Solved: I did not understand because

Alexander Makarov · ‎05-30-2015

Hello!

Decide to set up SSL - VPN users on Cisco ASA 5512-X (Cisco Adaptive Security Appliance Software Version 9.2(2), Device Manager Version 7.2(2)) (through Cisco AnyConnect).

I wrote this configuration file. After connecting the VPN I can only access local resources, and must also have access to the Internet.

I think the problem is in routing, but to me there is not prescribed, the problem is not solved.

Out of servers in the Internet using the following scheme

Srv -> Cisco 6509 -> Cisco ASA -> ISP

Between 6509 and ASA static routing

I want to direct traffic as indicated in the figure

Сonf file VPN

!Define a DHCP pool for the clients to use:
ip local pool vpnpool 192.168.211.1-192.168.211.254 mask 255.255.255.0

!Create and apply a nonat access list:
access-list nonat extended permit ip 0 0 192.168.211.0 255.255.255.0

object network vpnpool
subnet 192.168.211.0 255.255.255.0
!
nat (inside,outside) source static any any destination static vpnpool vpnpool

!Define the Group Policy for the WebVPN:
group-policy SUM_VPN_POLICY internal
group-policy SUM_VPN_POLICY attributes
vpn-tunnel-protocol svc webvpn
webvpn
split-tunnel-policy tunnelall
split-dns value ad.xxx.ru
dns-server value 192.168.31.18

!Define a local user to use for the VPN:
username VPN password xxxxxxxx privilege 0
username VPN attributes
vpn-group-policy SUM_VPN_POLICY

!Enable WebVPN:
webvpn
enable outside
svc image disk0:/anyconnect-win-3.1.04066-k9.pkg
svc enable

!Define the tunnel group:
Tunnel-group SUM_VPN_TUNNEL type remote-access
Tunnel-group SUM_VPN_TUNNEL general-attributes
default-group-policy SUM_VPN_POLICY
address-pool vpnpool

!Link the tunnel group to WebVPN:
webvpn
tunnel-group-list enable
exit
tunnel-group SUM_VPN_TUNNEL webvpn-attributes
group-alias AnyConnect enable

same-security-traffic permit intra-interface

------

route on Cisco ASA

route outside 0.0.0.0 0.0.0.0 x.x.19.1 1
route inside 10.0.0.0 255.0.0.0 192.168.99.60 1
route inside 12.0.0.0 255.0.0.0 192.168.99.60 1
route inside 172.0.0.0 255.0.0.0 192.168.99.60 1
route inside 192.168.0.0 255.255.0.0 192.168.99.60 1

route on Cisco 6509

ip route 0.0.0.0 0.0.0.0 192.168.99.61

IPv4 Route Table on Cisco AnyConnect

Network Destination	Netmask	Gateway	Interface	Metric
0.0.0.0	0.0.0.0	192.168.1.1	192.168.1.62	10
0.0.0.0	0.0.0.0	192.168.211.2	192.168.211.1	2
127.0.0.0	255.0.0.0	On-link	127.0.0.1	306
127.0.0.1	255.255.255.255	On-link	127.0.0.1	306
127.255.255.255	255.255.255.255	On-link	127.0.0.1	306
192.168.1.1	255.255.255.255	On-link	192.168.1.62	11
192.168.1.62	255.255.255.255	On-link	192.168.1.62	266
192.168.211.0	255.255.255.0	On-link	192.168.211.1	257
192.168.211.1	255.255.255.255	On-link	192.168.211.1	257
192.168.211.255	255.255.255.255	On-link	192.168.211.1	257
x.x.19.2 (IP Cisco ASA)	255.255.255.255	192.168.1.1	192.168.1.62	11
224.0.0.0	240.0.0.0	On-link	127.0.0.1	306
224.0.0.0	240.0.0.0	On-link	192.168.1.62	266
224.0.0.0	240.0.0.0	On-link	192.168.211.1	257
255.255.255.255	255.255.255.255	On-link	127.0.0.1	306
255.255.255.255	255.255.255.255	On-link	192.168.1.62	266
255.255.255.255	255.255.255.255	On-link	192.168.211.1	257

What do you recommend to resolve this problem?

slicerpro · ‎06-02-2015

It would help if you could copy/paste the results of your tests (obviously censoring any sensitive parts).

