Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2744
Views
5
Helpful
3
Replies

VPN AnyConnect cannot browse internet

Go to solution
SteveNode03
Level 1
Level 1

‎11-14-2016 07:36 PM - edited ‎02-21-2020 09:03 PM

I cant get the VPN user to browse once connected to the ASA.  Any ideas?  Ive followed a few articles on cisco and nothing seems to work. 

Can someone help?

Here is my syntax for the ASA:

: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname ET-FW
enable password @#@#@#@# encrypted
names
ip local pool AnyConnect-VPN-Pool 10.10.10.10-10.10.10.100 mask 255.255.255.0

!
interface GigabitEthernet1/1
 description WAN
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
ftp mode passive
object network INSIDE_SUBNET
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_25
 subnet 10.10.10.0 255.255.255.128
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Split-ACL standard permit 192.168.1.0 255.255.255.0
access-list Split-ACL standard permit 10.10.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_25 NETWORK_OBJ_10.10.10.0_25 no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn web.domain.com
 email email@email.com
 subject-name CN=ET-FW
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate bcb01258
    308202f6 308201de a0030201 020204bc b0125830 0d06092a 864886f7 0d010105
    0500303d 31133011 06035504 03130a56 616e6372 65737446 57312630 2406092a
    864886f7 0d010902 16177661 6e637265 73742e67 6f68656c 70646573 6b2e636f
 
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh 172.16.1.0 255.255.255.0 management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 5

ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.2.01035-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-macosx-i386-4.2.01035-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect image disk0:/anyconnect-linux-64-4.2.01035-k9.pkg 3 regex "Linux"
 anyconnect profiles AnyConnect-VPN-Users_client_profile disk0:/AnyConnect-VPN-Users_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 tunnel-group-preference group-url
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_AnyConnect-VPN-Users internal
group-policy GroupPolicy_AnyConnect-VPN-Users attributes
 wins-server none
 dns-server value 192.168.1.5
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value web.domain.com
 webvpn
  anyconnect profiles value AnyConnect-VPN-Users_client_profile type user
group-policy AnyConnect-VPN-Users internal
group-policy AnyConnect-VPN-Users attributes
 dns-server value 192.168.1.5
 vpn-tunnel-protocol ikev2
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-ACL
dynamic-access-policy-record DfltAccessPolicy
username EndUser password yccb73J3Q3D/V3123il8Js encrypted
tunnel-group AnyConnect-VPN-Users type remote-access
tunnel-group AnyConnect-VPN-Users general-attributes
 address-pool AnyConnect-VPN-Pool
 default-group-policy GroupPolicy_AnyConnect-VPN-Users
tunnel-group AnyConnect-VPN-Users webvpn-attributes
 group-alias AnyConnect-VPN-Users enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ce2b5a1e56e2453aaab639c980db4dea
: end

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mdussana
Level 1
Level 1

‎11-15-2016 04:51 AM

Hi Stephen,

I realized you have two different group policies, one which you don't have a split tunnel rule configured.

group-policy GroupPolicy_AnyConnect-VPN-Users internal
group-policy GroupPolicy_AnyConnect-VPN-Users attributes
 wins-server none
 dns-server value 192.168.1.5
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value web.domain.com
 webvpn
  anyconnect profiles value AnyConnect-VPN-Users_client_profile type user
group-policy AnyConnect-VPN-Users internal
group-policy AnyConnect-VPN-Users attributes
 dns-server value 192.168.1.5
 vpn-tunnel-protocol ikev2
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-ACL

An the group policy that you have configured in your Tunnel Group is  GroupPolicy_AnyConnect-VPN-Users.

tunnel-group AnyConnect-VPN-Users type remote-access
tunnel-group AnyConnect-VPN-Users general-attributes
 address-pool AnyConnect-VPN-Pool
 default-group-policy GroupPolicy_AnyConnect-VPN-Users
tunnel-group AnyConnect-VPN-Users webvpn-attributes
 group-alias AnyConnect-VPN-Users enable

So, most probably that is the issue you are having. You should either configure the proper group policy under your tunnel group, or modify your current group policy to have the same Split Tunnel rule.

It is not necessary to include the AnyConnect pool on your SplitTunnel ACL, not recommended actually.

View solution in original post

3 Replies 3

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎11-14-2016 09:14 PM

Hi ,

Can you share the output of show vpn-sessiondb anyconnect filter name <username> when you connect to Anyconnect ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Go to solution
mdussana
Level 1
Level 1

‎11-15-2016 04:51 AM

Hi Stephen,

I realized you have two different group policies, one which you don't have a split tunnel rule configured.

group-policy GroupPolicy_AnyConnect-VPN-Users internal
group-policy GroupPolicy_AnyConnect-VPN-Users attributes
 wins-server none
 dns-server value 192.168.1.5
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value web.domain.com
 webvpn
  anyconnect profiles value AnyConnect-VPN-Users_client_profile type user
group-policy AnyConnect-VPN-Users internal
group-policy AnyConnect-VPN-Users attributes
 dns-server value 192.168.1.5
 vpn-tunnel-protocol ikev2
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-ACL

An the group policy that you have configured in your Tunnel Group is  GroupPolicy_AnyConnect-VPN-Users.

tunnel-group AnyConnect-VPN-Users type remote-access
tunnel-group AnyConnect-VPN-Users general-attributes
 address-pool AnyConnect-VPN-Pool
 default-group-policy GroupPolicy_AnyConnect-VPN-Users
tunnel-group AnyConnect-VPN-Users webvpn-attributes
 group-alias AnyConnect-VPN-Users enable

So, most probably that is the issue you are having. You should either configure the proper group policy under your tunnel group, or modify your current group policy to have the same Split Tunnel rule.

It is not necessary to include the AnyConnect pool on your SplitTunnel ACL, not recommended actually.

Go to solution
SteveNode03
Level 1
Level 1
In response to mdussana

‎11-15-2016 03:15 PM

Hi - Thank you so much! I removed the second group I created and applied the Split-ACL to the first group.  My issue was I setting up the second group based on the article I found on Cisco.  This solved my issue.

Stephen

0 Helpful
Customers Also Viewed These Support Documents