cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
178
Views
0
Helpful
3
Replies
Highlighted
Beginner

Need help with ASA Anyconnect SSL VPN post 8.3

Hey!  I'm trying to set up our anyconnect ssl vpn on the Cisco ASA.  I'm able to connect and communicate with the internal LAN however I'm basically dead in the water when internet or outside connectivity is concerned.  During the wizard I checked the box to set up nat exempt so the vpn traffic would not traverse NAT.  I do not have split tunnel enabled so everything is going through the tunnel.  I'd like to set up split tunneling as well so that my internet traffic does not go through the tunnel.   It's been a long time since I've managed an ASA so I'm rusty.  Any help would be appreciated. 

Below is the configuration I've added to the ASA.

 ip local pool SVCSVCPOOL 172.16.1.0-172.16.1.254 mask 255.255.255.0
      object network NETWORK_OBJ_172.16.1.0_24
        subnet 172.16.1.0 255.255.255.0
    
      webvpn
        anyconnect profiles SVC_client_profile disk0:/SVC_client_profile.xml
      exit
      group-policy GroupPolicy_SVC internal
      group-policy GroupPolicy_SVC attributes
        vpn-tunnel-protocol ikev2 ssl-client
        webvpn
          anyconnect profiles value SVC_client_profile type user
      exit
      group-policy GroupPolicy_SVC attributes
        dns-server value 8.8.8.8 8.8.4.4
        wins-server none
        default-domain value SVCINC.NET
      exit
      tunnel-group SVC type remote-access
      tunnel-group SVC general-attributes
        default-group-policy GroupPolicy_SVC
        address-pool  SVCSVCPOOL
      tunnel-group SVC webvpn-attributes
        group-alias SVC enable
      nat (Inside,outside) 1 source static any any destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup

Everyone's tags (5)
3 REPLIES 3
Beginner

Hello,

Hello,

For split tunnel you need to configure a standard ACL and list the networks that you want to reach over the tunnel.

access-list split standard permit x.x.x.x netmask

now in the group policy you need to configure the split tunnel policy and enter the ACL that you configured

group-policy GroupPolicy_SVC attributes

split-tunnel-policy tunnelspecified
split-tunnel-network-list value split

You can follow this documentation for the configuration using ASDM "step 4":

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100936-asa8x-split-tunnel-anyconnect-config.html

Regards, Please rate!

Highlighted
Beginner

Diego,

Diego,

Thank you for the response.  I was able to get the split tunneling in place and that has left me with only one other issue.  When trying to get to a server behind the ASA on the 10.10.10.0 network I still see it failing with the following in the log. 

"Asymmetric NAT rules matched for forward and reverse flows; denied due to NAT reverse path failure."  

If you or anyone else can help me determine why I'm having this issue I would appreciate it.  

Thank you.

Highlighted
Beginner

Hello,

Hello,

You can try configuring a nat exemption for that traffic need to create 2 objects

object network obj-10.10.10.0

subnet 10.10.10.0 255.255.255.0

object network anyconnect_pool

subnet 172.16.1.0 255.255.255.0

nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static anyconnect_pool anyconnect_pool no-proxy-arp route-lookup