05-03-2012 11:51 PM
I'm configuring AnyConnect VPN on an ASA 5505 version 8.2(5). Users CAN authenticate and establish a connection to the router, RDP to internal resources and resolve DNS. Split tunneling is configured (not sure if this is correct).
When a client connects to the "clientless SSL VPN Portal" they are able to browse to the initial page of a website, but can't really browse a site.
Please see config below:
======================================
: ASA Version 8.2(5)
!
hostname ASA5505
domain-name ProActiveDebt.Local
enable password xow7Gwuc8Clpqi9y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 72.214.13.96 ExternalGateway description Cox Cable Default Gateway
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 72.214.13.99 255.255.255.240
!
interface Vlan5
 no nameif
 security-level 50
 ip address 172.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.100
 domain-name ProActiveDebt.Local
object-group service rdp-alt tcp
 port-object eq 4000
object-group service rdp tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in remark allow people to ping our router
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in remark rdp access to server
access-list outside_access_in extended permit tcp any host 72.214.13.101 object-group rdp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any eq www
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip host 192.168.1.100 192.168.100.0 255.255.255.192
access-list LOCAL-ACCESS standard permit 192.168.1.0 255.255.255.0
access-list Split_Tunnel_List remark Corporate network behind ASA
access-list Split_Tunnel_List standard permit any
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip local pool VPN_IP_Pool 192.168.100.10-192.168.100.200 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 192.168.1.100 72.214.13.101 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ExternalGateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  http-proxy enable
  url-entry enable
aaa-server ActiveDirectory protocol radius
aaa-server ActiveDirectory (inside) host 192.168.1.100
 timeout 5
 key *****
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_SelfSignedCert
 enrollment self
 subject-name CN=ASA5505
 crl configure
crypto ca certificate chain ASDM_SelfSignedCert
 certificate 7c7a984f
    308201ef 30820158 a0030201 0202047c 7a984f30 0d06092a 864886f7 0d010105
    0500303c 3110300e 06035504 03130741 53413535 30353128 30260609 2a864886
    f70d0109 02161941 53413535 30352e50 726f4163 74697665 44656274 2e636f6d
    301e170d 31323035 30313136 31303539 5a170d32 32303432 39313631 3035395a
    303c3110 300e0603 55040313 07415341 35353035 31283026 06092a86 4886f70d
    01090216 19415341 35353035 2e50726f 41637469 76654465 62742e63 6f6d3081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b8 98e9e610
    4200a0b6 dea41780 8b261652 51ffd039 84767735 98908518 fe91477e 337d1ad1
    18d03266 bf74d3b5 8504a676 b1def432 7e5935a5 5af52930 bc26a28a 2bbdc0c3
    e2fa1262 ccb3be89 fb998f3b e4d54445 089dcc62 cc770625 484d5248 c0cff746
    922d1efe 669057ea 96cfb216 c0b5ce9f e142eb09 b45d2168 cf7cc502 03010001
    300d0609 2a864886 f70d0101 05050003 8181007c eb185d4d 743b245f 5f58f6f6
    1773a980 abe8516b f8738720 062ce55b f47efa1c fe76d281 dce50c1d 557fe095
    34e3f361 07c0939a a5f9d822 93b5a6fe d28131a4 c5bd2c54 c5950567 1e05335c
    a0266110 15c54299 8f3fc64a e31e8f86 bd7a423d 0f5e31c5 74fdb0d6 84993fb9
    e3a21c3e cf683e33 25ed5ef5 63dfc2e2 853dc7
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.100
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 192.168.1.100 interface inside
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.100
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value ProActiveDebt.Local
group-policy VPN_Group_Policy internal
group-policy VPN_Group_Policy attributes
 dns-server value 192.168.1.100
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value ProActiveDebt.Local
 address-pools value VPN_IP_Pool
 webvpn
  svc keep-installer installed
  svc ask none default webvpn
username bvinciguerra password LXsO1hP.z7Hb/bLF encrypted privilege 15
username fcolson password /XdEajHu4jAj384z encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_IP_Pool
tunnel-group AnyConnect-VPN type remote-access
tunnel-group AnyConnect-VPN general-attributes
 address-pool VPN_IP_Pool
 authentication-server-group ActiveDirectory
 default-group-policy VPN_Group_Policy
 dhcp-server 192.168.1.100
tunnel-group ProactiveVPN type remote-access
tunnel-group ProactiveVPN general-attributes
 address-pool VPN_IP_Pool
 authentication-server-group ActiveDirectory LOCAL
 default-group-policy VPN_Group_Policy
 dhcp-server 192.168.1.100
tunnel-group ProactiveVPN ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:30a952bee2566621fd2dcddd1afe5856
: end
asdm location ExternalGateway 255.255.255.255 inside
asdm location 72.214.13.101 255.255.255.255 inside
no asdm history enable
05-08-2012 06:32 PM
If you monitor a specific user connection, you can look at the ACL applied to their connection. Without looking any further, does the website have links to more than one IP address? Also, you can look at the route table on the connecting PC to see what traffic is being tunneled. One best practice is to not allow split tunneling.
Thanks
Alex
Sent from Cisco Technical Support iPhone App
05-09-2012 11:11 AM
Our remote VPN clients need to access a website that requires our Public IP (gateway address) for access. Split tunneling will show all remote traffic as the Gateway address.
Yes, the site has links to several IP addresses.
VPN Details
Non-secure routes = none
Secure Routes = 0.0.0.0
I will monitor the user connection and find the ACL that is blocking this action.
Thanks,
Brian Vinciguerra |VP of Technology
Audax, Inc.
Office (760) 727-4562
Cell (619) 894-0284
Fax (760) 727-4566
www.audaxcomm.net
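Alex's suggestion to check the ACL applied to the connection, and Brian's observation that the client shows "Secure Routes = 0.0.0.0", both follow from how the posted group policy is built: a tunnelspecified split-tunnel list whose only entry is "permit any" routes every client destination through the tunnel. The script below is an added example, not code from the thread or from Cisco. It parses a trimmed, constructed copy of the VPN-related lines from the posted config, works out the effective split-tunnel mode, checks whether the NAT-exemption ACL actually covers the whole address pool, and, for a tunnel-all policy, checks for the two settings an ASA needs before clients can reach the Internet back out through the outside interface (same-security-traffic permit intra-interface and a nat (outside) rule for the pool). TUNNEL_ALL_CONFIG is an assumed corrected variant for comparison; the function names and the finding wording are this example's own.

```python
"""Static audit of AnyConnect split-tunnel and NAT-exemption settings in an
ASA 8.2-style running config (added example; not from the thread or Cisco)."""
import ipaddress
import re

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed sample: the VPN-relevant lines of the posted config, trimmed.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip host 192.168.1.100 192.168.100.0 255.255.255.192
access-list Split_Tunnel_List remark Corporate network behind ASA
access-list Split_Tunnel_List standard permit any
ip local pool VPN_IP_Pool 192.168.100.10-192.168.100.200 mask 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
group-policy VPN_Group_Policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 address-pools value VPN_IP_Pool
"""

# Constructed, assumed fix: explicit tunnel-all with hairpin support and a pool-wide exemption.
TUNNEL_ALL_CONFIG = """\
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool VPN_IP_Pool 192.168.100.10-192.168.100.200 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.100.0 255.255.255.0
group-policy VPN_Group_Policy attributes
 split-tunnel-policy tunnelall
 address-pools value VPN_IP_Pool
"""


def _take_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def acl_entries(config, name):
    """Return [(action, src, dst)] for the standard or extended ACL 'name' (remarks skipped)."""
    out = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", name] or t[2] == "remark":
            continue
        if t[2] == "standard":                      # access-list N standard permit DST [MASK]
            dst, _ = _take_addr(t, 4)
            out.append((t[3], ANY, dst))
        else:                                       # access-list N extended permit PROTO SRC DST
            i = 6 if t[4] == "object-group" else 5  # skip an 'object-group NAME' protocol spec
            src, i = _take_addr(t, i)
            dst, _ = _take_addr(t, i)
            out.append((t[3], src, dst))
    return out


def pool_range(config, name):
    """First and last address of 'ip local pool NAME A-B ...'."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+)-(\S+)", config, re.M)
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))


def group_policy(config, name):
    """Indented attribute lines under 'group-policy NAME attributes' as {keyword: args}."""
    attrs, inside = {}, False
    for line in config.splitlines():
        if line.strip() == f"group-policy {name} attributes":
            inside = True
        elif inside and line.startswith(" "):
            t = line.split()
            attrs[t[0]] = t[1:]
        elif inside:
            break
    return attrs


def effective_tunnel_policy(config, policy):
    """(mode, acl): a tunnelspecified list containing 'permit any' behaves as tunnel-all."""
    attrs = group_policy(config, policy)
    mode = attrs.get("split-tunnel-policy", ["tunnelall"])[0]  # assumed: ASA default when unset
    if mode == "tunnelall":
        return mode, None
    acl = attrs["split-tunnel-network-list"][1]
    if any(a == "permit" and dst == ANY for a, _, dst in acl_entries(config, acl)):
        return "tunnelall", acl
    return mode, acl


def uncovered_pool_addresses(config, pool, nat0_acl):
    """Pool addresses that no permit entry of the NAT-exemption ACL names as a destination."""
    first, last = pool_range(config, pool)
    nets = [dst for a, _, dst in acl_entries(config, nat0_acl) if a == "permit"]
    return [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)
            if not any(ipaddress.IPv4Address(n) in net for net in nets)]


def audit(config, policy="VPN_Group_Policy", nat0_acl="inside_nat0_outbound"):
    """Findings to clear before digging into per-user ACLs."""
    findings, attrs = [], group_policy(config, policy)
    mode, acl = effective_tunnel_policy(config, policy)
    if mode == "tunnelall" and attrs.get("split-tunnel-policy") == ["tunnelspecified"]:
        findings.append(f"{acl} permits any under tunnelspecified: clients tunnel all traffic")
    if mode == "tunnelall":
        if "same-security-traffic permit intra-interface" not in config.splitlines():
            findings.append("tunnel-all needs 'same-security-traffic permit intra-interface' "
                            "for client Internet traffic to hairpin back out the outside interface")
        if not re.search(r"^nat \(outside\) ", config, re.M):
            findings.append("tunnel-all needs a 'nat (outside)' rule for the pool so hairpinned "
                            "client traffic is translated to the public address")
    gap = uncovered_pool_addresses(config, attrs["address-pools"][1], nat0_acl)
    if gap:
        findings.append(f"{len(gap)} pool addresses ({gap[0]}-{gap[-1]}) are not covered by "
                        f"{nat0_acl}, so NAT exemption does not apply to them")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_CONFIG), ("tunnel-all variant", TUNNEL_ALL_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Run against the posted lines it reports four findings: the "permit any" list is effectively tunnel-all, the two hairpin settings are absent, and the /26 in inside_nat0_outbound covers only 192.168.100.0 through .63 of a pool that hands out .10 through .200. The assumed variant, with an explicit tunnelall policy, the intra-interface permit, an outside NAT rule and a /24 exemption, comes back clean. The parser handles only the address forms the thread's ACLs use (any, host, network plus mask) and ignores object-group source or destination entries.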