Solved

ASA - No Splittunnel - Working - But no Internet

Posted on 2011-09-16
Last Modified: 2013-03-12
So I have my AnyConnect clients working with split tunnel great; they get internet and the private network. But I want to tunnel all traffic, and that works great for the private network, but they don't get internet. All of my internal clients get internet via PAT on the ASA, great.

I tried the default tunnel gateway, but that didn't help. The default gateway assigned when connected is .1 on the /24 that I gave to the VPN remote users, and there is no ping of that IP and no route to the net, but it works for all of my internal networks.

Parts of the config pasted below.

Thx

ASA Version 8.4(2)
!
hostname CRP-ASA-5520
names
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 11.11.11.11 255.255.255.0
 ospf cost 10
 ospf database-filter all out
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.1.5.5 255.255.255.0
 management-only
!

boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list Enterprise standard permit 10.0.0.0 255.0.0.0
access-list Enterprise standard permit 192.168.0.0 255.255.0.0
access-list Outside_cryptomap extended permit ip any object Corp-LAB-10.254.1.0
access-list Outside_cryptomap_1 extended permit ip any object Corp-LAB-10.254.1.0

arp timeout 14400
nat (Inside,Outside) source static EnterpriseNet EnterpriseNet destination static Corp-VPN-10.1.55.0 Corp-VPN-10.1.55.0
!
nat (Inside,Outside) after-auto source dynamic any Default-Nat
access-group Outside_access_in in interface Outside
!
router ospf 1
 router-id 10.1.1.1
 network 10.0.0.0 255.0.0.0 area 0
 network 192.168.0.0 255.255.0.0 area 0
 area 0 authentication message-digest
 log-adj-changes
!
route Outside 0.0.0.0 0.0.0.0 11.11.11.11 1
route Inside 10.0.0.0 255.0.0.0 10.1.1.2 1
route Inside 192.168.0.0 255.255.0.0 10.1.1.2 1
route Inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set pfs group5
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal 3DES AES AES192 AES256 DES
crypto map Outside_map 1 set ikev2 pre-shared-key *****
crypto map Outside_map 1 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ikev2 enable Outside client-services port 443
crypto ikev2 remote-access trustpoint GD
crypto ikev1 enable Outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 3
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
client-update enable
ssh timeout 5
ssh version 2
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign local
vpn-sessiondb max-other-vpn-limit 750
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
vpn load-balancing
 redirect-fqdn enable
 interface lbpublic Outside
 interface lbprivate Inside
dhcp-client update dns server both
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1
ssl trust-point GD Inside
ssl trust-point GD management
ssl trust-point GD Outside
webvpn
 enable Outside
 csd image disk0:/csd/csd_3.6.185-k9.pkg
 csd hostscan image disk0:/hostscan/hostscan_3.0.4216-k9.pkg
 csd enable
 anyconnect image disk0:/anyconnect/anyconnect-macosx-i386-3.0.3054-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect image disk0:/anyconnect/anyconnect-macosx-powerpc-2.5.3054-k9.pkg 3 regex "PPC Mac OS X"
 anyconnect image disk0:/anyconnect/anyconnect-linux-3.0.3054-k9.pkg 4 regex "Linux"
 anyconnect image disk0:/anyconnect/anyconnect-linux-64-3.0.3054-k9.pkg 5
 anyconnect image disk0:/anyconnect/anyconnect-win-3.0.3054-k9.pkg 6 regex "Windows NT"
 anyconnect profiles AC_Client_Profile_IT disk0:/anyconnect/ac_client_profile_it.xml
 anyconnect profiles AC_Client_Profile_VPN disk0:/anyconnect/ac_client_profile_vpn.xml
 anyconnect profiles NetworkAccessManager disk0:/anyconnect/networkaccessmanager.nsp
 anyconnect profiles Websecurity disk0:/anyconnect/websecurity.wsp
 anyconnect profiles Websecurity.wso disk0:/anyconnect/websecurity.wso
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
Question by: gbosko

Author Comment

by: gbosko
ID: 36554235
Think I may have figured part of it out. It seems I need an additional NAT rule on the outside interface for VPN tunnels, as I only have a PAT rule on the inside interface. Can anyone verify?
Accepted Solution

by: jmeggers (earned 250 total points)
ID: 36555365
You are correct. You have to apply NAT on the outside for the VPN subnet.
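As an added example (not from the thread or from Cisco's documentation), this is the ASA 8.4-style configuration that implements the accepted answer: let decrypted VPN traffic leave on the interface it arrived on, and PAT the AnyConnect pool behind the Outside address. It assumes the AnyConnect pool is 10.1.55.0/24 (matching the object name Corp-VPN-10.1.55.0 referenced in the pasted identity-NAT line) and that the existing identity NAT for the internal networks stays in place; the object name VPN-POOL-10.1.55.0 and the client/destination addresses in the verification step are made up for the example.

```cisco
! Added example: hairpin full-tunnel AnyConnect clients back out Outside (ASA 8.4 syntax).
! Assumes the AnyConnect address pool is 10.1.55.0/24, as the object name
! Corp-VPN-10.1.55.0 in the pasted identity-NAT line suggests.
!
! 1. Allow traffic to enter and leave on the same interface (already present in the
!    pasted config; shown here because hairpinning depends on it).
same-security-traffic permit intra-interface
!
! 2. Object covering the real (pool) addresses of the AnyConnect clients.
object network VPN-POOL-10.1.55.0
 subnet 10.1.55.0 255.255.255.0
!
! 3. PAT the pool behind the Outside interface address for Outside -> Outside flows.
!    The existing "nat (Inside,Outside) after-auto source dynamic any Default-Nat"
!    never matches, because the clients' real interface is Outside, not Inside.
nat (Outside,Outside) after-auto source dynamic VPN-POOL-10.1.55.0 interface
!
! The identity NAT already in the config keeps VPN <-> internal traffic untranslated.
! It is a section-1 (manual) rule, so it is evaluated before the after-auto rule above:
!   nat (Inside,Outside) source static EnterpriseNet EnterpriseNet destination static Corp-VPN-10.1.55.0 Corp-VPN-10.1.55.0
!
! 4. Verify from exec mode. 10.1.55.10 stands for a connected client and
!    198.51.100.1 is a documentation address standing in for any Internet host.
!    The NAT phase should pick the (Outside,Outside) rule and the output interface
!    should be Outside; "show xlate" should then list a PAT entry for the client.
packet-tracer input Outside icmp 10.1.55.10 8 0 198.51.100.1
show nat
show xlate
```

If the `route Inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled` line from the pasted config is still present, remove it: a tunneled default route overrides the normal default route for traffic arriving from VPN tunnels, so Internet-bound client traffic is sent toward Inside (with the ASA's own Inside address as next hop) instead of back out Outside.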
Assisted Solution

by: Ernie Beek (earned 250 total points)
ID: 36558575
Have a look at this link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml

This describes hairpinning. This might be what you're looking for.

Author Closing Comment

by:gbosko
ID: 36570878
Hairpinning was already enabled, but the doc had the full answer of hairpinning and NAT on the outside interface.