Also, is the DNS located on the inside , or outside? A little more detail on the topology please..

View solution in original post

Alexander Makarov · ‎05-31-2015

Traffic that is not in the tunnel out to the Internet

Abaji Rawool · ‎06-01-2015

Hi,

You need to add this

object network obj-vpnpool

subnet 192.168.211.0 255.255.255.0

nat (outside,outside) dynamic interface

!

same-security-traffic permit intra-interface

HTH

Abaji

Alexander Makarov · ‎06-01-2015

I added these commands, but access to the Internet is still there.

Applied the current configuration

ASA Version 9.2(2)
!
hostname ASA-5512
domain-name ad.xxx.ru
enable password qweqweqweqww encrypted
names
ip local pool vpnpool 192.168.211.1-192.168.211.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xxx.yyy.19.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.99.61 255.255.255.0
!
time-range time
!
ftp mode passive
clock timezone EEST 2
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.31.18
name-server 192.168.31.48
domain-name ad.xxx.ru
same-security-traffic permit intra-interface
object network vpnpool
subnet 192.168.211.0 255.255.255.0

access-list outside_access_in extended permit ip any any log disable
access-list nonat extended permit ip any4 192.168.211.0 255.255.255.0

mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static vpnpool vpnpool
!
object network vpnpool
nat (outside,outside) dynamic interface

!
nat (inside,outside) after-auto source dynamic InsNet1 pat-pool NatPool1
nat (inside,outside) after-auto source dynamic DM_INLINE_NETWORK_1 pat-pool NewNATPool2
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.19.1 1
route inside 10.0.0.0 255.0.0.0 192.168.99.60 1
route inside 12.0.0.0 255.0.0.0 192.168.99.60 1
route inside 172.0.0.0 255.0.0.0 192.168.99.60 1
route inside 192.168.0.0 255.255.0.0 192.168.99.60 1

webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy SUM_VPN_POLICY internal
group-policy SUM_VPN_POLICY attributes
dns-server value 192.168.31.18
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelall
split-tunnel-network-list value nonat
split-dns value ad.xxx.ru
split-tunnel-all-dns enable
webvpn
customization value DfltCustomization
username admin password OF8H//rHMtPIAUvh encrypted privilege 15
username VPN password sfsdfsfsU6PmDDej encrypted privilege 0
username VPN attributes
vpn-group-policy SUM_VPN_POLICY
tunnel-group SUM_VPN_TUNNEL type remote-access
tunnel-group SUM_VPN_TUNNEL general-attributes
address-pool vpnpool
default-group-policy SUM_VPN_POLICY
tunnel-group SUM_VPN_TUNNEL webvpn-attributes
group-alias AnyConnect enable
!

Abaji Rawool · ‎06-01-2015

How are you testing the internet connectivity? could you test the connection with pings to direct ip to confirm this is not a DNS issue.

HTH

Abaji.

Alexander Makarov · ‎06-02-2015

I tested the performance of the following ways:
1) ping on the DNS or IP with different MTU
2) The opening of a site in a browser
3) As the availability of applications (Skype)
4) tracert to various resources

slicerpro · ‎06-02-2015

It would help if you could copy/paste the results of your tests (obviously censoring any sensitive parts).

Also, is the DNS located on the inside , or outside? A little more detail on the topology please..

Alexander Makarov · ‎06-10-2015

I did not understand because of what was the problem with access to the Internet.

Once changed to ASA5512X ASA5525X I copied the configuration from it and it worked (5512 was temporary)
The only thing I changed version of AnyConnect on 4.0.02052

Thank you all for your help

No access to the Internet through Cisco AnyConnect