Cisco ASA 5504, anyconnect, Internet access

Attempting to set up an SSL VPN connection that will coexist with IPsec VPN clients.

The clients connect but cannot browse their local internet. They can however access internal resources including internal websites.

Default gateway on the client is all zeros.

I have searched and searched and tried many options but I cannot get this to work. Before I call Cisco for config assistance, I thought I would give this a try. The pertinent configuration is included in this post. Does anyone have an idea what is wrong? And the IPsec clients work fine.

interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.192 standby xx.xx.xx.xx
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.15.1.4 255.255.255.0 standby 10.15.1.5 
 
object-group network VPNNetworks
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
 
object-group network vpn_clients
 network-object 10.15.16.0 255.255.255.0
 network-object 10.15.17.0 255.255.255.0
 network-object 10.15.18.0 255.255.255.0
 network-object 10.15.19.0 255.255.255.0
 network-object 10.15.20.0 255.255.255.0
 
object-group network tunnel
 network-object 10.0.0.0 255.0.0.0
 network-object 12.41.97.96 255.255.255.240
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
 
access-list stunnel extended permit ip object-group VPNNetworks object-group vpn_clients 
access-list stunnel extended permit ip 172.16.0.0 255.255.0.0 object-group vpn_clients 
 
ip local pool ippool_soft 10.15.16.1-10.15.20.254
 
webvpn
 enable Outside
 svc image disk0:/anyconnect-win-2.2.0136-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.2.0136-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.2.0136-k9.pkg 3
 svc enable
 tunnel-group-list enable
 
 
group-policy telecommuters internal
group-policy telecommuters attributes
 wins-server value 10.15.2.150 10.21.2.150
 dns-server value 10.15.2.150 10.21.2.150
 vpn-idle-timeout 240
 vpn-tunnel-protocol svc webvpn
 split-tunnel-network-list value stunnel
 default-domain value mm.prv
 split-dns value mm.prv
 webvpn       
  svc dtls enable
  svc dpd-interval client 10
  svc dpd-interval gateway 30
  svc compression none
  svc ask enable default webvpn timeout 10
 
tunnel-group telecommuters type remote-access
 
tunnel-group telecommuters general-attributes
 address-pool ippool_soft
 authentication-server-group mm-vpn LOCAL
 authentication-server-group (Outside) mm-vpn
 accounting-server-group mm-vpn
 default-group-policy telecommuters
 
tunnel-group telecommuters webvpn-attributes
 group-alias telecommuters enable
 
tunnel-group telecommuters ipsec-attributes
 pre-shared-key *


lan78Asked:

bignewfCommented:
Hello, lan78

Your split-tunnel config looks correct for your network object groups, and I see your ACLs are linked to your group policy ("split-tunnel-network-list value stunnel").

What you might want to check, and it is easier to see in the ASDM gui, is to make sure the defaultwebvpngroup (if you are using this group for your SSL VPN clients) is inheriting the group policy that your split-tunnel networks are configured for.

I have found in different models of the ASA that, even though the CLI is correct, I re-check the ASDM to see if the config is duplicated there. Cisco has advised me there are issues with the CLI being out of sync with the ASDM. I actually had an issue where my access-lists stopped working in a 5510; Cisco stated the CLI was correctly configured, and as it turned out, the ASDM did not have all the same access lists!

This sounds silly, but it's worth an extra few minutes
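One way to check the points raised in this answer against the running-config text, as an added example that is not code from the thread or from Cisco: a Python script that parses the access-list, pool, group-policy and tunnel-group stanzas and verifies that the tunnel-group's default-group-policy exists, that the policy's split-tunnel-network-list names a defined ACL, and that the address pool is defined. It also reports when split-tunnel-policy is absent, because the ASA defaults that setting to tunnelall, in which case the network list is not applied (a behaviour the thread does not mention). The sample input is the question's own stanzas, abridged. The script only reads CLI text, so it cannot detect the CLI/ASDM mismatch described above.

```python
"""Sanity-check ASA remote-access split-tunnel wiring from running-config text.

Added example (not code from the thread or from Cisco). It parses CLI
stanzas as text; it cannot see the ASDM-side state discussed above.
"""
import re

# Sample input: the access-list, pool, group-policy and tunnel-group lines
# from the question above, abridged (interfaces and object-groups omitted).
SAMPLE_CONFIG = """\
access-list stunnel extended permit ip object-group VPNNetworks object-group vpn_clients
access-list stunnel extended permit ip 172.16.0.0 255.255.0.0 object-group vpn_clients
ip local pool ippool_soft 10.15.16.1-10.15.20.254
group-policy telecommuters internal
group-policy telecommuters attributes
 dns-server value 10.15.2.150 10.21.2.150
 vpn-tunnel-protocol svc webvpn
 split-tunnel-network-list value stunnel
 default-domain value mm.prv
tunnel-group telecommuters type remote-access
tunnel-group telecommuters general-attributes
 address-pool ippool_soft
 default-group-policy telecommuters
"""


def parse_blocks(config_text):
    """Split config text into (header, [sub-lines]) pairs.

    A line at column 0 opens a block; indented lines belong to the block
    opened most recently. Blank lines and '!' separators are skipped.
    """
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _grab(body, pattern):
    """Return the first capture group of `pattern` found in a block body, or None."""
    for line in body:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None


def check_split_tunnel(config_text):
    """Return a list of findings; an empty list means the wiring looks consistent."""
    acls, pools, policies, tunnel_groups = set(), set(), {}, {}
    for header, body in parse_blocks(config_text):
        words = header.split()
        if words[0] == "access-list":
            acls.add(words[1])
        elif header.startswith("ip local pool "):
            pools.add(words[3])
        elif words[0] == "group-policy" and words[-1] == "attributes":
            policies[words[1]] = {
                "network_list": _grab(body, r"split-tunnel-network-list value (\S+)"),
                "policy": _grab(body, r"split-tunnel-policy (\S+)"),
            }
        elif words[0] == "tunnel-group" and words[-1] == "general-attributes":
            tunnel_groups[words[1]] = {
                "group_policy": _grab(body, r"default-group-policy (\S+)"),
                "pool": _grab(body, r"address-pool (\S+)"),
            }

    findings = []
    for tg, attrs in tunnel_groups.items():
        gp = attrs["group_policy"]
        if gp is None:
            findings.append(f"tunnel-group {tg}: no default-group-policy, so DfltGrpPolicy applies")
            continue
        if gp not in policies:
            findings.append(f"tunnel-group {tg}: default-group-policy {gp} has no attributes stanza")
            continue
        if attrs["pool"] not in pools:
            findings.append(f"tunnel-group {tg}: address-pool {attrs['pool']} is not a defined ip local pool")
        net_list = policies[gp]["network_list"]
        mode = policies[gp]["policy"]
        if net_list is None:
            findings.append(f"group-policy {gp}: no split-tunnel-network-list, all client traffic is tunnelled")
        elif net_list not in acls:
            findings.append(f"group-policy {gp}: split-tunnel-network-list {net_list} names an undefined access-list")
        elif mode is None:
            # The ASA default for split-tunnel-policy is tunnelall, so the network
            # list has no effect until tunnelspecified (or excludespecified) is set.
            findings.append(f"group-policy {gp}: split-tunnel-policy not set (default tunnelall), so {net_list} is ignored")
        elif mode == "tunnelall":
            findings.append(f"group-policy {gp}: split-tunnel-policy tunnelall ignores {net_list}")
    return findings


if __name__ == "__main__":
    for line in check_split_tunnel(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run it against `show running-config` output saved to a file by reading that file into `check_split_tunnel` instead of `SAMPLE_CONFIG`; every tunnel-group with a general-attributes stanza is checked, not only the one in the thread.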

lan78Author Commented:
I called Cisco and the above response is exactly what the issue was.

It had to be done in ASDM and I did this through CLI.

Thanks, problem is solved.
bignewfCommented:
Glad I could help.  

Good Luck