10-17-2012 01:21 PM - edited 02-21-2020 06:25 PM
Currently my org is in the middle of moving from an IPsec VPN to an SSL VPN.
I have it set up where users can use the AnyConnect client to get VPN access and they can access any internal servers or address but are not able to access the internet.
What would be the best solution to apply to get users the function to access external websites?
ip local pool SSL 10.x.x4.xx-10.x.x4.xx mask 255.255.255.0
Line 409: ip local pool SSL 10.x.x4.xx-10.x.x4.xx mask 255.255.255.0
Line 844: ssl trust-point ASDM_TrustPoint0 inside
Line 845: ssl trust-point ASDM_TrustPoint0 outside
Line 860: vpn-tunnel-protocol ssl-client ssl-clientless
Line 863: anyconnect ssl compression deflate
Line 874: vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
Line 917: vpn-tunnel-protocol ikev1 ssl-client
Line 1072: address-pool SSL
Line 1076: default-group-policy SSL_VPN
Line 1077: tunnel-group SSLVPN webvpn-attributes
Line 1079: group-alias SSLVPN enable
Solved! Go to Solution.
10-18-2012 04:16 AM
Hi,
did you also try split-tunneling?
Here is a sample:
asa5505(config)# access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
asa5505(config)# group-policy SSLClientPolicy attributes
asa5505(config-group-policy)# split-tunnel-policy tunnelspecified
asa5505(config-group-policy)# split-tunnel-network-list value split-tunnel
asa5505(config-group-policy)# webvpn
asa5505(config-group-webvpn)# svc ask none default svc
asa5505(config-group-webvpn)# svc keep-installer installed
asa5505(config-group-webvpn)# svc rekey time 30
asa5505(config-group-webvpn)# svc rekey method ssl
BR
Hans-Juergen Guenter
10-17-2012 02:25 PM
Hello Porfirio,
You need to perform an Outside NAT and allow same-security traffic for intra-interface traffic and of course tunnel all traffic.
Let me know if this answers your question or if you need something else
Regards,
Julio
10-17-2012 05:05 PM
Julio,
This is what is in place now.
The only thing I do not see configured is allow same-security traffic for intra-interface traffic.
Currently we have users using IPsec VPN and it is configured to use split-tunneling. Is this something that could also be used in this SSL VPN setup?
Line 428: nat (inside,outside) source static any any destination static obj-10.x.x4.0 obj-10.x.x4.0 no-proxy-arp route-lookup
Sorry for all the questions. I was just given ownership of all the ASA needs. So any help would be grateful.
I'm thinking all I need is in this doc but not sure.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml
10-17-2012 07:01 PM
Hello Porfirio,
What about the Outside NAT??
You need to do those 2 things (same security and outside NAT):
object network VPN_Anyconnect_pool
 subnet 192.168.10.0 255.255.255.0
nat (outside,outside) source dynamic VPN_Anyconnect_pool interface
same-security-traffic permit intra-interface
Regards
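The two answers in this thread describe the two ways out: hairpin tunnel-all traffic back out the outside interface (outside NAT plus same-security-traffic permit intra-interface), or split-tunnel so only internal prefixes enter the tunnel and Internet traffic never reaches the ASA's inspection. Below is an added example, not from the thread or from Cisco, of a small Python check that reads a show running-config style excerpt (attribute lines indented one space) and flags the pieces that are most often missing or mistyped for each approach. The sample configs, object name, pool addresses and group-policy names are constructed assumptions, not the poster's configuration.

```python
import re

# Constructed sample modelled on the thread: a tunnel-all AnyConnect policy whose
# hairpin NAT refers to a mistyped object and whose same-security line is missing.
# All names and addresses are assumptions, not the poster's real config.
BROKEN_CONFIG = """\
ip local pool SSL 192.0.2.10-192.0.2.250 mask 255.255.255.0
object network VPN_Anyconnect_pool
 subnet 192.0.2.0 255.255.255.0
nat (outside,outside) source dynamic VPN_Anyconnec_pool interface
group-policy SSL_VPN internal
group-policy SSL_VPN attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
"""

# Same config with the object name corrected and the same-security line added.
FIXED_CONFIG = (BROKEN_CONFIG.replace("VPN_Anyconnec_pool", "VPN_Anyconnect_pool")
                + "same-security-traffic permit intra-interface\n")

# Constructed split-tunnel variant: no hairpin NAT is needed because Internet
# traffic never enters the tunnel.
SPLIT_CONFIG = """\
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
group-policy SSLClientPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
"""


def parse(text):
    """Extract only the pieces of the running-config the checks below need."""
    objects, acls, nat_objs, policies = set(), set(), [], {}
    current = None  # name of the group-policy whose attributes we are inside
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            current = None  # any top-level line ends the attributes block
        m = re.match(r"object network (\S+)$", line)
        if m:
            objects.add(m.group(1))
            continue
        m = re.match(r"access-list (\S+) ", line)
        if m:
            acls.add(m.group(1))
            continue
        m = re.match(r"nat \(outside,outside\) source dynamic (\S+) interface$", line)
        if m:
            nat_objs.append(m.group(1))
            continue
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, {"split": None, "acl": None})
            continue
        if current and indented:
            m = re.match(r"split-tunnel-policy (\S+)$", line)
            if m:
                policies[current]["split"] = m.group(1)
            m = re.match(r"split-tunnel-network-list value (\S+)$", line)
            if m:
                policies[current]["acl"] = m.group(1)
    same_sec = "same-security-traffic permit intra-interface" in text
    return objects, acls, nat_objs, policies, same_sec


def check(text):
    """Return a list of findings; an empty list means the excerpt looks complete."""
    objects, acls, nat_objs, policies, same_sec = parse(text)
    findings = []
    # tunnelall is also the default when no split-tunnel-policy is set.
    tunnel_all = sorted(p for p, v in policies.items() if v["split"] in (None, "tunnelall"))
    if tunnel_all:
        if not same_sec:
            findings.append("missing 'same-security-traffic permit intra-interface' "
                            "(needed for tunnel-all policies: %s)" % ", ".join(tunnel_all))
        if not nat_objs:
            findings.append("no 'nat (outside,outside) source dynamic <pool-object> "
                            "interface' hairpin NAT found")
    for obj in nat_objs:
        if obj not in objects:
            findings.append("hairpin NAT references undefined object '%s'" % obj)
    for name, v in policies.items():
        if v["split"] == "tunnelspecified":
            if v["acl"] is None:
                findings.append("policy %s is tunnelspecified but has no network list" % name)
            elif v["acl"] not in acls:
                findings.append("policy %s references undefined access-list '%s'" % (name, v["acl"]))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG), ("split", SPLIT_CONFIG)):
        print(label, check(cfg) or "OK")
```

Run it against a saved show running-config; the broken sample reports both the missing same-security line and the object-name mismatch, while the fixed and split-tunnel samples come back clean. A mistyped object name in the nat line is exactly the kind of fault that leaves AnyConnect users with internal access but no Internet, so it is worth catching before blaming the tunnel.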