response to steve32881

‎01-23-2021 03:38 AM

Any idea why this is happening?  thanks

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎01-23-2021 03:42 AM

@steve32881 

If you are tunneling the traffic through the VPN and out to the internet, you'll need a NAT rule, for the anyconnect network e.g.

 

object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

HTH

0 Helpful

Go to solution
steve32881
Level 1
Level 1
In response to Rob Ingram

‎01-23-2021 03:44 AM

Thanks Rob I'll try that out and let you know.

0 Helpful

Go to solution
steve32881
Level 1
Level 1
In response to Rob Ingram

‎01-23-2021 07:23 AM

Hey Rob,  that was spot on mate thank you very much!  Issue fixed =]

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎01-23-2021 05:52 AM - edited ‎01-23-2021 07:25 AM

...

0 Helpful

Go to solution
steve32881
Level 1
Level 1
In response to MHM Cisco World

‎01-23-2021 07:25 AM

Hey thanks for the feedback!

 

nat (outside,outside) source dynamic OBJ-ANYCONNECT-SUBNET SNAT-IP-XXX destination static XXX-REMOTE XXX-REMOTE

 

This rule I use it so that my anyconnect users can reach a subnet which sits behind an IPSec site-to-site tunnel.  That remote location required that they always see the same IP coming towards them so the above is a SNAT rule with that object being the IP that they want to see coming towards them.

 

Hope thats clear =]

0 Helpful
Customers Also Viewed These Support Documents
Top