Solved

ASA - No Splittunnel - Working - But no Internet

Posted on 2011-09-16
1,094 Views
Last Modified: 2013-03-12
So I have my AnyConnect clients working with split tunnel great, they get internet and private network. But I want to tunnel all traffic and that works great for private network but they don't get internet. All of my internal clients get internet via PAT on the ASA great.

I tried the default tunnel gateway but that didn't help. The default gateway assigned when connected is .1 on the /24 that I gave to the VPN remote users and no ping of that IP and no route to the net, but it works for all of my internal networks.

Parts of the config pasted below.

Thx

ASA Version 8.4(2)
!
hostname CRP-ASA-5520
names
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 11.11.11.11 255.255.255.0
 ospf cost 10
 ospf database-filter all out
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.1.5.5 255.255.255.0
 management-only
!

boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list Enterprise standard permit 10.0.0.0 255.0.0.0
access-list Enterprise standard permit 192.168.0.0 255.255.0.0
access-list Outside_cryptomap extended permit ip any object Corp-LAB-10.254.1.0
access-list Outside_cryptomap_1 extended permit ip any object Corp-LAB-10.254.1.0

arp timeout 14400
nat (Inside,Outside) source static EnterpriseNet EnterpriseNet destination static Corp-VPN-10.1.55.0 Corp-VPN-10.1.55.0
!
nat (Inside,Outside) after-auto source dynamic any Default-Nat
access-group Outside_access_in in interface Outside
!
router ospf 1
 router-id 10.1.1.1
 network 10.0.0.0 255.0.0.0 area 0
 network 192.168.0.0 255.255.0.0 area 0
 area 0 authentication message-digest
 log-adj-changes
!
route Outside 0.0.0.0 0.0.0.0 11.11.11.11 1
route Inside 10.0.0.0 255.0.0.0 10.1.1.2 1
route Inside 192.168.0.0 255.255.0.0 10.1.1.2 1
route Inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set pfs group5
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal 3DES AES AES192 AES256 DES
crypto map Outside_map 1 set ikev2 pre-shared-key *****
crypto map Outside_map 1 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ikev2 enable Outside client-services port 443
crypto ikev2 remote-access trustpoint GD
crypto ikev1 enable Outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 3
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
client-update enable
ssh timeout 5
ssh version 2
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign local
vpn-sessiondb max-other-vpn-limit 750
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
vpn load-balancing
 redirect-fqdn enable
 interface lbpublic Outside
 interface lbprivate Inside
dhcp-client update dns server both
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1
ssl trust-point GD Inside
ssl trust-point GD management
ssl trust-point GD Outside
webvpn
 enable Outside
 csd image disk0:/csd/csd_3.6.185-k9.pkg
 csd hostscan image disk0:/hostscan/hostscan_3.0.4216-k9.pkg
 csd enable
 anyconnect image disk0:/anyconnect/anyconnect-macosx-i386-3.0.3054-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect image disk0:/anyconnect/anyconnect-macosx-powerpc-2.5.3054-k9.pkg 3 regex "PPC Mac OS X"
 anyconnect image disk0:/anyconnect/anyconnect-linux-3.0.3054-k9.pkg 4 regex "Linux"
 anyconnect image disk0:/anyconnect/anyconnect-linux-64-3.0.3054-k9.pkg 5
 anyconnect image disk0:/anyconnect/anyconnect-win-3.0.3054-k9.pkg 6 regex "Windows NT"
 anyconnect profiles AC_Client_Profile_IT disk0:/anyconnect/ac_client_profile_it.xml
 anyconnect profiles AC_Client_Profile_VPN disk0:/anyconnect/ac_client_profile_vpn.xml
 anyconnect profiles NetworkAccessManager disk0:/anyconnect/networkaccessmanager.nsp
 anyconnect profiles Websecurity disk0:/anyconnect/websecurity.wsp
 anyconnect profiles Websecurity.wso disk0:/anyconnect/websecurity.wso
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
Question by:gbosko
4 Comments
 

Author Comment

by:gbosko
ID: 36554235
Think I may have figured part of it out. It seems as if I need an additional NAT rule on the outside interface for VPN tunnels, as I only have a PAT rule on the inside interface. Can anyone verify?
LVL 18

Accepted Solution

by:
jmeggers earned 1000 total points
ID: 36555365
You are correct.  You have to apply NAT on the outside for the VPN subnet.
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1000 total points
ID: 36558575
Have a look at this link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml

This describes hairpinning. This might be what you're looking for.

Author Closing Comment

by:gbosko
ID: 36570878
Hairpinning was already enabled, but the doc had the full answer of hairpinning and nat on the outside interface.
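The fix that the accepted solution and the closing comment describe, written out as an ASA 8.4 configuration fragment. This is an added example, not the asker's own config or the linked Cisco document; the object name VPN_POOL and its subnet 10.99.99.0/24 are assumptions standing in for the asker's real AnyConnect pool, which the page does not show.

```cisco
! Assumed: the AnyConnect address pool handed out by the tunnel-group.
! Replace 10.99.99.0/24 with the real /24 the asker gives to remote users.
object network VPN_POOL
 subnet 10.99.99.0 255.255.255.0
!
! Hairpinning: a full-tunnel client's Internet traffic enters on Outside
! and must leave on Outside again. The asker's config already has this
! line; without it the NAT rule below is never reached.
same-security-traffic permit intra-interface
!
! Section 1 (twice NAT, no "after-auto"): keep VPN-to-inside traffic
! untranslated so clients reach 10.0.0.0/8 and 192.168.0.0/16 by their
! real addresses. EnterpriseNet is the asker's existing object.
nat (Inside,Outside) source static EnterpriseNet EnterpriseNet destination static VPN_POOL VPN_POOL
!
! The missing piece: PAT the VPN pool behind the Outside interface address
! for flows that enter on Outside and leave on Outside. The asker's
! existing "nat (Inside,Outside) after-auto source dynamic any Default-Nat"
! only matches flows that ingress on Inside, so hairpinned VPN traffic had
! no translation and was dropped before reaching the Internet.
nat (Outside,Outside) after-auto source dynamic VPN_POOL interface
```

To confirm the rule is hit, run `packet-tracer input Outside tcp 10.99.99.10 1025 198.51.100.1 80` (addresses constructed) and check that the NAT phase translates the source to the Outside interface address and the result shows output-interface Outside with action allow.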
