12-12-2017 07:47 AM - edited 03-12-2019 04:49 AM
We have a 5506-X ASA and at present, the AnyConnect client is able to successfully establish a VPN tunnel (IKEv2/IPsec). I am able to ping hosts on my internal LAN over this tunnel but nothing on the internet. I do not want traffic to split tunnel and so I have enabled "Tunnel All Networks" in my group policy. Wireshark at least confirms that the laptop is trying to send the traffic over the tunnel. Pings to 8.8.8.8 just time out. Hoping to get some advice on where to look for this issue.
12-18-2017 02:23 PM
This has been squared away. TAC removed the ip any any match on my crypto map and everything now works.
12-12-2017 07:51 AM
Hello @Joel Jackson,
Did you check the NAT for the U-turn? Let's say nat (outside,outside) dynamic interface...
The other thing would be the same-security-traffic permit intra-interface; can you check this also? "show run same-security-traffic"
Also, can you share your config so I can look further?
HTH
Gio
12-12-2017 08:00 AM
12-12-2017 08:07 AM
Hello @Joel Jackson,
Yes sure, you can send me the config through private message.
According to the NAT, you are doing a NAT exemption, and the NAT for the Internet should be for the interface in order to browse with the outside IP address of the ASA.
I would say remove the one you have configured and apply the following:
nat (outside,outside) source dynamic AnyConnect-Pool interface
HTH
Gio
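As an added illustration (not Joel's config and not from this thread), here are the hairpin pieces Gio describes in one place, followed by the checks a practitioner would run on the ASA; the pool name, its subnet, the interface name and the group-policy name are assumptions:

```cisco
! --- Added example, not the poster's config. Names are assumptions:
! AnyConnect-Pool = 10.10.10.0/24 client pool, "outside" = VPN-facing interface,
! AC-GP = the AnyConnect group policy.
!
! 1. Let traffic enter and leave the same interface (hairpin / U-turn).
same-security-traffic permit intra-interface
!
! 2. Hairpin NAT: VPN clients heading back out "outside" get the outside
!    interface IP. This replaces a NAT exemption that would also match this path.
object network AnyConnect-Pool
 subnet 10.10.10.0 255.255.255.0
nat (outside,outside) source dynamic AnyConnect-Pool interface
!
! 3. Tunnel-all policy so the client sends Internet traffic into the tunnel.
group-policy AC-GP attributes
 split-tunnel-policy tunnelall
!
! --- Checks ---
! Confirm the hairpin setting is present.
show run same-security-traffic
! Confirm the hairpin translation exists and its hit count grows during a ping.
show nat detail
! Simulate a client ping to 8.8.8.8 and read which NAT rule and which crypto
! map phase the flow lands in. A site-to-site crypto map ACL that matches
! "ip any any" captures this flow instead of letting it hairpin out, which is
! what turned out to be the cause in this thread.
packet-tracer input outside icmp 10.10.10.5 8 0 8.8.8.8 detailed
show run crypto map
```

If packet-tracer shows the flow entering a VPN encrypt phase for a peer other than the AnyConnect session, the crypto map ACL is too broad and needs to be narrowed to the real site-to-site networks.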
12-12-2017 08:28 AM - edited 12-12-2017 08:28 AM
Sending the config over now. The reason there is an exempt nat for that traffic is because the "outside" interface is actually in a DMZ behind a firewall. The NATing should be left for the firewall (has the public IPs) to do.