Unable to Reach the Internet Over AnyConnect VPN

Joel Jackson
Level 1

We have a 5506-X ASA and at present, the AnyConnect client is able to successfully establish a VPN tunnel (IKEv2/IPSec). I am able to ping hosts on my internal LAN over this tunnel but nothing on the internet. I do not want traffic to split tunnel and so I have enabled "Tunnel All Networks" in my group policy. Wireshark at least confirms that the laptop is trying to send the traffic over the tunnel. Pings to 8.8.8.8 just timeout. Hoping to get some advice on where to look for this issue.


5 Replies

GioGonza
Level 4

Hello @Joel Jackson

Did you check the NAT for the U-turn? Let's say nat (outside,outside) dynamic interface...

Another thing would be the same-security-traffic permit intra-interface; can you check this also? "show run same-security-traffic"

Also, can you share your config so I can look further?

HTH

Gio

I have the following NAT setup for testing purposes:

nat (outside,outside) source static AnyConnect-Pool AnyConnect-Pool destination static Google-DNS-B no-proxy-arp

ASA# sh run same-security-traffic
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

As for the whole config, would it be OK to send it in a private message?

Hello @Joel Jackson

Yes sure, you can send me the config through private message. 

According to the NAT, you are doing a NAT exemption, and the NAT for Internet should be for the interface in order to browse with the outside IP address of the ASA.

I would say remove the one you have configured and apply the following: 

nat (outside,outside) source dynamic AnyConnect-Pool interface

HTH

Gio

Sending the config over now. The reason there is an exempt NAT for that traffic is because the "outside" interface is actually in a DMZ behind a firewall. The NATing should be left for the firewall (which has the public IPs) to do.

Joel Jackson
Level 1

This has been squared away. TAC removed the ip any any match on my crypto map and everything now works.
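The three things this thread checked (a hairpin NAT rule for the VPN pool, same-security-traffic permit intra-interface, and an "ip any any" match on a crypto map) as a small lint over a running-config excerpt. This is an added example, not code from any poster or from Cisco; the config excerpt is constructed and the object and crypto map names in it are assumptions.

```python
import re

# Constructed running-config excerpt (not from the thread). Object and
# crypto map names are assumptions; the pool NAT is an exemption like the
# original poster's, and the crypto ACL matches ip any any.
SAMPLE_CONFIG = """
same-security-traffic permit inter-interface
object network AnyConnect-Pool
 subnet 10.10.10.0 255.255.255.0
nat (outside,outside) source static AnyConnect-Pool AnyConnect-Pool destination static Google-DNS-B Google-DNS-B no-proxy-arp
access-list L2L-ACL extended permit ip any any
crypto map outside_map 10 match address L2L-ACL
crypto map outside_map interface outside
"""


def audit_anyconnect_hairpin(config, pool="AnyConnect-Pool"):
    """Return findings relevant to full-tunnel internet access over AnyConnect."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []

    # 1. Hairpinning (in and out the same interface) needs intra-interface permitted.
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing: same-security-traffic permit intra-interface")

    # 2. The pool needs an outside->outside NAT rule: dynamic to the interface
    #    when the ASA NATs, or an exemption when an upstream firewall NATs.
    pool_nat = [l for l in lines if l.startswith("nat (outside,outside)") and pool in l]
    if not pool_nat:
        findings.append(f"missing: nat (outside,outside) rule for {pool}")
    elif not any("dynamic" in l and l.endswith("interface") for l in pool_nat):
        findings.append(f"note: {pool} NAT is an exemption; upstream device must NAT")

    # 3. Flag crypto map entries whose match ACL permits ip any any
    #    (the match TAC removed in the accepted solution).
    any_any_acls = set()
    for l in lines:
        m = re.match(r"access-list (\S+) extended permit ip any any$", l)
        if m:
            any_any_acls.add(m.group(1))
    for l in lines:
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)$", l)
        if m and m.group(3) in any_any_acls:
            findings.append(f"crypto map {m.group(1)} {m.group(2)} matches ip any any via {m.group(3)}")
    return findings
```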