Solved

Cisco ASA 5504, anyconnect, Internet access

Posted on 2008-11-12
1,055 Views
Last Modified: 2012-05-05
Attempting to set up an SSL VPN connection that will coexist with IPsec VPN clients.

The clients connect but cannot browse their local Internet. They can, however, access internal resources including internal websites.

Default gateway on the client is all zeros.

I have searched and searched and tried many options, but I cannot get this to work. Before I call Cisco for config assistance, I thought I would give this a try. The pertinent configuration is included in this post. Does anyone have an idea what is wrong? The IPsec clients work fine.
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.192 standby xx.xx.xx.xx
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.15.1.4 255.255.255.0 standby 10.15.1.5 
 
object-group network VPNNetworks
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
 
object-group network vpn_clients
 network-object 10.15.16.0 255.255.255.0
 network-object 10.15.17.0 255.255.255.0
 network-object 10.15.18.0 255.255.255.0
 network-object 10.15.19.0 255.255.255.0
 network-object 10.15.20.0 255.255.255.0
 
object-group network tunnel
 network-object 10.0.0.0 255.0.0.0
 network-object 12.41.97.96 255.255.255.240
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
 
access-list stunnel extended permit ip object-group VPNNetworks object-group vpn_clients 
access-list stunnel extended permit ip 172.16.0.0 255.255.0.0 object-group vpn_clients 
 
ip local pool ippool_soft 10.15.16.1-10.15.20.254
 
webvpn
 enable Outside
 svc image disk0:/anyconnect-win-2.2.0136-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.2.0136-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.2.0136-k9.pkg 3
 svc enable
 tunnel-group-list enable
 
 
group-policy telecommuters internal
group-policy telecommuters attributes
 wins-server value 10.15.2.150 10.21.2.150
 dns-server value 10.15.2.150 10.21.2.150
 vpn-idle-timeout 240
 vpn-tunnel-protocol svc webvpn
 split-tunnel-network-list value stunnel
 default-domain value mm.prv
 split-dns value mm.prv
 webvpn       
  svc dtls enable
  svc dpd-interval client 10
  svc dpd-interval gateway 30
  svc compression none
  svc ask enable default webvpn timeout 10
 
tunnel-group telecommuters type remote-access
 
tunnel-group telecommuters general-attributes
 address-pool ippool_soft
 authentication-server-group mm-vpn LOCAL
 authentication-server-group (Outside) mm-vpn
 accounting-server-group mm-vpn
 default-group-policy telecommuters
 
tunnel-group telecommuters webvpn-attributes
 group-alias telecommuters enable
 
tunnel-group telecommuters ipsec-attributes
 pre-shared-key *


Question by:lan78
3 Comments
 
LVL 15

Accepted Solution

by:
bignewf earned 2000 total points
ID: 22972919
Hello, lan78

Your split-tunnel config looks correct for your network object groups, and I see your ACLs are linked to your group policy ("split-tunnel-network-list value stunnel").

What you might want to check, and it is easier to see in the ASDM GUI, is to make sure the DefaultWEBVPNGroup (if you are using this group for your SSL VPN clients) is inheriting the group policy that your split-tunnel networks are configured for.

I have found in different models of the ASA that, even though the CLI is correct, I re-check the ASDM to see if the config is duplicated there. Cisco has advised me there are issues with the CLI being out of sync with the ASDM. I actually had an issue where my access-lists stopped working in a 5510; Cisco stated the CLI was correctly configured, and as it turned out, the ASDM did not have all the same access lists!

This sounds silly, but it's worth an extra few minutes.
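An added example, not code from the question or from the accepted answer: a small offline audit in Python that walks the same chain bignewf describes (tunnel-group to its default group policy to the split-tunnel network list to the ACL it names) over a pasted ASA running-config. It relies on one ASA behaviour: split-tunnel-policy defaults to tunnelall, so a split-tunnel-network-list only takes effect once the policy is set to tunnelspecified or excludespecified, and a group policy that names a list without setting the policy still tunnels everything, which produces exactly the "internal hosts work, local Internet does not" symptom. The sample config is a trimmed copy of the one posted; the function names, the finding text and the extra tunnelspecified line in FIXED_CONFIG are this example's own assumptions.

```python
"""Added example: audit the split-tunnel chain in an ASA config.

Parses the ASA's indented block layout, then checks for each tunnel-group
that its default group policy exists, permits AnyConnect, and that any
split-tunnel-network-list it names is actually honoured and refers to a
defined access-list.  Not from the original post.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the config posted in the question.
SAMPLE_CONFIG = """\
access-list stunnel extended permit ip object-group VPNNetworks object-group vpn_clients
access-list stunnel extended permit ip 172.16.0.0 255.255.0.0 object-group vpn_clients
ip local pool ippool_soft 10.15.16.1-10.15.20.254
webvpn
 enable Outside
 svc enable
 tunnel-group-list enable
group-policy telecommuters internal
group-policy telecommuters attributes
 vpn-tunnel-protocol svc webvpn
 split-tunnel-network-list value stunnel
 default-domain value mm.prv
tunnel-group telecommuters type remote-access
tunnel-group telecommuters general-attributes
 address-pool ippool_soft
 default-group-policy telecommuters
"""

# Same config with split-tunnel-policy set explicitly (this example's addition).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " split-tunnel-network-list value stunnel\n",
    " split-tunnel-policy tunnelspecified\n split-tunnel-network-list value stunnel\n",
)


def parse_blocks(config_text):
    """Group an ASA config into {top-level line: [stripped indented child lines]}."""
    blocks = defaultdict(list)
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def audit_split_tunnel(config_text):
    """Return a list of findings; an empty list means the chain is complete."""
    blocks = parse_blocks(config_text)
    findings = []
    acl_names = {top.split()[1] for top in blocks if top.startswith("access-list ")}
    policies = {}
    for top, children in blocks.items():
        m = re.match(r"group-policy (\S+) attributes$", top)
        if m:
            policies[m.group(1)] = children

    for top, children in blocks.items():
        m = re.match(r"tunnel-group (\S+) general-attributes$", top)
        if not m:
            continue
        tg = m.group(1)
        default = next((c.split()[1] for c in children
                        if c.startswith("default-group-policy ")), None)
        if default is None:
            findings.append(f"tunnel-group {tg}: no default-group-policy, inherits DfltGrpPolicy")
            continue
        if default not in policies:
            findings.append(f"tunnel-group {tg}: default-group-policy {default} is not defined")
            continue
        attrs = policies[default]
        # 'svc' is the 8.x keyword; newer releases spell it 'ssl-client'.
        protos = next((c.split()[1:] for c in attrs
                       if c.startswith("vpn-tunnel-protocol ")), [])
        if "svc" not in protos and "ssl-client" not in protos:
            findings.append(f"group-policy {default}: vpn-tunnel-protocol does not allow AnyConnect")
        policy = next((c.split()[1] for c in attrs
                       if c.startswith("split-tunnel-policy ")), "tunnelall")
        netlist = next((c.split()[2] for c in attrs
                        if c.startswith("split-tunnel-network-list value ")), None)
        if netlist and policy == "tunnelall":
            findings.append(f"group-policy {default}: split-tunnel-network-list {netlist} is set "
                            "but split-tunnel-policy is tunnelall (the default), so all traffic is tunnelled")
        if netlist and netlist not in acl_names:
            findings.append(f"group-policy {default}: split-tunnel-network-list {netlist} "
                            "names an access-list that does not exist")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "->", audit_split_tunnel(cfg) or ["no findings"])
```

Run it against a `show running-config` dump to get the findings list; the checks are independent, so a missing ACL and a tunnelall default are reported separately, and a clean config returns an empty list.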
 

Author Closing Comment

by:lan78
ID: 31516220
I called Cisco and the above response is exactly what the issue was.

It had to be done in ASDM and I did this through the CLI.

Thanks, problem is solved.
 
LVL 15

Expert Comment

by:bignewf
ID: 22973181
Glad I could help.  

Good Luck