11-28-2011 07:39 AM - edited 02-21-2020 05:44 PM
I have AnyConnect configured with ASA 8.3 and I'm able to access everything on the internal LAN just fine. However, I cannot connect to the Internet while I'm connected to AnyConnect. I've tried different DNS servers in the AnyConnect profile and different Split Tunnel settings. I just can't seem to figure out the Internet issue. And the strange thing is I can't resolve any Internet addresses through the AnyConnect connection either. When I try pinging www.msn.com it just says that it can't find the host www.msn.com. Can someone please assist with this issue?
Thank you,
Corey
11-28-2011 10:28 AM
So, a little more information. It looks like it has something to do with the gateway address on the client machine. The subnet I'm using for the VPN pool is 192.168.253.0/24. When the client connects, it gets an address of 192.168.253.10 and the gateway address is 192.168.253.1. Where is that gateway address coming from?? It's not an interface on the ASA, nor is it identified anywhere that I can see. From my previous experiences, the gateway should be left blank on the VPN interface, so that the client machine will use the gateway from the physical interface. Any ideas??
11-29-2011 04:22 AM
Hi,
The gateway will be blank if it is configured for full tunnel; in the case of split tunnel it will use the gateway to pass Internet traffic.
Where are these VPN users getting their IP address from? If it is DHCP, maybe that is configured with default gateway 192.168.253.1.
You basically need to identify whether it is just a DNS issue: try to ping a few public IPs outside and see if the traffic is going out from the local gateway. Also check the routing table on the machine; on Windows, "route print" will do.
Just to add, are you using Windows XP? Otherwise, when we connect, the VPN interface is a virtual interface, and having a gateway does not mean anything there.
On windows XP this will be normal.
Thanks
Ajay
11-29-2011 10:32 AM
The VPN users are getting an address from the IP pool on the ASA. I'm not using a DHCP server. So, I'm still uncertain where the 192.168.253.1 address is coming from.
I was able to access the Internet with Split Tunneling by adding the following access list to the VPN policy for Split Tunnel:
access-list splittunnel_acl extended permit ip 192.168.168.0 255.255.255.0 192.168.253.0 255.255.255.0
192.168.168.0 = Internal LAN
192.168.253.0 = VPN Subnet
Now, this is just a temporary workaround. I would like to access the Internet through the tunnel. Can someone please let me know what I need to do for full tunnel Internet access? Here's my running-config.
*****************************************************
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name WSO
enable password ***** encrypted
passwd ***** encrypted
no names
name 192.168.168.172 Citrix
name 192.168.168.223 IPCard-Phone
name 192.168.168.190 CFTest-NATest
name 66.6.216.62 Ext-MAIL
name 66.6.216.59 Ext-IPCard-Phone
name 66.6.216.54 Ext-CF-NATest
name 66.6.216.53 Ext-CFWeb
name 66.6.216.52 Ext-citrix
name 66.6.216.0 Ext-Tierzero
name 192.168.168.180 Matrix
name 66.6.216.60 Ext-Matrix
name 192.168.168.188 SQL-SERVER
name 66.6.216.58 Ext-sql-server
name 192.168.168.171 DATA
name 192.168.168.177 WSO-FTP
name 192.168.168.240 Main_Webserver
name 66.6.216.40 Ext_Main_web
name 66.6.216.61 ext-WSO-FTP
name 192.168.168.176 NAMAIL
name 192.168.168.211 development
name 192.168.168.163 test-server
name 192.168.168.226 sec-server
name 192.168.168.238 dc-new
name 66.6.216.42 EXT-development
name 66.6.216.45 Ext-JFT
name 192.168.168.189 JFT
name 66.6.216.56 Ext-Cart
name 192.168.168.210 CART
name 192.168.168.251 Raritan description KVM Switch
name 192.168.168.249 Disc description Discussion/FTP Server
name 192.168.168.178 PORTALTOOLS
name 192.168.168.231 Q-Commerce
name 192.168.168.185 Meeting
name 66.6.216.47 Ext-Disc
name 66.6.216.44 Ext-Meeting
name 66.6.216.41 Ext-Q-Commerce
name 66.6.216.49 Ext-Raritan
name 66.6.216.39 Ext-Web
name 192.168.168.252 WEB
name 66.6.216.43 Ext-Sharepoint description External Sharepoint
name 192.168.168.191 Sharepoint description Sharepoint
name 66.6.216.46 EXT-VPN description ext-vpn
name 192.168.168.234 VPN description Small VPN Server
name 66.6.216.50 EXT-VM1
name 192.168.168.233 VM1
name 66.6.216.48 Ext-BES
name 192.168.168.250 SPECTOR description Test Blackberry Server
name 192.168.168.164 CONFIG description Config/NetFlow Server
name 66.6.216.38 EXT-Media description External Media
name 192.168.168.209 Media description Media Server
name 192.168.168.165 INTRANET-SHAREPOINT description Intranet-sharepoint server
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 66.6.216.34 255.255.255.224 standby 66.6.216.35
!
interface Ethernet0/1
duplex full
nameif inside
security-level 100
ip address 192.168.168.168 255.255.255.0 standby 192.168.168.169
!
interface Ethernet0/2
description LAN Failover Interface
!
interface Ethernet0/3
description STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name WSO
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Citrix-01
host 192.168.168.172
object network NAMAIL
host 192.168.168.176
object network PORTALTOOLS
host 192.168.168.178
object network SQL-SERVER
host 192.168.168.188
object network WSO-FTP
host 192.168.168.177
object network CART
host 192.168.168.210
object network Matrix
host 192.168.168.180
object network data-new
host 192.168.168.253
object network development
host 192.168.168.211
object network IPCard-Phone
host 192.168.168.223
object network Raritan
host 192.168.168.251
object network Disc
host 192.168.168.249
object network SPECTOR
host 192.168.168.250
object network Q-Commerce
host 192.168.168.231
object network WEB
host 192.168.168.252
object network Sharepoint
host 192.168.168.247
object network VPN-01
host 192.168.168.244
object network VM1
host 192.168.168.233
object network Web-new
host 192.168.168.184
object network Macstation
host 192.168.168.19
description Anthony
object network ext-search
host 66.6.216.43
description Search for sharepoint
object network obj-192.168.168.224
subnet 192.168.168.224 255.255.255.248
object network obj-192.168.168.173
host 192.168.168.173
object network obj-192.168.168.187
host 192.168.168.187
object network Ext-citrix
host 66.6.216.52
object network Ext-CFWeb
host 66.6.216.53
object network ext-WSO-FTP
host 66.6.216.61
object network Ext-Cart
host 66.6.216.56
object network Ext-Matrix
host 66.6.216.60
object network Ext-sql-server
host 66.6.216.58
object network Ext_Main_web
host 66.6.216.40
object network Ext-MAIL
host 66.6.216.62
object network EXT-development
host 66.6.216.42
object network Ext-IPCard-Phone
host 66.6.216.59
object network Ext-Raritan
host 66.6.216.49
object network Ext-Disc
host 66.6.216.47
object network Ext-BES
host 66.6.216.48
object network Ext-Q-Commerce
host 66.6.216.41
object network Ext-Web
host 66.6.216.39
object network Ext-Sharepoint
host 66.6.216.43
object network EXT-VPN
host 66.6.216.46
object network EXT-VM1
host 66.6.216.50
object network Ext-Web-new
host 66.6.216.55
object network Ext-media
host 66.6.216.38
description Created during name migration
object network Ext-web2
host 66.6.216.51
description Created during name migration
object network Ext-web-backup
host 66.6.216.37
object network sec-server
host 192.168.168.226
object network search.sharepoint.na.org
host 192.168.168.247
description Search site
object network Symform
host 192.168.168.232
description Symform Server
object network Web-Backup
host 192.168.168.248
object network FTP-Test
host 192.168.168.243
object network AnyConnect
object service Symform3
service tcp destination eq 26451
object network VPN-2
object network VPN1
host 192.168.168.140
object network VPN2
host 192.168.168.141
object network VPN3
host 192.168.168.142
object network VPN4
host 192.168.168.143
object network LOCAL_LAN
subnet 192.168.168.0 255.255.255.0
object network VPN_LAN
subnet 192.168.253.0 255.255.255.0
object network AnyConnect-INET
subnet 192.168.253.0 255.255.255.0
object-group service Citrix tcp
port-object eq citrix-ica
port-object eq www
object-group service Remotevideo-8016 tcp
port-object range 8016 8016
object-group service Remotevideo-10019 tcp
port-object range 10019 10019
object-group service Citrix-ICA udp
port-object eq 1604
object-group service CFWEB tcp
port-object range 3389 3389
port-object eq https
port-object eq www
port-object range www 81
port-object eq ftp
object-group service WebServicess tcp
port-object eq citrix-ica
port-object range 3389 3389
port-object eq www
port-object eq https
port-object eq whois
port-object eq imap4
port-object eq rsh
port-object eq kerberos
port-object eq pcanywhere-data
port-object eq echo
port-object eq domain
port-object range citrix-ica citrix-ica
port-object range 8080 8080
group-object CFWEB
port-object eq ssh
port-object eq ftp-data
port-object eq ftp
port-object range 8443 8443
object-group service TCP-Group tcp
port-object eq netbios-ssn
port-object eq pop3
port-object eq https
port-object eq citrix-ica
port-object eq telnet
port-object eq hostname
port-object eq smtp
port-object eq login
port-object eq ssh
port-object eq whois
port-object eq imap4
port-object eq rsh
port-object eq www
port-object eq kerberos
port-object eq pcanywhere-data
port-object eq echo
port-object eq domain
port-object range citrix-ica citrix-ica
port-object range 3389 3389
object-group service Cart-MAS200 tcp
port-object range 3389 3389
port-object eq https
port-object eq www
port-object range 81 81
object-group service WSO-APPS tcp-udp
port-object range 21 22
port-object range 5631 5632
port-object eq domain
object-group service MAIL tcp
port-object eq domain
port-object eq www
port-object range 3389 3389
port-object eq imap4
port-object eq pop3
port-object eq smtp
port-object eq https
port-object eq citrix-ica
port-object eq hostname
port-object eq ldap
group-object WebServicess
group-object TCP-Group
port-object eq aol
port-object eq uucp
port-object eq login
port-object eq whois
port-object eq chargen
port-object eq exec
port-object eq rsh
port-object eq kerberos
port-object eq echo
port-object eq ldaps
port-object eq daytime
group-object Cart-MAS200
group-object WSO-APPS
port-object eq ssh
object-group service MatrixVideo tcp-udp
port-object range 8016 8016
port-object range 10119 10119
object-group service CFTEST tcp
port-object eq https
port-object range 3389 3389
port-object eq www
object-group service IP-Phone tcp-udp
port-object range 5004 5005
port-object range 2427 2427
port-object range 23 23
port-object range www www
port-object range 5567 5567
port-object range 5566 5566
object-group service Wireless udp
port-object eq secureid-udp
port-object eq pim-auto-rp
port-object eq radius
port-object eq radius-acct
port-object eq snmp
port-object eq echo
object-group service pcanywhere tcp-udp
port-object range 5631 5632
object-group service UDP-Group udp
port-object eq radius
port-object eq radius-acct
port-object eq pcanywhere-status
port-object eq kerberos
port-object eq domain
port-object eq time
port-object eq 1604
port-object eq ntp
object-group service PCAnywhere tcp-udp
port-object range 5632 5632
port-object range 5631 5631
object-group service IncomingThreat1 tcp
port-object range 8000 8000
object-group service Filemaker tcp
port-object eq www
port-object eq https
port-object eq nntp
port-object eq hostname
port-object eq pcanywhere-data
port-object eq ftp
object-group service VPN-SGL tcp
port-object eq telnet
port-object eq hostname
port-object eq www
port-object eq pptp
group-object TCP-Group
port-object eq login
object-group service CITRIX tcp
port-object eq citrix-ica
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VPN tcp-udp
port-object eq 500
port-object eq 1701
port-object eq 1723
port-object eq 5500
object-group service DM_INLINE_TCP_0 tcp
group-object TCP-Group
group-object WebServicess
object-group service Web-simple tcp
port-object eq ftp
port-object eq www
object-group service RDP tcp
port-object eq 3389
port-object eq 3283
object-group service Symform-port tcp
port-object eq 26451
object-group service FTP tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_1 tcp
group-object VPN
group-object WebServicess
object-group service Symform2 tcp
port-object eq 26451
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark SQL Server in
access-list outside_access_in extended permit tcp any any eq 8200
access-list outside_access_in extended permit tcp any object Citrix-01 object-group WebServicess
access-list outside_access_in extended permit udp any object IPCard-Phone object-group IP-Phone
access-list outside_access_in extended permit tcp any object Matrix object-group PCAnywhere
access-list outside_access_in extended permit tcp any object Matrix object-group Remotevideo-8016
access-list outside_access_in extended permit tcp any object CART object-group WebServicess
access-list outside_access_in extended permit tcp any object data-new object-group WebServicess
access-list outside_access_in extended permit tcp any object WSO-FTP object-group WebServicess
access-list outside_access_in extended permit tcp any object NAMAIL object-group MAIL
access-list outside_access_in extended permit tcp any object development object-group WebServicess
access-list outside_access_in extended permit tcp any object SQL-SERVER object-group WebServicess
access-list outside_access_in extended permit tcp any object Raritan object-group WebServicess
access-list outside_access_in extended permit tcp any object Disc object-group WebServicess
access-list outside_access_in extended permit tcp any object SPECTOR object-group WebServicess
access-list outside_access_in extended permit tcp any object PORTALTOOLS object-group WebServicess
access-list outside_access_in extended permit tcp any object VPN-01 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object WEB object-group WebServicess
access-list outside_access_in extended permit tcp any object Sharepoint object-group WebServicess
access-list outside_access_in extended permit tcp any object Symform eq 26451
access-list outside_access_in extended permit tcp any object VM1 object-group WebServicess
access-list outside_access_in extended permit tcp any object Web-Backup object-group WebServicess
access-list inside_outbound_nat0_acl extended permit ip host 192.168.168.173 192.168.168.224 255.255.255.248
access-list inside_outbound_nat0_acl extended permit ip host 192.168.168.187 192.168.168.224 255.255.255.248
access-list inside_outbound_nat0_acl extended permit ip object Citrix-01 192.168.168.224 255.255.255.248
access-list inside_outbound_nat0_acl extended permit ip object NAMAIL 192.168.168.224 255.255.255.248
access-list inside_outbound_nat0_acl extended permit ip object PORTALTOOLS 192.168.168.224 255.255.255.248
access-list inside_outbound_nat0_acl extended permit ip object SQL-SERVER 192.168.168.224 255.255.255.248
access-list acl-conn-param-tcp-01 extended permit tcp object IPCard-Phone any
access-list splittunnel_acl extended permit ip 192.168.168.0 255.255.255.0 192.168.253.0 255.255.255.0
pager lines 24
logging enable
logging buffered critical
logging trap informational
logging history critical
logging asdm informational
logging from-address admin@na.org
logging recipient-address stephan@na.org level critical
logging host inside 192.168.168.1 format emblem
logging host inside 192.168.168.244 format emblem
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.168.226 9996
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool NAWS-VPN 192.168.253.10-192.168.253.50 mask 255.255.255.0
ip verify reverse-path interface inside
failover
failover lan unit primary
failover lan interface failover Ethernet0/2
failover polltime interface 3 holdtime 15
failover key *****
failover link state Ethernet0/3
failover interface ip failover 192.168.99.1 255.255.255.0 standby 192.168.99.2
failover interface ip state 192.168.98.1 255.255.255.0 standby 192.168.98.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static Citrix-01 Citrix-01 destination static obj-192.168.168.224 obj-192.168.168.224
nat (inside,any) source static NAMAIL NAMAIL destination static obj-192.168.168.224 obj-192.168.168.224
nat (inside,any) source static PORTALTOOLS PORTALTOOLS destination static obj-192.168.168.224 obj-192.168.168.224
nat (inside,any) source static obj-192.168.168.173 obj-192.168.168.173 destination static obj-192.168.168.224 obj-192.168.168.224
nat (inside,any) source static obj-192.168.168.187 obj-192.168.168.187 destination static obj-192.168.168.224 obj-192.168.168.224
nat (inside,any) source static SQL-SERVER SQL-SERVER destination static obj-192.168.168.224 obj-192.168.168.224
nat (inside,outside) source static Web-Backup Ext-web-backup
nat (outside,inside) source static any any destination static interface Symform service Symform3 Symform3
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static VPN_LAN VPN_LAN
!
object network obj_any
nat (inside,outside) dynamic interface
object network Citrix-01
nat (inside,outside) static Ext-citrix
object network NAMAIL
nat (inside,outside) static Ext-MAIL
object network PORTALTOOLS
nat (inside,outside) static Ext-CFWeb
object network SQL-SERVER
nat (inside,outside) static Ext-sql-server
object network WSO-FTP
nat (inside,outside) static ext-WSO-FTP
object network CART
nat (inside,outside) static Ext-Cart
object network Matrix
nat (inside,outside) static Ext-Matrix
object network data-new
nat (inside,outside) static Ext_Main_web
object network development
nat (inside,outside) static EXT-development dns
object network IPCard-Phone
nat (inside,outside) static Ext-IPCard-Phone
object network Raritan
nat (inside,outside) static Ext-Raritan
object network Disc
nat (inside,outside) static Ext-Disc
object network SPECTOR
nat (inside,outside) static Ext-BES
object network Q-Commerce
nat (inside,outside) static Ext-Q-Commerce
object network WEB
nat (inside,outside) static Ext-Web
object network Sharepoint
nat (inside,outside) static Ext-Sharepoint
object network VPN-01
nat (inside,outside) static EXT-VPN
object network VM1
nat (inside,outside) static EXT-VM1
object network Web-new
nat (inside,outside) static Ext-Web-new
object network Macstation
nat (inside,outside) static Ext-web-backup
object network EXT-VPN
nat (any,any) static VPN-01
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.6.216.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.168.20 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
http 192.168.168.16 255.255.255.255 inside
snmp-server host inside 192.168.168.226 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
sysopt noproxyarp inside
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside 192.168.168.226 TFTP-Root
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy NAWS internal
group-policy NAWS attributes
wins-server value 192.168.168.235
dns-server value 192.168.168.254
vpn-tunnel-protocol l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel_acl
username admin password ***** encrypted privilege 15
username stephan password ***** encrypted privilege 0
username stephan attributes
vpn-group-policy NAWS
username siamak password ***** encrypted
username siamak attributes
service-type remote-access
tunnel-group NAWS type remote-access
tunnel-group NAWS general-attributes
address-pool NAWS-VPN
default-group-policy NAWS
tunnel-group NAWS webvpn-attributes
group-alias NAWS enable
group-url https://66.6.216.34/NAWS enable
!
class-map global-class
description NetFlow
match default-inspection-traffic
class-map global-class1
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
description NetFlow
class global-class
inspect ctiqbe
inspect dcerpc
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect icmp
inspect icmp error
inspect ils
inspect ip-options
inspect mgcp
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect snmp
inspect sqlnet
inspect sunrpc
inspect waas
inspect xdmcp
policy-map global-policy
description NetFlow
class global-class1
flow-export event-type all destination 192.168.168.226
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global-policy global
smtp-server 192.168.168.176
prompt hostname context
Cryptochecksum:d571a9d49a83d5916a5845b38c019648
: end
*******************************************************
11-29-2011 10:49 AM
Corey
I believe that your problem is a basic behavior of the ASA. It does not want to forward traffic back out the interface on which it was received. So if you establish a VPN connection and your traffic comes in the outside interface, then the ASA does not want to forward that traffic back out the outside interface. The solution is to use this command:
same-security-traffic permit intra-interface
Give it a try and let us know if it works better.
As far as the gateway address is concerned I believe that it is normal behavior for the VPN client to see its default gateway as the .1 for its subnet. I also see frequently clients that have their assigned address as the gateway address. And for remote access VPN other than split tunneling the default gateway does not make any real difference because the client is just going to forward the encrypted traffic over the tunnel to the peer.
HTH
Rick
11-29-2011 11:09 AM
Along with that command, looking at the config, I feel you need to add this as well, after removing the split tunnel configuration:
object network AnyConnect-INET
subnet 192.168.253.0 255.255.255.0
nat (outside,outside) source dynamic AnyConnect-INET interface
Thanks
Ajay
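To make the diagnosis from this thread repeatable, here is an added audit helper (written for this page; it is not Cisco's code nor any poster's) that reads the relevant lines of an ASA 8.3+ running-config and reports whether the three pieces for full-tunnel Internet access are present: Rick's same-security-traffic intra-interface command, Ajay's outside-to-outside dynamic NAT with an object that actually covers the address pool, and a tunnelall split-tunnel policy. The BEFORE and AFTER snippets are constructed from the posted config; the `audit` function name is my own.

```python
"""Added audit helper: check an ASA 8.3+ config for VPN-client Internet hairpinning."""
import re
from ipaddress import ip_network, ip_address

POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)$")
HAIRPIN_RE = re.compile(r"^nat \(outside,outside\) source dynamic (\S+) interface$")

# Constructed from the posted running-config: pool, object, split tunnel, no hairpin NAT.
BEFORE = """\
object network AnyConnect-INET
 subnet 192.168.253.0 255.255.255.0
ip local pool NAWS-VPN 192.168.253.10-192.168.253.50 mask 255.255.255.0
group-policy NAWS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel_acl
"""

# Same config after applying Rick's and Ajay's suggestions and removing split tunnel.
AFTER = BEFORE.replace(
    " split-tunnel-policy tunnelspecified\n split-tunnel-network-list value splittunnel_acl\n",
    " split-tunnel-policy tunnelall\n",
) + """\
same-security-traffic permit intra-interface
nat (outside,outside) source dynamic AnyConnect-INET interface
"""


def network_objects(cfg):
    """Map each 'object network NAME' to the ip_network of its subnet/host line."""
    objs, current = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"^object network (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(r"^subnet (\S+) (\S+)$", line)):
            objs[current] = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif current and (m := re.match(r"^host (\S+)$", line)):
            objs[current] = ip_network(f"{m.group(1)}/32")
    return objs


def audit(cfg):
    """Return which hairpin prerequisites are present and whether all three are met."""
    lines = [l.strip() for l in cfg.splitlines()]
    objs = network_objects(cfg)

    # 1. ASA must be allowed to send traffic back out the interface it arrived on.
    intra = "same-security-traffic permit intra-interface" in lines

    # 2. Dynamic PAT from the VPN pool to the outside interface address; the
    #    translated object has to cover the whole configured pool range.
    pools = [m for m in (POOL_RE.match(l) for l in lines) if m]
    hairpin = False
    for m in (HAIRPIN_RE.match(l) for l in lines):
        if m and m.group(1) in objs and pools:
            net = objs[m.group(1)]
            covered = all(ip_address(p.group(1)) in net and ip_address(p.group(2)) in net
                          for p in pools)
            hairpin = hairpin or covered

    # 3. Full tunnel: every split-tunnel-policy line must be tunnelall (none is also fine).
    policies = [l.split()[-1] for l in lines if l.startswith("split-tunnel-policy ")]
    full_tunnel = all(p == "tunnelall" for p in policies)

    return {"intra_interface": intra, "hairpin_nat": hairpin,
            "full_tunnel": full_tunnel, "ready": intra and hairpin and full_tunnel}


if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```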
11-29-2011 11:17 AM
Ajay
That was it!! Thanks!!
I knew it had to be a NAT issue. I'm still getting used to the new way things are done in 8.3 and later.
Thanks again!!
Corey