01-27-2016 09:59 AM - edited 02-21-2020 08:38 PM
Hey! I'm trying to set up our AnyConnect SSL VPN on the Cisco ASA. I'm able to connect and communicate with the internal LAN, however I'm basically dead in the water where internet or outside connectivity is concerned. During the wizard I checked the box to set up NAT exempt so the VPN traffic would not traverse NAT. I do not have split tunnel enabled, so everything is going through the tunnel. I'd like to set up split tunneling as well so that my internet traffic does not go through the tunnel. It's been a long time since I've managed an ASA, so I'm rusty. Any help would be appreciated.
Below is the configuration I've added to the ASA.
ip local pool SVCSVCPOOL 172.16.1.0-172.16.1.254 mask 255.255.255.0
object network NETWORK_OBJ_172.16.1.0_24
subnet 172.16.1.0 255.255.255.0
webvpn
anyconnect profiles SVC_client_profile disk0:/SVC_client_profile.xml
exit
group-policy GroupPolicy_SVC internal
group-policy GroupPolicy_SVC attributes
vpn-tunnel-protocol ikev2 ssl-client
webvpn
anyconnect profiles value SVC_client_profile type user
exit
group-policy GroupPolicy_SVC attributes
dns-server value 8.8.8.8 8.8.4.4
wins-server none
default-domain value SVCINC.NET
exit
tunnel-group SVC type remote-access
tunnel-group SVC general-attributes
default-group-policy GroupPolicy_SVC
address-pool SVCSVCPOOL
tunnel-group SVC webvpn-attributes
group-alias SVC enable
nat (Inside,outside) 1 source static any any destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
01-27-2016 11:02 AM
Hello,
For split tunnel you need to configure a standard ACL and list the networks that you want to reach over the tunnel.
access-list split standard permit x.x.x.x netmask
Now, in the group policy, you need to configure the split tunnel policy and enter the ACL that you configured:
group-policy GroupPolicy_SVC attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
You can follow this documentation for the configuration using ASDM "step 4":
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100936-asa8x-split-tunnel-anyconnect-config.html
Regards. Please rate!
01-27-2016 11:58 AM
Diego,
Thank you for the response. I was able to get the split tunneling in place and that has left me with only one other issue. When trying to get to a server behind the ASA on the 10.10.10.0 network I still see it failing with the following in the log.
"Asymmetric NAT rules matched for forward and reverse flows; denied due to NAT reverse path failure."
If you or anyone else can help me determine why I'm having this issue I would appreciate it.
Thank you.
01-27-2016 12:22 PM
Hello,
You can try configuring a NAT exemption for that traffic; you need to create 2 objects:
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network anyconnect_pool
subnet 172.16.1.0 255.255.255.0
nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static anyconnect_pool anyconnect_pool no-proxy-arp route-lookup
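The "Asymmetric NAT rules matched" denial above appears when the forward and reverse flows between a VPN client and an inside host do not hit the same NAT rule, which is exactly what happens when a network in the split-tunnel ACL has no identity (no-NAT) rule toward the AnyConnect pool. The following is an added example, not from this thread or from Cisco, that reads an ASA config snippet and reports split-tunnel networks lacking such an exemption; the sample config is constructed from the pieces posted here plus a second network, 192.168.1.0/24, that is deliberately left unexempted.

```python
"""Lint an ASA config for split-tunnel networks that lack a NAT exemption to the VPN pool."""
import ipaddress
import re

# Constructed sample: the thread's pool, objects and NAT exemption, plus a second
# split-tunnel network (192.168.1.0/24) that has no identity NAT rule to the pool.
SAMPLE_CONFIG = """
ip local pool SVCSVCPOOL 172.16.1.0-172.16.1.254 mask 255.255.255.0
object network obj-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
object network anyconnect_pool
 subnet 172.16.1.0 255.255.255.0
access-list split standard permit 10.10.10.0 255.255.255.0
access-list split standard permit 192.168.1.0 255.255.255.0
group-policy GroupPolicy_SVC attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static anyconnect_pool anyconnect_pool no-proxy-arp route-lookup
"""

# Twice-NAT "source static A B destination static C D"; the optional number is a rule position.
NAT_RE = re.compile(r"nat \(\S+\) (?:\d+ )?source static (\S+) (\S+) destination static (\S+) (\S+)")

def network_objects(cfg):
    """Map each 'object network' name to its subnet; the keyword 'any' covers everything."""
    objs, current = {"any": ipaddress.ip_network("0.0.0.0/0")}, None
    for line in cfg.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.startswith("subnet "):
            net, mask = line.split()[1:3]
            objs[current] = ipaddress.ip_network(f"{net}/{mask}")
    return objs

def split_tunnel_networks(cfg):
    """Networks permitted by the ACL named in split-tunnel-network-list."""
    acl = re.search(r"split-tunnel-network-list value (\S+)", cfg).group(1)
    rule = re.compile(rf"access-list {re.escape(acl)} standard permit (\S+) (\S+)")
    return [ipaddress.ip_network(f"{n}/{m}") for n, m in rule.findall(cfg)]

def missing_exemptions(cfg):
    """Return split-tunnel networks (as strings) with no identity NAT rule toward the VPN pool."""
    objs = network_objects(cfg)
    start, mask = re.search(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", cfg).groups()
    pool = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    # Identity twice-NAT: real and mapped objects are identical on both sides.
    exempt = [(objs[s], objs[d]) for s, s2, d, d2 in NAT_RE.findall(cfg)
              if s == s2 and d == d2 and s in objs and d in objs]
    return [str(net) for net in split_tunnel_networks(cfg)
            if not any(net.subnet_of(src) and pool.subnet_of(dst) for src, dst in exempt)]

if __name__ == "__main__":
    print("split-tunnel networks without NAT exemption:", missing_exemptions(SAMPLE_CONFIG))
```

Run it against the output of `show running-config`; any network it lists needs an identity NAT rule like the one above, and interface names in the rule must match the nameif exactly, since they are case-sensitive.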