Remote access VPN

jthombs1016
Level 1

Hello all,

I have an ASA 55.25 firewall and I can connect to VPN without issue. The problem is that I cannot browse the Internet or ping the Internet.

I am trying to configure all Internet traffic to go through the corporate network rather than split tunneling.

I think my configuration may be incorrect somewhere.

I have uploaded my current config.

Accepted Solutions

Bogdan Nita
VIP Alumni

It looks like you are not NATing the AnyConnect IPs when they are trying to reach the Internet. Try:
object network VPN-Users
 nat (Internet-outside,Internet-outside) dynamic interface

Also, you would need to allow that traffic:
same-security-traffic permit intra-interface

Also, you may want to restrict the identity NAT from:
nat (any,any) source static any any destination static VPN-Users VPN-Users no-proxy-arp
to something like:
nat (Internet-inside,Internet-outside) source static obj-inside obj-inside destination static VPN-Users VPN-Users route-lookup no-proxy-arp

config example:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html

 

HTH

Bogdan
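
Added example (not part of the original thread and not Bogdan's code): a small Python check that audits a saved ASA running-config for the three points in the answer above. The sample config, the pool subnet, the function name and the finding labels are constructed for illustration; only VPN-Users, Internet-outside and the command syntax come from the post.

```python
import re

# Constructed sample (the poster's uploaded config is not shown on the page).
SAMPLE_CONFIG = """\
object network VPN-Users
 subnet 192.0.2.0 255.255.255.0
nat (any,any) source static any any destination static VPN-Users VPN-Users no-proxy-arp
"""


def audit_hairpin(config, pool_obj="VPN-Users", outside_if="Internet-outside"):
    """Return findings that would stop tunnel-all clients reaching the Internet."""
    findings = []
    lines = config.splitlines()

    # 1. The pool object needs dynamic PAT from the outside interface back out
    #    of the same interface (hairpin). Object NAT lives in an indented line
    #    under an "object network <name>" stanza, which may appear more than once.
    want = f"nat ({outside_if},{outside_if}) dynamic interface"
    in_obj = has_pat = False
    for line in lines:
        if not line.startswith(" "):
            in_obj = line.strip() == f"object network {pool_obj}"
        elif in_obj and line.strip() == want:
            has_pat = True
    if not has_pat:
        findings.append("missing-hairpin-pat")

    # 2. Traffic entering and leaving the same interface must be permitted.
    if not any(l.strip() == "same-security-traffic permit intra-interface"
               for l in lines):
        findings.append("missing-intra-interface")

    # 3. Identity NAT toward the pool scoped to (any,any) is broader than needed.
    broad = re.compile(r"^nat \(any,any\) source static any any "
                       r"destination static " + re.escape(pool_obj) + r"\b")
    if any(broad.match(l.strip()) for l in lines):
        findings.append("broad-identity-nat")
    return findings


if __name__ == "__main__":
    for finding in audit_hairpin(SAMPLE_CONFIG):
        print(finding)
```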


3 Replies

Thanks I will give it a try now.

Thanks added
nat (internet-outside,internet-outside)