Cisco ASA 5504, anyconnect, Internet access

Posted on 2008-11-12
Last Modified: 2012-05-05
Attempting to setup SSL VPN connection that will coexist with IPSEC VPN clients.

The clients connect but cannot browse their local internet. They can, however, access internal resources including internal websites.

Default gateway on the client is all zeros.

I have searched and searched and tried many options but I cannot get this to work. Before I call Cisco for config assistance, I thought I would give this a try. The pertinent configuration is included in this post. Does anyone have an idea what is wrong? The IPsec clients work fine.
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address xx.xx.xx.xx standby xx.xx.xx.xx
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address standby
!
object-group network VPNNetworks
object-group network vpn_clients
object-group network tunnel
!
! split-tunnel list referenced by group-policy telecommuters
access-list stunnel extended permit ip object-group VPNNetworks object-group vpn_clients
access-list stunnel extended permit ip object-group vpn_clients
!
! address pool handed to AnyConnect clients
ip local pool ippool_soft
!
! global SSL VPN settings
webvpn
 enable Outside
 svc image disk0:/anyconnect-win-2.2.0136-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.2.0136-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.2.0136-k9.pkg 3
 svc enable
 tunnel-group-list enable
!
group-policy telecommuters internal
group-policy telecommuters attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 240
 vpn-tunnel-protocol svc webvpn
 split-tunnel-network-list value stunnel
 default-domain value mm.prv
 split-dns value mm.prv
 webvpn
  svc dtls enable
  svc dpd-interval client 10
  svc dpd-interval gateway 30
  svc compression none
  svc ask enable default webvpn timeout 10
!
tunnel-group telecommuters type remote-access
tunnel-group telecommuters general-attributes
 address-pool ippool_soft
 authentication-server-group mm-vpn LOCAL
 authentication-server-group (Outside) mm-vpn
 accounting-server-group mm-vpn
 default-group-policy telecommuters
tunnel-group telecommuters webvpn-attributes
 group-alias telecommuters enable
tunnel-group telecommuters ipsec-attributes
 pre-shared-key *

Question by:lan78
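One thing worth checking against the posted group-policy before opening a TAC case: it carries a split-tunnel-network-list but no split-tunnel-policy line. On the ASA that setting defaults to tunnelall, in which case the network list is ignored and every client packet, Internet traffic included, is sent down the tunnel, which matches the symptom above. The second stunnel entry is also missing its destination. The script below is an added example, not code from the post or from Cisco: a small audit that reads an ASA running-config excerpt and reports both problems. The two sample configs inside it are constructed for illustration (RFC 5737 addresses); the fixed variant adds split-tunnel-policy tunnelspecified and rewrites the list as a standard ACL naming the networks to be tunnelled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example (not from the post): audit an ASA running-config excerpt for
# the split-tunnel mistakes that leave SSL VPN users with internal access but
# no Internet. Sample configs below are constructed; addresses are RFC 5737.

ACE_RE = re.compile(r"^access-list (\S+) (standard|extended) (permit|deny)\s*(.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each column-0 command to its indented sub-mode lines.

    Nested sub-modes (e.g. 'webvpn' under group-policy attributes) are kept
    as children of the same top-level command; '!' lines are comments.
    """
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def _take_addr(tokens: List[str], i: int) -> Optional[int]:
    """Consume one ACE address spec at tokens[i]; None if absent or incomplete."""
    if i >= len(tokens):
        return None
    if tokens[i] in ("any", "any4", "any6"):
        return i + 1
    if tokens[i] in ("host", "object", "object-group") or IPV4_RE.match(tokens[i]):
        return i + 2 if i + 1 < len(tokens) else None  # keyword+name or net+mask
    return None


def ace_is_complete(kind: str, rest: str) -> bool:
    """True when an ACE (the text after permit/deny) has every required field."""
    tokens = rest.split()
    if kind == "standard":                      # <net> <mask> | host <ip> | any
        return _take_addr(tokens, 0) == len(tokens)
    after_src = _take_addr(tokens, 1)           # <proto> <src> <dst> [ports]
    return after_src is not None and _take_addr(tokens, after_src) is not None


def audit_split_tunnel(config: str) -> List[str]:
    """Return findings for every group-policy that references a split-tunnel list."""
    findings: List[str] = []
    acls: Dict[str, List[Tuple[str, str]]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(4)))

    for cmd, sub in parse_blocks(config).items():
        m = re.match(r"^group-policy (\S+) attributes$", cmd)
        if not m:
            continue
        gp = m.group(1)
        policy = next((s.split()[1] for s in sub if s.startswith("split-tunnel-policy ")), None)
        acl = next((s.split()[2] for s in sub if s.startswith("split-tunnel-network-list value ")), None)
        if acl is None:
            continue                            # no split tunnelling: nothing to check
        if policy in (None, "tunnelall"):
            how = "ASA default" if policy is None else "explicit"
            findings.append(f"{gp}: split-tunnel-network-list {acl} is set but the policy is "
                            f"tunnelall ({how}); the list is ignored and all client traffic, "
                            f"Internet included, goes into the tunnel")
        if acl not in acls:
            findings.append(f"{gp}: split-tunnel ACL {acl} is referenced but never defined")
            continue
        for kind, rest in acls[acl]:
            if not ace_is_complete(kind, rest):
                findings.append(f"{gp}: ACL {acl} has an incomplete {kind} entry: '{rest}'")
    return findings


WEAK_CONFIG = """\
! constructed sample modelled on the question
object-group network VPNNetworks
 network-object 192.0.2.0 255.255.255.0
object-group network vpn_clients
 network-object 198.51.100.0 255.255.255.0
access-list stunnel extended permit ip object-group VPNNetworks object-group vpn_clients
access-list stunnel extended permit ip object-group vpn_clients
group-policy telecommuters internal
group-policy telecommuters attributes
 vpn-tunnel-protocol svc webvpn
 split-tunnel-network-list value stunnel
 webvpn
  svc dtls enable
"""

FIXED_CONFIG = """\
! same sample with the policy set and a standard ACL naming the tunnelled networks
access-list stunnel standard permit 192.0.2.0 255.255.255.0
group-policy telecommuters internal
group-policy telecommuters attributes
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value stunnel
"""
```

Paste the output of show running-config into a string and call audit_split_tunnel on it; an empty list means the checks passed. The audit only looks at lines written explicitly under each group-policy, so values inherited from DfltGrpPolicy are not modelled; show running-config all group-policy telecommuters prints the effective values, defaults included, and is the thing to compare against.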

    Accepted Solution

    Hello, lan78

    Your split-tunnel config looks correct for your network object groups, and I see your ACLs are linked to your group policy ("split-tunnel-network-list value stunnel").

    What you might want to check, and it is easier to see in the ASDM GUI, is to make sure the DefaultWEBVPNGroup (if you are using this group for your SSL VPN clients) is inheriting the group policy that your split-tunnel networks are configured for.

    I have found in different models of the ASA that, even though the CLI is correct, I re-check the ASDM to see if the config is duplicated there. Cisco has advised me there are issues with the CLI being out of sync with the ASDM. I actually had an issue where my access-lists stopped working in a 5510; Cisco stated the CLI was correctly configured, and as it turned out, the ASDM did not have all the same access lists!

    This sounds silly, but it's worth an extra few minutes.

    Author Closing Comment

    I called Cisco and the above response is exactly what the issue was.

    It had to be done in ASDM and I did this through the CLI.

    Thanks, problem is solved.

    Expert Comment

    Glad I could help.  

    Good Luck
