Problems with AnyConnect on an ASA 5510, Ver. 8.4(2)

juanchisv
Hello Techs,

I'm new to the Cisco ASA stuff, but I'm trying to set up AnyConnect with an ASA 5510. The problem is that I can't get out to the internet or access any server.
First of all, I can connect to the VPN with a user created in the ASA and I get an IP from the ASA (which is good too). My problem is that the default gateway showing for the VPN is (I'm not sure why), and when I try to ping my servers, which are in the subnet, I get time-outs.
I'm not sure if something is missing in my config; please advise.

asa01# show run
: Saved
ASA Version 8.4(2)
hostname asa01
enable password 7xElFFjIAHUx9Pr encrypted
passwd 2KFQnDDD.dI.2KYOU encrypted
interface Ethernet0/0
 nameif OutSide
 security-level 0
 ip address 6X.XXX.XX.140
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
banner motd           ** WARNING **
banner motd Unauthorized access prohibited. all access is
banner motd monitored, and trespassers shall be prosecuted
banner motd to the fullest extent of the law. 
ftp mode passive
dns server-group DefaultDNS
object network TC_10.10.12.0
object network VPN_10.10.25.0
object network ANY-
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended deny ip any any log
access-list splittunnel standard permit
pager lines 24
mtu OutSide 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpnpool
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,OutSide) source static TC_10.10.12.0 TC_10.10.12.0 destination static VPN_10.10.25.0 VPN_10.10.25.0
object network ANY-
 nat (inside,OutSide) dynamic interface
access-group outside-in in interface OutSide
route OutSide 6X.XXX.XX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http redirect OutSide 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint localtrust
 enrollment self
 keypair webvpn
 crl configure
crypto ca certificate chain localtrust
 certificate 123d7c4e
    30820217 30820180 a0030201 02020412 3d7c4e30 0d06092a 864886f7 0d010105
    05003050 31233021 06035504 03131a77 65627670 6e2e7468 65746963 6b657463
    6c696e69 632e636f 6d312930 2706092a 864886f7 0d010902 161a7765 6276706e
    2e746865 7469636b 6574636c 696e6963 2e636f6d 301e170d 31313039 32333039
    35313038 5a170d32 31303932 30303935 3130385a 30503123 30210603 55040313
    1a776562 76706e2e 74686574 69636b65 74636c69 6e69632e 636f6d31 29302706
    d71ea3b8 1d49c87b b23e0db7 4bd6ac4b c728d399 99904978 a0795e02 04997d4d
    c3686a5a 9ddf0f20 5f9b2da3 1b8f010c 489b867f 991bd31c f520e6
telnet timeout 5
ssh OutSide
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust OutSide
webvpn
 enable OutSide
 anyconnect image disk0:/anyconnect-dart-win-2.5.3051-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy AnyConnect-Policy internal
group-policy AnyConnect-Policy attributes
 dns-server value
 vpn-tunnel-protocol ssl-client ssl-clientless
  anyconnect keep-installer installed
  anyconnect ask enable default anyconnect timeout 20
username asa01 password 4FuE2Xuw1DD9F60 encrypted
username ssluser1 password 1ZUfK6gDDTDib encrypted
username ssluser1 attributes
 service-type remote-access
tunnel-group TCVPNUsers type remote-access
tunnel-group TCVPNUsers general-attributes
 address-pool vpnpool
 default-group-policy AnyConnect-Policy
tunnel-group TCVPNUsers webvpn-attributes
 group-alias sslgroup_users enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

John Meggers, Network Architect
So first, for internet access, you need to NAT traffic coming in from the outside in the VPN to "hairpin" back out the outside interface.  For that you need:

same-security-traffic permit intra-interface

object network VPN_10.10.25.0
 nat (OutSide,OutSide) dynamic interface

Regarding access to the inside devices, what are those devices using as their default gateway?  What I'm getting at is -- do they know where the VPN address pool is located?  You've done the "no NAT" command to keep traffic from the inside to the VPN subnet from being NATed, so that's good, that is required.  Looking for what else might be the cause.
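The hairpin setup described in this answer, written out in full for the names used in the posted config, as an added example that is not part of John Meggers's reply or the original post. The pool range, the two `subnet` lines and the server address used in the checks are assumptions (the page only shows the pool as 10.10.25.0/24 and the LAN as 10.10.12.0/24 through the object names and has the actual values redacted); adjust them to the real addressing.

```cisco
! Added example, not from the original thread. Assumed values:
! AnyConnect pool 10.10.25.10-10.10.25.200 inside 10.10.25.0/24,
! LAN 10.10.12.0/24. Replace with the real ones.
ip local pool vpnpool 10.10.25.10-10.10.25.200 mask 255.255.255.0

object network VPN_10.10.25.0
 subnet 10.10.25.0 255.255.255.0
object network TC_10.10.12.0
 subnet 10.10.12.0 255.255.255.0

! 1. Decrypted AnyConnect traffic enters on OutSide. To reach the
!    Internet it must leave through OutSide again; this is refused
!    unless intra-interface traffic is permitted.
same-security-traffic permit intra-interface

! 2. Hairpin PAT for the clients' Internet traffic (object NAT,
!    evaluated in section 2, i.e. after the twice-NAT rule in step 3,
!    so VPN-to-LAN traffic is never rewritten to the OutSide address).
object network VPN_10.10.25.0
 nat (OutSide,OutSide) dynamic interface

! 3. NAT exemption between the LAN and the pool, section 1 (already in
!    the posted config; repeated here so the example is complete).
nat (inside,OutSide) source static TC_10.10.12.0 TC_10.10.12.0 destination static VPN_10.10.25.0 VPN_10.10.25.0

! Interface ACLs are bypassed for VPN traffic because
! "sysopt connection permit-vpn" is on by default and the posted config
! does not disable it, so the "deny ip any any log" on outside-in does
! not apply to the decrypted packets.

! Checks: the identity rule should accumulate translate_hits and
! untranslate_hits as clients talk to the LAN; the (OutSide,OutSide)
! rule should accumulate hits only for Internet-bound traffic.
show nat detail
show vpn-sessiondb anyconnect

! Alternative: the posted config defines "access-list splittunnel" but
! never applies it, so everything is tunneled. Applying it makes only
! the listed subnets use the tunnel and step 2 becomes unnecessary.
! Caveat: a split-tunneled client is reachable from its local network
! and from yours at the same time; decide that deliberately.
access-list splittunnel standard permit 10.10.12.0 255.255.255.0
group-policy AnyConnect-Policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
```

Apply either the hairpin rule (full tunnel) or the split-tunnel attributes, not both halves by accident: with split tunneling in place the clients' Internet traffic never reaches the ASA, so a still-present (OutSide,OutSide) rule simply shows zero hits.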


Hello jmeggers,

Thanks for your quick response.
Internet is working but really slow (I'm using my DNS servers; should I use the ISP DNS instead?).

I currently have 3 devices in the datacenter: router, ASA and switch. Originally everything is using the router to get to the internet, and I'm using the router for all ACLs, which I'd like to move to the ASA. From the ASA I can ping the router, no issue at all. I'm assuming that with those changes my new default gateway should be the ASA, am I right? Where do I need to configure the default gateway for VPN connections?

thanks again,


Hello jmeggers,

Just an update: I made a change in the ASA.
"ip local pool vpnpool" I changed to "ip local pool vpnpool netmask".
With that change I'm now getting Default Gateway: 10.10.25.2,
but I still cannot access any of my servers remotely.


IPv4 Address. . . . . . . . . . . :
  Subnet Mask . . . . . . . . . . . :
  Default Gateway . . . . . . . . . :
  DHCPv6 IAID . . . . . . . . . . . : 1107297690
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-8E-13-47-60-EB-6

  DNS Servers . . . . . . . . . . . :


John Meggers, Network Architect

Hi, sorry for the delay.  Not sure if this is still an issue for you, or whether you figured something out.  What do the hosts on the inside LAN use as their default gateway, and if that gateway is not the ASA (it's another router or switch) does that router or switch know where the network is located?  If it doesn't know that the ASA is where it should send traffic destined for that address block, then it will send the traffic to its default route, which may or may not be correct.
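How to answer that question from the ASA side, plus the route the LAN router needs if the answer is "no", as an added example that is not part of the thread's replies. The subnets come from the posted object names; the server address 10.10.12.10 and the placeholder `<ASA-inside-IP>` (the Ethernet0/1 address, redacted on the page) are assumptions.

```cisco
! Added example, not from the original thread.
!
! --- On the ASA: capture both directions on the inside interface.
! "match" in a capture is bidirectional, so replies are caught too.
capture vpntrace interface inside match ip 10.10.25.0 255.255.255.0 10.10.12.0 255.255.255.0
! From an AnyConnect client, ping 10.10.12.10 (assumed server), then:
show capture vpntrace
! Outcome A: only 10.10.25.x -> 10.10.12.x packets are listed.
!   The ASA forwarded the request, but the server or its default
!   gateway (the LAN router in this thread) has no route back to
!   10.10.25.0/24. Fix it on the router, below.
! Outcome B: nothing is listed. The ASA never sent it out inside;
!   check "show nat detail" (untranslate_hits on the identity rule
!   should increase) and "show asp drop" for the drop reason.
! Outcome C: both directions are listed. The path through the ASA
!   works; look at a host firewall on the server instead.
no capture vpntrace

! Note: the gateway address AnyConnect shows on the client adapter
! (10.10.25.2 in the thread) is not an interface address on the ASA,
! so pinging it proves nothing about the tunnel.

! Make ICMP stateful so echo replies are matched to their request
! instead of being admitted as a fresh inside -> OutSide flow.
policy-map global_policy
 class inspection_default
  inspect icmp

! --- On the LAN router (Cisco IOS assumed). The hosts use it as their
! default gateway per the thread, so it must send 10.10.25.0/24 to the
! ASA's inside address rather than to its own default route.
ip route 10.10.25.0 255.255.255.0 <ASA-inside-IP>
```

If the router sends 10.10.25.0/24 to its default route (Outcome A), the replies leave the site in clear text toward the ISP and are silently discarded; the capture on the ASA's inside interface is the quickest way to see that the replies are going elsewhere.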
