738 Views, 0 Helpful, 3 Replies

No Internet Access On VPN

RandallC2
Level 1

I've set up SAML through Okta for our Cisco AnyConnect VPN and everything seems to be working perfectly fine aside from the fact that I'm getting "No Internet Access" when connected to the new tunnel group that I've created for this task.

I copied the general attributes from the tunnel group that we are currently using without SAML so I was expecting this connection to function the same.

Currently working tunnel attributes:

tunnel-group ANYCONNECT_TUNNEL type remote-access
tunnel-group ANYCONNECT_TUNNEL general-attributes
 address-pool PURFOY-Anyconnect
 authentication-server-group BBC-NPS
 default-group-policy NoAccess
tunnel-group ANYCONNECT_TUNNEL webvpn-attributes
 group-alias "BBC VPN East" enable

SAML tunnel (without Internet access) attributes:

tunnel-group vpn-east_okta type remote-access
tunnel-group vpn-east_okta general-attributes
 address-pool PURFOY-Anyconnect
 authentication-server-group BBC-NPS
tunnel-group vpn-east_okta webvpn-attributes
 authentication saml
 group-alias vpn-east enable
 saml identity-provider http://www.okta.com/'xxxxxxxxxxxxxxxxxxxxxxxxxx'

This appears to be a DNS issue as I can ping 8.8.8.8 with replies.

I can provide additional details if needed, but I'm pretty stuck here.

3 Replies

@RandallC2 I see no split tunnel configuration, so I assume all traffic is tunneled to the ASA and you wish to access the internet from there? Do you have a NAT rule for the AnyConnect IP pool "PURFOY-Anyconnect"? Do you have the command same-security-traffic permit intra-interface enabled to permit the traffic to hairpin?

Thank you for the quick reply @Rob Ingram. Please excuse my lack of networking knowledge, but I'm extremely new to this and am wondering if there is a way for me to check the configuration on the working tunnel for the specifications that you've asked for?

@RandallC2 connect to the ASA on the CLI and check the configuration; alternatively, provide the full configuration here and we can have a look.
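To make the check Rob Ingram describes repeatable, here is a small Python script (added here as an example; it is not from this thread, from Cisco, or from the poster's ASA) that reads a saved `show running-config` and, for one tunnel-group, reports the things that decide whether a full-tunnel AnyConnect client reaches the Internet through the ASA: which address pool the tunnel-group uses, whether a same-interface (hairpin) NAT rule covers that pool, whether `same-security-traffic permit intra-interface` is set, and which group-policy actually applies along with its `dns-server` and `split-tunnel-policy`. The last point matters here because the SAML tunnel-group posted above has no `default-group-policy` line, so it falls back to `DfltGrpPolicy` rather than `NoAccess`. The embedded config is a constructed sample: the pool and tunnel-group names are taken from the thread, but every address, object name and policy attribute is an invented placeholder.

```python
import ipaddress
import re

# Constructed sample running-config, NOT the poster's real configuration.
# Pool and tunnel-group names come from the thread; addresses, the object
# name and the group-policy contents are placeholders.
SAMPLE_CONFIG = """
same-security-traffic permit intra-interface
ip local pool PURFOY-Anyconnect 10.99.0.10-10.99.0.200 mask 255.255.255.0
object network VPN_POOL_NET
 subnet 10.99.0.0 255.255.255.0
nat (outside,outside) source dynamic VPN_POOL_NET interface
group-policy NoAccess attributes
 dns-server value 10.1.1.53
 split-tunnel-policy tunnelall
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
tunnel-group ANYCONNECT_TUNNEL type remote-access
tunnel-group ANYCONNECT_TUNNEL general-attributes
 address-pool PURFOY-Anyconnect
 default-group-policy NoAccess
tunnel-group vpn-east_okta type remote-access
tunnel-group vpn-east_okta general-attributes
 address-pool PURFOY-Anyconnect
tunnel-group vpn-east_okta webvpn-attributes
 authentication saml
"""

NAT_RE = r"nat \((\S+),(\S+)\) (.*)"


def parse_config(text):
    """Collect pools, network objects, NAT rules, group-policies, tunnel-groups
    and the intra-interface flag from ASA running-config text."""
    cfg = {"pools": {}, "objects": {}, "nat": [], "group_policies": {},
           "tunnel_groups": {}, "intra_interface": False}
    section = None  # (kind, name) of the sub-mode the indented lines belong to
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):            # top-level (global) command
            section = None
            if line == "same-security-traffic permit intra-interface":
                cfg["intra_interface"] = True
            elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", line):
                name, start, _end, mask = m.groups()
                cfg["pools"][name] = ipaddress.ip_network(f"{start}/{mask}", strict=False)
            elif m := re.match(r"object network (\S+)", line):
                section = ("object", m.group(1))
            elif m := re.match(NAT_RE, line):     # twice NAT (manual) rule
                cfg["nat"].append((m.group(1), m.group(2), m.group(3).split()))
            elif m := re.match(r"group-policy (\S+) attributes", line):
                section = ("gp", m.group(1))
                cfg["group_policies"].setdefault(m.group(1), {})
            elif m := re.match(r"tunnel-group (\S+) (general|webvpn)-attributes", line):
                section = ("tg", m.group(1))
                cfg["tunnel_groups"].setdefault(m.group(1), {})
            continue
        if section is None:
            continue
        sub, (kind, name) = line.strip(), section
        if kind == "object":
            if m := re.match(r"subnet (\S+) (\S+)", sub):
                cfg["objects"][name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            elif m := re.match(r"host (\S+)", sub):
                cfg["objects"][name] = ipaddress.ip_network(m.group(1))
            elif m := re.match(NAT_RE, sub):      # object NAT: the object is the source
                cfg["nat"].append((m.group(1), m.group(2), [name] + m.group(3).split()))
        elif kind == "gp":
            if m := re.match(r"dns-server value (.*)", sub):
                cfg["group_policies"][name]["dns"] = m.group(1).split()
            elif m := re.match(r"split-tunnel-policy (\S+)", sub):
                cfg["group_policies"][name]["split_tunnel"] = m.group(1)
        elif kind == "tg":
            if m := re.match(r"address-pool (\S+)", sub):
                cfg["tunnel_groups"][name]["pool"] = m.group(1)
            elif m := re.match(r"default-group-policy (\S+)", sub):
                cfg["tunnel_groups"][name]["group_policy"] = m.group(1)
    return cfg


def check_tunnel_group(text, tg_name):
    """Report the hairpin NAT, intra-interface and DNS prerequisites for one tunnel-group."""
    cfg = parse_config(text)
    tg = cfg["tunnel_groups"].get(tg_name, {})
    pool_name = tg.get("pool")
    pool_net = cfg["pools"].get(pool_name)
    gp_name = tg.get("group_policy", "DfltGrpPolicy")   # ASA default when none is set
    gp = cfg["group_policies"].get(gp_name, {})
    # A hairpin rule translates the pool when traffic enters and leaves the same interface.
    hairpin_nat = pool_net is not None and any(
        in_if == out_if and any(tok in cfg["objects"] and pool_net.subnet_of(cfg["objects"][tok])
                                for tok in tokens)
        for in_if, out_if, tokens in cfg["nat"])
    result = {"pool": pool_name, "pool_network": str(pool_net) if pool_net else None,
              "group_policy": gp_name, "dns_servers": gp.get("dns", []),
              "split_tunnel": gp.get("split_tunnel"),
              "intra_interface": cfg["intra_interface"], "hairpin_nat": hairpin_nat,
              "findings": []}
    if pool_net is None:
        result["findings"].append(f"address pool {pool_name!r} not found")
    if not cfg["intra_interface"]:
        result["findings"].append("same-security-traffic permit intra-interface is not set")
    if not hairpin_nat:
        result["findings"].append(f"no same-interface NAT rule covers pool {pool_name}")
    if result["split_tunnel"] in (None, "tunnelall") and not result["dns_servers"]:
        result["findings"].append(f"group-policy {gp_name} sets no dns-server; full-tunnel clients get no resolver")
    return result


if __name__ == "__main__":
    for name in ("ANYCONNECT_TUNNEL", "vpn-east_okta"):
        print(name, "->", check_tunnel_group(SAMPLE_CONFIG, name)["findings"] or "prerequisites present")
```

Run it against a file saved from `show running-config` by replacing `SAMPLE_CONFIG` with the file's contents. On the constructed sample the working tunnel-group reports nothing, while `vpn-east_okta` is flagged only for the missing resolver, because it inherits `DfltGrpPolicy`, which sets no `dns-server`; that is the same symptom the original post describes (ICMP to 8.8.8.8 works, name resolution does not). The parser only understands the handful of commands it needs, so treat anything it does not flag as "not checked" rather than "fine".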