cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
420
Views
0
Helpful
2
Replies

No internet using Anyconnect with tunnellall options

c.console
Level 1
Level 1

Hello everyone and thanks in advance for your support,
one of my clients asked me to reuse an ASA 5506 so as to be able to allow some users to connect remotely via Anyconnect.
However, the request requires the use of the tunnellall option for obvious security reasons.
I enabled U-Turn with same-security traffic permit intra-interface as the first step.
I then created a LAN object and a subnet object for the Anyconnect clients

object network VPN
subnet 192.168.50.0 255.255.255.0

object network LAN
subnet 10.0.1.0 255.255.255.0

The outside interface has an IP of 192.168.224.2 given that the connection comes from an operator router placed in DMZ towards the Cisco which has an inside IP of 10.0.1.10

I fixed the nat with:
nat (inside,outside) source static LAN LAN destination static VPN VPN

And with
object network VPN
subnet 192.168.50.0 255.255.255.0
nat (outside,outside) dynamic interface

Now...
Anyconnect clines connect correctly, receive the correct set of information (ip, mask, dns) and can access LAN resources but do not surf the internet.

Here the complete configuration (redacted):

: Serial Number: XXXXXXXX
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname XXXXXXX
domain-name XXXXXXXX
enable password XXXXXXXX 
names
ip local pool SSL 192.168.50.2-192.168.50.27 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.244.2 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.0.1.10 255.255.255.0
!
interface GigabitEthernet1/3
no nameif
security-level 99
no ip address
!
interface GigabitEthernet1/4
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/5
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/6
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/7
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/8
no nameif
security-level 100
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa5500-firmware-1118.SPA
ftp mode passive
clock timezone GMT 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.1.13
name-server 10.0.1.11
name-server 1.1.1.1
domain-name XXXXXXXX
same-security-traffic permit inter-interface
object network lan
subnet 10.0.1.0 255.255.255.0
object network internet
subnet 0.0.0.0 0.0.0.0
object network VPN
subnet 192.168.50.0 255.255.255.0
object network LAN
subnet 10.0.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any echo-reply outside
icmp deny any outside
asdm image disk0:/asdm-7202.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static LAN LAN destination static VPN VPN
!
object network internet
nat (any,outside) dynamic interface
object network OBJ-VPN
nat (outside,outside) dynamic interface
object network OBJ-PUBLIC
nat (inside,outside) dynamic interface
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.244.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authentication login-history
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
ssh cipher encryption high
ssh key-exchange group dh-group14-sha1
console timeout 0

dhcpd dns 1.1.1.1 8.8.8.8
dhcpd auto_config outside
dhcpd option 3 ip 172.16.0.1
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.239.35.0 source outside
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default custom "RC4-MD5:RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-MD5:RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-MD5:RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl ecdh-group group21
ssl trust-point ASDM_TrustPoint2 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.9.04043-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client ssl-clientless
group-policy GroupPolicy internal
group-policy GroupPolicy attributes
webvpn
anyconnect modules value vpngina
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
dns-server value 10.0.1.11 10.0.1.13
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value asgard.ofc
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
dns-server value 10.0.1.11
vpn-tunnel-protocol l2tp-ipsec
dynamic-access-policy-record DfltAccessPolicy
username USER password XXXXXXXXX pbkdf2 privilege 0
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
address-pool SSL
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
!
prompt hostname context
no call-home reporting anonymous

2 Replies 2

Pavan Gundu
Cisco Employee
Cisco Employee

Run a packet tracer on outside to any of the unused AnyConnect pool ip and 8.8.8.8 to see what are the phases the packet is going through, and check if your NAT exempt is being hit.

Couple of things I would suggest:

1) The network object "OBJ-VPN" does not seem to have AnyConnect pool referenced. You can either add AnyConnect pool to this object or add the dynamic NAT statement to the "VPN" object you shared that doesn't seem to exist in the complete config.

2) I would remove the network object "internet" as it wouldn't be needed.

3) Add "split-tunnel-all-dns enable" command under "GroupPolicy_ANYCONNECT-PROFILE" group policy.