01-04-2024 06:55 AM - edited 01-07-2024 11:01 PM
Hi,
I have a VPN with tunnel-all traffic, but no internet: I cannot ping anything, not even the inside network. It works fine with split tunnel. We tested with packet tracer and it does not work.
I need some help with NAT and ACL.
Thanks
Result of the command: "show running-config"
: Saved
:
: Serial Number:
: Hardware: FPR-1010, 7180 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
ASA Version 9.17(1)
!
hostname Router01
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
!
license smart
feature tier standard
names
no mac-address auto
ip local pool VPN_Pool 192.168.20.50-192.168.20.200 mask 255.255.255.0
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan10
nameif guest
security-level 50
ip address 10.1.2.1 255.255.255.0
!
interface Vlan1003
nameif CD
security-level 60
ip address 10.10.4.1 255.255.255.0
!
interface Vlan1004
nameif ZZ
security-level 60
ip address 10.10.5.1 255.255.255.0
!
interface Ethernet1/1
no switchport
nameif outside
security-level 0
ip address WAN_HIDDEN 255.255.255.248
!
interface Ethernet1/2
switchport
switchport trunk allowed vlan 1,10,1003-1004
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet1/3
switchport
!
interface Ethernet1/4
switchport
!
interface Ethernet1/5
switchport
!
interface Ethernet1/6
switchport
!
interface Ethernet1/7
switchport
power inline auto
!
interface Ethernet1/8
switchport
power inline auto
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 192.168.45.1 255.255.255.0
!
boot system disk0:/cisco-asa-fp1k.9.17.1.SPA
ftp mode passive
clock timezone Europe/Copenhagen
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222 outside
name-server 208.67.220.220 outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network INSIDE_NETWORK
subnet 10.1.1.0 255.255.255.0
object network NETWORK_OBJ_10.10.100.0_24
subnet 10.10.100.0 255.255.255.0
object network NETWORK_OBJ_10.1.1.0_24
subnet 10.1.1.0 255.255.255.0
object network RDS01
host 10.1.1.61
object service RDP
service tcp destination eq 3389
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network PRTG_WAN
host 85.27.130.67
object network PRTG_Server
host 10.1.1.26
object service HTTPS
service tcp destination eq https
object network VPN_Pool
subnet 192.168.20.0 255.255.255.0
object network VPN
subnet 192.168.20.0 255.255.255.0
object network WAN
host WAN_HIDDEN
object network SQL01
host 10.1.1.81
object service HTTP
service tcp destination eq www
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.10.100.0 255.255.255.0
access-list outside_access_in extended permit object RDP any object RDS01
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object SQL01 object-group DM_INLINE_TCP_1
access-list KIT standard permit 10.1.1.0 255.255.255.0
access-list Test standard permit 192.168.1.0 255.255.255.0
access-list VPN_CLIENTS_OUT extended permit ip object VPN any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging asdm informational
mtu inside 1500
mtu guest 1500
mtu CD 1500
mtu ZZ 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-openjre-7171-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24 destination static NETWORK_OBJ_10.10.100.0_24 NETWORK_OBJ_10.10.100.0_24 no-proxy-arp route-lookup
nat (outside,inside) source static any any destination static interface RDS01 service RDP RDP unidirectional no-proxy-arp
nat (any,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
nat (inside,inside) source dynamic INSIDE_NETWORK interface destination static WAN RDS01 service RDP RDP
nat (any,inside) source static any any destination static WANIP_1 SQL01 service HTTP HTTP unidirectional no-proxy-arp
nat (any,inside) source static any any destination static WANIP_1 SQL01 service HTTPS HTTPS unidirectional no-proxy-arp
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 85.27.130.65 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.45.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 37.128.215.108
crypto map outside_map 1 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA2
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=vpn.KIT.dk,O=KIT,C=DK
crl configure
crypto ca trustpoint AzureAD-AC-SAML
enrollment terminal
no ca-check
crl configure
crypto ca trustpoint vpn.KIT.dk
enrollment terminal
fqdn vpn.KIT.dk
subject-name CN=vpn.KIT.dk,OU=HQ,O=Kortermann IT
keypair ASDM_TrustPoint0
crl configure
crypto ca trustpoint AzureAD-AC-SAML-new
enrollment terminal
no validation-usage
no ca-check
crl configure
crypto ca trustpool policy
auto-import
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 policy 40
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption aes
hash sha
group 14
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh key-exchange hostkey rsa
ssh 10.1.1.0 255.255.255.0 inside
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.1.40-10.1.1.190 inside
dhcpd dns 10.1.1.17 8.8.8.8 interface inside
dhcpd enable inside
dhcpd reserve-address 10.1.1.61 0015.5d1e.2909 inside
dhcpd reserve-address 10.1.1.81 0015.5d1e.2903 inside
!
dhcpd address 10.1.2.10-10.1.2.252 guest
dhcpd dns 1.1.1.1 8.8.8.8 interface guest
dhcpd enable guest
!
dhcpd address 10.10.4.100-10.10.4.150 CD
dhcpd dns 1.1.1.1 8.8.8.8 interface CD
dhcpd enable CD
!
dhcpd address 10.10.5.100-10.10.5.150 ZZ
dhcpd dns 1.1.1.1 8.8.8.8 interface ZZ
dhcpd enable ZZ
!
dhcpd address 192.168.45.10-192.168.45.12 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.36.143.130 source outside prefer
ssl trust-point vpn.KIT.dk inside
ssl trust-point vpn.KIT.dk outside
webvpn
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnect-win-4.10.05085-webdeploy-k9.pkg 1
anyconnect profiles VPN_KIT_client_profile disk0:/VPN_KIT_client_profile.xml
anyconnect enable
saml idp https://sts.windows.net/3d184bea-bc1b-486d-a9de-e10f812f93aa/
url sign-in https://login.microsoftonline.com/3d184bea-bc1b-486d-a9de-e10f812f93aa/saml2
url sign-out https://login.microsoftonline.com/3d184bea-bc1b-486d-a9de-e10f812f93aa/saml2
base-url https://vpn.KIT.dk
trustpoint idp AzureAD-AC-SAML-new
trustpoint sp vpn.KIT.dk
no signature
no force re-authentication
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_37.128.215.108 internal
group-policy GroupPolicy_37.128.215.108 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_VPN_KIT internal
group-policy GroupPolicy_VPN_KIT attributes
wins-server none
dns-server value 10.1.1.17 1.1.1.1
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value KIT
default-domain none
split-tunnel-all-dns disable
webvpn
anyconnect profiles value VPN_KIT_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username admin password ***** pbkdf2 privilege 15
tunnel-group 37.128.215.108 type ipsec-l2l
tunnel-group 37.128.215.108 general-attributes
default-group-policy GroupPolicy_37.128.215.108
tunnel-group 37.128.215.108 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group VPN_KIT type remote-access
tunnel-group VPN_KIT general-attributes
address-pool VPN_Pool
default-group-policy GroupPolicy_VPN_KIT
tunnel-group VPN_KIT webvpn-attributes
authentication saml
group-alias VPN_KIT enable
saml identity-provider https://sts.windows.net/3d184bea-bc1b-486d-a9de-e10f812f93aa/
saml idp-trustpoint AzureAD-AC-SAML-new
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect netbios
inspect tftp
inspect ip-options
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:61477f8dc4c2c9fd827d6164d85a7b36
: end
01-04-2024 07:26 AM
Use traceroute for traffic between the AnyConnect subnet and Inside,
and between the AnyConnect subnet and 8.8.8.8.
Share the result here.
MHM
01-05-2024 12:38 AM
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
Tracing route to 10.1.1.1 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 ^C
/Frederik
01-05-2024 12:44 AM
Test between VPN and Inside LAN:
packet-tracer input <Outside> tcp <any Unused IP from VPN Pool> 12345 <any IP of INside LAN, dont use interface IP> 12345 detail
Test between VPN and public IP:
packet-tracer input <Outside> tcp <any Unused IP from VPN Pool> 12345 8.8.8.8 80 detail
Share the result.
MHM
01-05-2024 12:56 AM
Looks like an ACL blocking it.
Router01# packet-tracer input outside tcp 192.168.20.60 12345 10.1.1.9 12345 d$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 14415 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f9b6a603000, priority=1, domain=permit, deny=false
hits=202149963, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 16740 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.1.1.9 using egress ifc inside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 1395 ns
Config:
nat (any,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 10.1.1.9/12345 to 10.1.1.9/12345
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Elapsed time: 6975 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f9b6a73e380, priority=11, domain=permit, deny=true
hits=91872, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Time Taken: 39525 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005557d9c67817 flow (NA)/NA
and
Router01# packet-tracer input outside tcp 192.168.20.65 12345 8.8.8.8 80 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 17670 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f9b6a603000, priority=1, domain=permit, deny=false
hits=202272659, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 19995 ns
Config:
Additional Information:
Found next-hop 85.27.130.65 using egress ifc outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 1395 ns
Config:
nat (any,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 8.8.8.8/80 to 8.8.8.8/80
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Elapsed time: 6742 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f9b6a73e380, priority=11, domain=permit, deny=true
hits=91915, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Time Taken: 45802 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005557d9c67817 flow (NA)/NA
Thanks
01-05-2024 01:11 AM
show vpn-sessiondb anyconnect <- run AnyConnect from any device to the ASA and share this
MHM
01-05-2024 01:19 AM
Router01# show vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : hidden Index : 19
Assigned IP : 192.168.20.50 Public IP : 212.97.249.108
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384
Bytes Tx : 16946 Bytes Rx : 6888
Group Policy : GroupPolicy_VPN_KIT Tunnel Group : VPN_KIT
Login Time : 10:17:56 CET Fri Jan 5 2024
Duration : 0h:00m:06s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a010101000130006597c944
Security Grp : none
01-05-2024 01:43 AM
dynamic-access-policy-record DfltAccessPolicy <<- remove this for troubleshooting, check packet-tracer and share the result here
MHM
01-05-2024 01:53 AM
I cannot remove it:
Router01(config)# no dynamic-access-policy-record DfltAccessPolicy
ERROR: dynamic-access-policy-record <DfltAccessPolicy> cannot be removed
01-05-2024 02:00 AM
show version <<- how many AnyConnect peers do you have in your license?
01-05-2024 02:07 AM
Cisco Adaptive Security Appliance Software Version 9.17(1)
SSP Operating System Version 2.11(1.154)
Device Manager Version 7.17(1)152
Compiled on Tue 30-Nov-21 18:38 GMT by builders
System image file is "disk0:/installables/switch/fxos-k8-fp1k-lfbff.2.11.1.154.SPA"
Config file at boot was "startup-config"
Router01 up 7 days 14 hours
Start-up time 22 secs
Hardware: FPR-1010, 7180 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.11.0
Number of accelerators: 6
1: Int: Internal-Data0/0 : address is 00a0.c900.0000, irq 10
3: Int: Not licensed : irq 0
4: Ext: Management1/1 : address is 88fc.5d25.8301, irq 0
5: Int: Internal-Data1/1 : address is 0000.0100.0001, irq 0
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 60
Inside Hosts : Unlimited
Failover : Disabled
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 0
Carrier : Disabled
AnyConnect Premium Peers : 75
AnyConnect Essentials : Disabled
Other VPN Peers : 75
Total VPN Peers : 75
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 160
Cluster : Disabled
Serial Number:
Configuration register is 0x1
Configuration last modified by admin at 10:20:38.689 CET Fri Jan 5 2024
We are paying for 25 licenses.
01-05-2024 04:22 AM
Config:
Implicit Rule
Seems like it's the 'implicit deny rule'?
But the thing I cannot find out is what to allow in the ACL, and where to do it?
/Frederik
01-05-2024 09:22 AM
Yes, I know.
The implicit deny rule without the name of the ACL (as you see, we use the detail keyword) represents the system default that prevents the connection.
So let's check each point, and if I am wrong, correct me.
The traffic from the OUT to the IN LAN (10.1.1.0/24), which you specify in the split-tunnel standard ACL:
you use no-NAT. I know using the interface ANY and source ANY is not optimal, but it works (you can add a new no-NAT specifying IN as the interface and subnet 10.1.1.0/24 as the source).
There is an ACL applied to the OUT interface, but this must not affect the AnyConnect VPN since you do not use control-plane.
We checked the licences and it allows 75, so it is perfect.
The last thing is SAML. I am not sure of the effect, but if you can, add a new AnyConnect tunnel-group using a local user and check whether the ASA allows traffic from this new tunnel group or not.
Also, can you elaborate on this:
"I have a VPN with tunnel-all traffic, but no internet: I cannot ping anything, not even the inside network. It works fine with split tunnel."
How does it work? "We tested with packet tracer and it does not work."
MHM
01-09-2024 06:27 AM
"I know using the interface ANY and source ANY is not optimal, but it works (you can add a new no-NAT specifying IN as the interface and subnet 10.1.1.0/24 as the source)":
I will try not using 'any' as the interface in the NAT. What command exactly do I need to run?
I have elaborated on it.
Thanks
01-07-2024 03:04 PM - edited 01-07-2024 03:07 PM
You are missing a dynamic hairpin for AnyConnect traffic to translate the source AnyConnect IP to the outside interface, and egress back out of the outside interface towards the internet. This solves one part of the problem that you're facing with internet traffic.
Within your NAT rules, you need to add the following: (Outside, Outside) Source (AnyConnect Pool) -> (Outside Interface) Destination any, any.
Keep this dynamic rule towards the bottom. That way, route-lookup will say that 8.8.8.8 for example is supposed to egress outside, you hit this specific NAT rule, and AnyConnect IP addresses are translated to the interface to traverse the internet.
For your outside-to-inside LAN traffic, tighten up the 'any' interface rules for your static and define more specific interfaces. For instance, your 8.8.8.8 packet-tracer will always route-lookup to head outside, but you're hitting this static NAT that is catching unneeded traffic:
- nat (any,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
I recommend changing the 'any' source interface to a more specific interface at the very least. If you want to keep your NAT rules this way, then move the dynamic NAT rule I suggested towards the top of the list or else you are always going to UN-NAT to that static entry. Honestly, I would remove any trace of 'any' and more strictly define the source interface and the networks you are using for your NO-NAT statement to make things easier for analysis and troubleshooting.
Just for testing, create a new access list for Outside to Inside traffic that sources from VPN_Pool destined to your Inside network and applicable IPs (10.1.1.0) and throw it to the top of the list. Rerun, test, and let us know.
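The NAT and ACL changes this reply describes, written out as ASA CLI (an added example, not the poster's own commands or the original config). It reuses the object names from the running-config earlier in the thread and assumes NETWORK_OBJ_10.1.1.0_24 is the inside LAN to exempt from translation; the hairpin relies on same-security-traffic permit intra-interface, which that config already has.

```text
! --- configure terminal ---
!
! Remove the catch-all identity rule that UN-NATs every flow arriving on outside
! with an AnyConnect-pool source, 8.8.8.8-bound traffic included
no nat (any,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
!
! Replace it with a no-NAT scoped to the inside interface and the 10.1.1.0/24 LAN
nat (inside,outside) source static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24 destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
!
! Dynamic hairpin: AnyConnect sources that route back out of outside are PAT'd to
! the outside interface address. Entered last, so it sits below the static rules
nat (outside,outside) source dynamic VPN_Pool interface
!
! Test-only entry at the top of the outside ACL: AnyConnect pool to the inside LAN
access-list outside_access_in line 1 extended permit ip object VPN_Pool object NETWORK_OBJ_10.1.1.0_24
!
! --- exec mode: re-run the two traces from the thread and confirm the NAT phase
! --- now reports the new rules instead of the removed (any,outside) static entry
packet-tracer input outside tcp 192.168.20.60 12345 10.1.1.9 12345 detail
packet-tracer input outside tcp 192.168.20.65 12345 8.8.8.8 80 detail
show nat detail
```

Once the trace passes, replace the test ACL line with entries limited to the ports the inside hosts actually need from VPN clients.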