problems with AnyConnect in ASA 5510 Ver. 8.4(2)

Posted on 2011-10-03
Last Modified: 2012-05-12

Currently my setup is:
Router ------ASA------SW
My servers in my datacenter are using  as a default gateway (Router), but I want to change it and start using ACLs in my ASA, which is

I have an issue using AnyConnect: the client can connect and receives the following info from the ASA:
IPv4 Address. . . . . . . . . . . :
  Subnet Mask . . . . . . . . . . . :
  Default Gateway . . . . . . . . . :
  DHCPv6 IAID . . . . . . . . . . . : 1107297690
  DNS Servers . . . . . . . . . . . :

How can I configure the ASA to assign the  as a default gateway when the client connects to the VPN?
The ASA and the router can see each other.

Thanks in advance.

asa01# show run
: Saved
ASA Version 8.4(2)
hostname asa01
enable password 7xElFFjIAHUx9Pr encrypted
passwd 2KFQnDDD.dI.2KYOU encrypted
interface Ethernet0/0
 nameif OutSide
 security-level 0
 ip address 6X.XXX.XX.140
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
banner motd           ** WARNING **
banner motd Unauthorized access prohibited. all access is
banner motd monitored, and trespassers shall be prosecuted
banner motd to the fullest extent of the law. 
ftp mode passive
dns server-group DefaultDNS
object network TC_10.10.12.0
object network VPN_10.10.25.0
 nat (OutSide,OutSide) dynamic interface
object network ANY-
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended deny ip any any log
access-list splittunnel standard permit
pager lines 24
mtu OutSide 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpnpool netmask
same-security-traffic permit intra-interface
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,OutSide) source static TC_10.10.12.0 TC_10.10.12.0 destination static VPN_10.10.25.0 VPN_10.10.25.0
object network ANY-
 nat (inside,OutSide) dynamic interface
access-group outside-in in interface OutSide
route OutSide 6X.XXX.XX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http redirect OutSide 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint localtrust
 enrollment self
 keypair webvpn
 crl configure
crypto ca certificate chain localtrust
 certificate 123d7c4e
    30820217 30820180 a0030201 02020412 3d7c4e30 0d06092a 864886f7 0d010105
    05003050 31233021 06035504 03131a77 65627670 6e2e7468 65746963 6b657463
    6c696e69 632e636f 6d312930 2706092a 864886f7 0d010902 161a7765 6276706e
    2e746865 7469636b 6574636c 696e6963 2e636f6d 301e170d 31313039 32333039
    35313038 5a170d32 31303932 30303935 3130385a 30503123 30210603 55040313
    1a776562 76706e2e 74686574 69636b65 74636c69 6e69632e 636f6d31 29302706
    d71ea3b8 1d49c87b b23e0db7 4bd6ac4b c728d399 99904978 a0795e02 04997d4d
    c3686a5a 9ddf0f20 5f9b2da3 1b8f010c 489b867f 991bd31c f520e6
telnet timeout 5
ssh OutSide
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust OutSide
webvpn
 enable OutSide
 anyconnect image disk0:/anyconnect-dart-win-2.5.3051-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy AnyConnect-Policy internal
group-policy AnyConnect-Policy attributes
 dns-server value
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  anyconnect keep-installer installed
  anyconnect ask enable default anyconnect timeout 20
username asa01 password 4FuE2Xuw1DD9F60 encrypted
username ssluser1 password 1ZUfK6gDDTDib encrypted
username ssluser1 attributes
 service-type remote-access
tunnel-group TCVPNUsers type remote-access
tunnel-group TCVPNUsers general-attributes
 address-pool vpnpool
 default-group-policy AnyConnect-Policy
tunnel-group TCVPNUsers webvpn-attributes
 group-alias sslgroup_users enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end


Question by: juanchisv

    Accepted Solution

    The default gateway needs to be in the same subnet as the IP address assigned to the host.

    What is the problem you're trying to solve?  Are VPN clients not able to get to internal resources?  There are several potential causes of this including (mainly) internal routing and NAT.  You appear to be doing the correct "no-nat" configuration so the ASA doesn't attempt to NAT internal traffic going to VPN clients.  Does the router know where the VPN subnet is located?  There's no dynamic routing on the ASA so it's not advertising the VPN pool to other devices.
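The three things the accepted answer tells the poster to check (gateway inside the assigned subnet, a return route for the pool on the inside router, and the no-NAT rule winning over dynamic PAT) as an added Python example; this is not code from the thread or from Cisco. Every address, route table and NAT rule below is a constructed assumption, since the post elides its real values, and `best_route`, `nat_action` and `diagnose` are hypothetical helpers. The NAT model covers only the first-match section ordering of ASA 8.3+ (manual NAT before object NAT), not the full NAT engine.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed assumptions: the original post elides its real addresses.
INSIDE_NET = ip_network("10.10.12.0/24")   # object network TC_10.10.12.0
VPN_POOL = ip_network("10.10.25.0/24")     # object network VPN_10.10.25.0
ASA_INSIDE_IP = ip_address("10.10.12.2")   # ASA Ethernet0/1 (assumed)
ROUTER_LAN_IP = ip_address("10.10.12.1")   # servers' current gateway (assumed)
ANY = ip_network("0.0.0.0/0")

# Hypothetical model of the post's two NAT statements, in ASA 8.3+ evaluation
# order: manual (twice) NAT in section 1 is checked before object NAT in
# section 2, and the first matching rule wins.
SECTION1 = [
    # nat (inside,OutSide) source static TC TC destination static VPN VPN
    {"src": INSIDE_NET, "dst": VPN_POOL, "action": "identity"},
]
SECTION2 = [
    # object network ANY- / nat (inside,OutSide) dynamic interface
    {"src": ANY, "dst": ANY, "action": "pat-to-outside-interface"},
]


def gateway_in_client_subnet(client_ip, netmask, gateway):
    """Point 1 of the answer: the gateway the client is told to use has to
    lie inside the subnet formed by its assigned address and mask."""
    return ip_address(gateway) in ip_interface(f"{client_ip}/{netmask}").network


def best_route(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs, as a router does
    for a single packet. Returns the next hop string or None."""
    dst = ip_address(dst)
    matches = [(ip_network(p), nh) for p, nh in routes if dst in ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def return_path_ok(router_routes, pool=VPN_POOL, asa_ip=ASA_INSIDE_IP):
    """Point 2: the ASA runs no dynamic routing, so the inside router needs a
    static route sending pool traffic back to the ASA's inside interface."""
    nh = best_route(router_routes, next(pool.hosts()))
    return nh is not None and ip_address(nh) == asa_ip


def nat_action(src, dst, section1=SECTION1, section2=SECTION2):
    """Point 3: first matching NAT rule, section 1 before section 2."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in section1 + section2:
        if src in rule["src"] and dst in rule["dst"]:
            return rule["action"]
    return "no-match"


def diagnose(client_ip, netmask, gateway, router_routes, server_ip):
    """Collect findings for one VPN client; an empty list means all pass."""
    problems = []
    if not gateway_in_client_subnet(client_ip, netmask, gateway):
        problems.append(f"gateway {gateway} is outside {client_ip}/{netmask}")
    if not return_path_ok(router_routes):
        nh = best_route(router_routes, client_ip)
        problems.append(f"router sends {VPN_POOL} to {nh}, not the ASA at {ASA_INSIDE_IP}")
    if nat_action(server_ip, client_ip) != "identity":
        problems.append(f"{server_ip}->{client_ip} would be NATed instead of exempt")
    return problems


if __name__ == "__main__":
    # Router with only a default route to the ISP: replies to the VPN pool
    # leak toward the WAN instead of coming back through the ASA.
    before = [("0.0.0.0/0", "203.0.113.1"), ("10.10.12.0/24", str(ROUTER_LAN_IP))]
    print(diagnose("10.10.25.10", "255.255.255.0", "10.10.25.1", before, "10.10.12.50"))
    # After a static route for the pool is added on the router.
    after = before + [("10.10.25.0/24", str(ASA_INSIDE_IP))]
    print(diagnose("10.10.25.10", "255.255.255.0", "10.10.25.1", after, "10.10.12.50"))
```

With the assumed tables, the first `diagnose` call reports only the missing return route, which matches the answer's diagnosis that the inside router has no idea where the VPN pool lives; the NAT check passes because the identity rule in section 1 is hit before the dynamic PAT rule in section 2.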

    Author Comment

    Thanks again for your response.
    There was a NAT issue; I added the following line to my router:
    "ip route"

    and that resolved the problem.

    Thanks again.
