Strange issue..... AnyConnect VPN, when connected only allows WEB access

Neil Cudmore
Level 1

So, I've never seen this before; it's the 'reverse' of most issues, where people can normally access internal systems but not the web.

Here I have an AnyConnect (4.2.x) client connecting to a 5520 ASA on 9.1(6). When connected, the remote users can access the internet via the internal web proxy which has been configured, but cannot ssh, remote desktop etc. to any devices on the internal network. The IP address is correct and out of the VPN pool; the only error I've seen on the console is about "DHCP configured, no viable servers found for tunnel-group 'AnyConnect'", yet the next line states "IPAA: Client assigned .... from local pool", so all looks good otherwise.

3 Replies

JP Miranda Z
Cisco Employee

Hi Neil Cudmore,

Are you using split tunnel or tunnel all?

Can you attach the config of the AnyConnect including tunnel group, group policy and the nat for the internal traffic to the AnyConnect client?

Hope this info helps!!

Rate if it helps you!!

-JP-

Hi, sorry, was on holiday...

Anyhow, here's the NAT. We have two ISPs: CSS (outside) and Virgin (Virgin):

nat (inside,Virgin-line) source static local-nw local-nw destination static vpn-nw vpn-nw no-proxy-arp route-lookup
nat (inside,outside) source static local-nw local-nw destination static vpn-nw vpn-nw no-proxy-arp route-lookup
!
nat (inside,Virgin-line) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,Virgin-line) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group Virgin-line_access_in in interface Virgin-line
access-group outside_access_in in interface outside
!

and the VPN:

webvpn
enable Virgin-line
enable outside
no anyconnect-essentials
csd image disk0:/csd_3.5.841-k9.pkg
anyconnect image disk0:/anyconnect-win-4.2.01022-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macosx-i386-4.2.01022-k9.pkg 2 regex "Intel Mac OS X"
anyconnect image disk0:/anyconnect-linux-64-4.2.01022-k9.pkg 3 regex "Linux"
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_vAnyConnect internal
group-policy GroupPolicy_vAnyConnect attributes
wins-server none
dns-server value 192.168.2.100
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-network-list value SPLIT_TUNNEL
default-domain value tabshq.com
webvpn
anyconnect ssl dtls enable
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect profiles value vAnyConnect_client_profile type user
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 192.168.2.100
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-network-list value SPLIT_TUNNEL
default-domain value tabshq.com
split-tunnel-all-dns enable
msie-proxy server value 192.168.2.120:8086
msie-proxy method use-server

webvpn
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect profiles value AnyConnect_client_profile type user
username userx password *********** encrypted
username userx attributes
service-type remote-access

tunnel-group vAnyConnect type remote-access
tunnel-group vAnyConnect general-attributes
address-pool VPN_POOL
accounting-server-group tacas
default-group-policy GroupPolicy_AnyConnect
tunnel-group vAnyConnect webvpn-attributes
group-alias vAnyConnect enable
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_POOL
secondary-authentication-server-group Duo-LDAP use-primary-username
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable

At present the Virgin isn't working because of issues with the Virgin router/modem. In router mode we get a 150mb connection; in modem mode, which allows the VPN to work, the connection drops to <20mb... Go figure. So we could drop the Virgin config, but then we'd have a single point of failure.

Oops, err, forgot to add: the plan was full tunnel and use a proxy server while connected to give users web access.

This actually works, so users can access MSN, Google etc. As long as it's only HTTP or HTTPS traffic, it's all working...
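JP's reply asks for exactly three things: split tunnel or tunnel-all, the tunnel-group and group-policy, and the NAT exemption for traffic to the AnyConnect clients. The script below is an added example, not the ASA's own tooling and not code from either poster; it parses a running-config excerpt (the sample is constructed from the lines posted above, kept unindented as posted) and reports those three items for a tunnel-group. It also encodes one fact worth checking by hand on the real box: when a group-policy carries `split-tunnel-network-list` but no `split-tunnel-policy` line, the ASA default of `tunnelall` applies and the list is inert, which is what the full-tunnel plan described above relies on. The identity-NAT check only lists which interface pairs carry an exemption towards the VPN pool object, so a missing pair for some other interface stands out.

```python
# Added example, not the ASA's own tooling or the thread author's code: map each
# tunnel-group to its effective group-policy, report the split-tunnel mode (the
# ASA default when 'split-tunnel-policy' is absent is tunnelall) and list the
# interface pairs carrying an identity NAT for the VPN pool object.
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the lines posted in the thread, unindented as posted.
SAMPLE_CONFIG = """\
nat (inside,Virgin-line) source static local-nw local-nw destination static vpn-nw vpn-nw no-proxy-arp route-lookup
nat (inside,outside) source static local-nw local-nw destination static vpn-nw vpn-nw no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,Virgin-line) after-auto source dynamic any interface
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
dns-server value 192.168.2.100
split-tunnel-network-list value SPLIT_TUNNEL
msie-proxy server value 192.168.2.120:8086
msie-proxy method use-server
webvpn
anyconnect ssl compression lzs
username userx password *********** encrypted
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
"""

# Named blocks; only the *attributes forms carry sub-commands.
SECTION_RE = re.compile(r"^(group-policy|tunnel-group)\s+(\S+)\s+"
                        r"(attributes|general-attributes|webvpn-attributes|internal|type)\b")
# Other top-level commands that end an open block in a flattened config.
TOPLEVEL = ("username ", "access-group ", "access-list ", "object ", "interface ")
NAT_RE = re.compile(r"^nat \((?P<src>[^,]+),(?P<dst>[^)]+)\)\s+(?P<rest>.+)$")
# Twice-NAT identity rule: 'source static X X destination static Y Y'.
IDENTITY_RE = re.compile(r"source static (\S+) \1 destination static (\S+) \2")


def parse_nat(line: str) -> dict:
    m = NAT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised nat line: {line}")
    ident = IDENTITY_RE.search(m.group("rest"))
    return {"src_if": m.group("src"), "dst_if": m.group("dst"),
            "exempt": (ident.group(1), ident.group(2)) if ident else None}


def parse_asa(config: str) -> dict:
    """Collect sub-commands per (kind, name) block plus every nat statement."""
    blocks: Dict[Tuple[str, str], List[str]] = {}
    nat: List[dict] = []
    current: Optional[Tuple[str, str]] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith(TOPLEVEL):
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name, sub = m.groups()
            blocks.setdefault((kind, name), [])
            current = (kind, name) if sub.endswith("attributes") else None
        elif line.startswith("nat "):
            current = None
            nat.append(parse_nat(line))
        elif current is not None:
            blocks[current].append(line)
    return {"blocks": blocks, "nat": nat}


def attr(block: List[str], prefix: str) -> Optional[str]:
    """Text following 'prefix' in a block, or None if the command is absent."""
    for cmd in block:
        if cmd == prefix or cmd.startswith(prefix + " "):
            return cmd[len(prefix):].strip()
    return None


def summarise_tunnel_group(cfg: dict, tg_name: str) -> dict:
    tg = cfg["blocks"].get(("tunnel-group", tg_name), [])
    pol_name = attr(tg, "default-group-policy") or "DfltGrpPolicy"
    pol = cfg["blocks"].get(("group-policy", pol_name), [])
    return {
        "tunnel_group": tg_name,
        "address_pool": attr(tg, "address-pool"),
        "group_policy": pol_name,
        # Without 'split-tunnel-policy tunnelspecified' the network list is inert.
        "split_tunnel_policy": attr(pol, "split-tunnel-policy") or "tunnelall",
        "split_tunnel_list": attr(pol, "split-tunnel-network-list value"),
        "msie_proxy": attr(pol, "msie-proxy server value"),
    }


def nat_exemptions(cfg: dict, vpn_object: str) -> List[Tuple[str, str]]:
    """Interface pairs with an identity NAT whose destination is the VPN pool."""
    return sorted((r["src_if"], r["dst_if"]) for r in cfg["nat"]
                  if r["exempt"] and r["exempt"][1] == vpn_object)


if __name__ == "__main__":
    cfg = parse_asa(SAMPLE_CONFIG)
    print(summarise_tunnel_group(cfg, "AnyConnect"))
    print("identity NAT towards vpn-nw on:", nat_exemptions(cfg, "vpn-nw"))
```

On the sample, the summary reports `split_tunnel_policy` as `tunnelall` for GroupPolicy_AnyConnect even though SPLIT_TUNNEL is referenced, and the identity NAT for vpn-nw is present on (inside,Virgin-line) and (inside,outside) only. To run it against a real device, paste the output of `show running-config` into `SAMPLE_CONFIG` or read it from a file; the parser accepts both the indented form the ASA prints and the flattened form posted here.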