Need help with ASA Anyconnect SSL VPN post 8.3

klove01
Level 1

Hey! I'm trying to set up our AnyConnect SSL VPN on the Cisco ASA. I'm able to connect and communicate with the internal LAN; however, I'm basically dead in the water where internet or outside connectivity is concerned. During the wizard I checked the box to set up NAT exempt so the VPN traffic would not traverse NAT. I do not have split tunnel enabled, so everything is going through the tunnel. I'd like to set up split tunneling as well so that my internet traffic does not go through the tunnel. It's been a long time since I've managed an ASA, so I'm rusty. Any help would be appreciated.

Below is the configuration I've added to the ASA.

! Address pool handed out to AnyConnect clients
ip local pool SVCSVCPOOL 172.16.1.0-172.16.1.254 mask 255.255.255.0
! Object for the pool, referenced by the NAT exemption below
object network NETWORK_OBJ_172.16.1.0_24
  subnet 172.16.1.0 255.255.255.0

! AnyConnect client profile pushed to users
webvpn
  anyconnect profiles SVC_client_profile disk0:/SVC_client_profile.xml
exit
group-policy GroupPolicy_SVC internal
group-policy GroupPolicy_SVC attributes
  vpn-tunnel-protocol ikev2 ssl-client
  webvpn
    anyconnect profiles value SVC_client_profile type user
exit
group-policy GroupPolicy_SVC attributes
  dns-server value 8.8.8.8 8.8.4.4
  wins-server none
  default-domain value SVCINC.NET
exit
tunnel-group SVC type remote-access
tunnel-group SVC general-attributes
  default-group-policy GroupPolicy_SVC
  address-pool SVCSVCPOOL
tunnel-group SVC webvpn-attributes
  group-alias SVC enable
! NAT exemption generated by the wizard: identity (no translation) for
! anything on Inside talking to the VPN pool, placed at position 1
nat (Inside,outside) 1 source static any any destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup

3 Replies

Diego Lopez
Level 1

Hello,

For split tunnel you need to configure a standard ACL and list the networks that you want to reach over the tunnel.

! One line per internal network that should go through the tunnel
access-list split standard permit x.x.x.x netmask

Now, in the group policy, you need to configure the split-tunnel policy and enter the ACL that you configured:

group-policy GroupPolicy_SVC attributes
  ! Only networks listed in the ACL are tunneled; everything else goes direct
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split

You can follow this documentation for the configuration using ASDM "step 4":

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100936-asa8x-split-tunnel-anyconnect-config.html

Regards. Please rate!

Diego,

Thank you for the response. I was able to get the split tunneling in place, and that has left me with only one other issue. When trying to get to a server behind the ASA on the 10.10.10.0 network, I still see it failing with the following in the log.

"Asymmetric NAT rules matched for forward and reverse flows; denied due to NAT reverse path failure."

If you or anyone else can help me determine why I'm having this issue, I would appreciate it.

Thank you.

Hello,

You can try configuring a NAT exemption for that traffic. You need to create two objects:

! The server LAN behind the ASA
object network obj-10.10.10.0
  subnet 10.10.10.0 255.255.255.0

! The AnyConnect address pool
object network anyconnect_pool
  subnet 172.16.1.0 255.255.255.0

! Identity (exempt) rule: same object on the real and mapped side in both
! directions, so this traffic is matched by one rule and never translated
nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static anyconnect_pool anyconnect_pool no-proxy-arp route-lookup
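The log message quoted above comes from the ASA's reverse-path check: when a new connection is built, the firewall looks up the NAT rule for the first packet and again for the reply, and drops the connection if the two lookups land on different rules. The following Python model, added here as an illustration and not Cisco code, reproduces that check for a constructed rule set: a dynamic PAT rule for internet access (assumed, not on the page; the outside interface address 203.0.113.1 is made up) plus the identity exemption from the reply above. It shows why the pool-to-server traffic fails without the exemption, why it still fails when the exemption is ordered after the PAT rule, and why it passes once the exemption is matched first. The model is deliberately simplified (first-match evaluation in configured order, identity or to-interface translation only).

```python
"""Simplified model of Cisco ASA manual (twice) NAT matching and of the
reverse-path check behind 'Asymmetric NAT rules matched for forward and
reverse flows'.  Added illustration, not Cisco code; the PAT rule and the
outside address 203.0.113.1 are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class TwiceNatRule:
    """nat (real_if,mapped_if) source {static|dynamic} SRC_REAL SRC_MAPPED
    destination static DST_REAL DST_MAPPED.  An identity (exemption) rule
    uses the same network on both sides of each pair."""
    name: str
    real_if: str
    mapped_if: str
    src_real: IPv4Network
    src_mapped: IPv4Network
    dst_real: IPv4Network = ANY
    dst_mapped: IPv4Network = ANY


def _map(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """Rewrite one address: unchanged for identity, same host offset for
    equal-sized networks, otherwise the single (interface) address of to_net."""
    if from_net == to_net:
        return addr
    if from_net.prefixlen == to_net.prefixlen:
        return to_net[int(addr) - int(from_net.network_address)]
    return to_net[0]


def match_rule(rules, ingress, egress, src, dst):
    """Index of the first rule matching a packet, or None.

    Real->mapped packets are compared against the *_real networks; mapped->real
    packets (un-NAT) against the *_mapped networks.  A PAT rule whose mapped
    source is the interface address therefore never matches a packet arriving
    from outside addressed to an inside host's real address."""
    src, dst = ip_address(src), ip_address(dst)
    for i, r in enumerate(rules):
        if (ingress, egress) == (r.real_if, r.mapped_if):
            if src in r.src_real and dst in r.dst_real:
                return i
        elif (ingress, egress) == (r.mapped_if, r.real_if):
            if src in r.dst_mapped and dst in r.src_mapped:
                return i
    return None


def translate(rule, ingress, src, dst):
    """Addresses of the packet as it leaves the far side of the rule."""
    src, dst = ip_address(src), ip_address(dst)
    if ingress == rule.real_if:  # real -> mapped
        return (_map(src, rule.src_real, rule.src_mapped),
                _map(dst, rule.dst_real, rule.dst_mapped))
    return (_map(src, rule.dst_mapped, rule.dst_real),  # mapped -> real
            _map(dst, rule.src_mapped, rule.src_real))


def reverse_path_check(rules, ingress, egress, src, dst):
    """Return (forward_rule_name, reverse_rule_name, ok) for a new connection.

    The forward lookup uses the packet as it arrived; the reverse lookup uses
    the reply (dst -> src, opposite interface direction) with the addresses the
    forward rule produced.  ok is False when the two lookups select different
    rules, the condition the ASA logs as a NAT reverse path failure."""
    fwd = match_rule(rules, ingress, egress, src, dst)
    if fwd is None:
        out_src, out_dst = ip_address(src), ip_address(dst)
    else:
        out_src, out_dst = translate(rules[fwd], ingress, src, dst)
    rev = match_rule(rules, egress, ingress, out_dst, out_src)

    def name(i):
        return None if i is None else rules[i].name

    return name(fwd), name(rev), fwd == rev


# Constructed rule set: dynamic PAT to the (assumed) outside address for
# internet access, plus the identity exemption between the server LAN and
# the AnyConnect pool.
PAT = TwiceNatRule("pat-any-to-outside-interface", "inside", "outside",
                   ANY, ip_network("203.0.113.1/32"))
EXEMPT = TwiceNatRule("exempt-10.10.10.0-to-anyconnect-pool", "inside", "outside",
                      ip_network("10.10.10.0/24"), ip_network("10.10.10.0/24"),
                      ip_network("172.16.1.0/24"), ip_network("172.16.1.0/24"))

# AnyConnect client 172.16.1.10 (decrypted on 'outside') opening a connection
# to the server 10.10.10.5 behind 'inside'.
VPN_TO_SERVER = ("outside", "inside", "172.16.1.10", "10.10.10.5")


def scenarios():
    """Forward/reverse rule names and verdict for three rule orderings."""
    return {
        "no exemption": reverse_path_check([PAT], *VPN_TO_SERVER),
        "exemption after PAT": reverse_path_check([PAT, EXEMPT], *VPN_TO_SERVER),
        "exemption before PAT": reverse_path_check([EXEMPT, PAT], *VPN_TO_SERVER),
    }


if __name__ == "__main__":
    for label, (fwd, rev, ok) in scenarios().items():
        print(f"{label:22s} forward={fwd} reverse={rev} -> "
              f"{'ok' if ok else 'NAT reverse path failure'}")
```

The ordering case is the one worth checking on a real box: ASA evaluates manual NAT rules in configured order, and a `nat` line entered without a position number is appended to the end of section 1, whereas the wizard-generated rule in the original post is pinned to position 1. A `show nat` listing confirms which rule a flow hits, and `packet-tracer` run in both directions shows the forward and reverse lookups the model reproduces.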
