Solved

Cisco ASA AnyConnect VPN

Posted on 2013-01-30
Last Modified: 2013-01-31
We have a Cisco ASA 5505 router and we configured everything on it and it connects to the Internet and we configured AnyConnect VPN, but as soon as we connect a client to the VPN that client's computer loses Internet browsing capability. That person can still do remote desktop and access other features, but browsing the Internet does not work.
0
Question by:kajumblies

Expert Comment

by:rauenpc
ID: 38835575
You need to configure a split tunnel to tell the vpn client which subnets should go across the tunnel. Otherwise it has to assume that all traffic must go across the tunnel.
0
 

Accepted Solution

by:
rauenpc earned 500 total points
ID: 38835594
Example

! standard access list tells the clients which destination subnets should go across the tunnel
access-list VPNCLIENTSPLITTUNNEL standard permit 10.1.1.0 255.255.255.0

! address pool handed out to connecting VPN clients
ip local pool VPNCLIENTPOOL 192.168.254.1-192.168.254.50 mask 255.255.255.0

! identity (no-NAT) rule between the internal subnets and the VPN client pool;
! SUBNETS-INTERNAL and SUBNET-VPNCLIENT are network objects that must already be defined
nat (inside,outside) source static SUBNETS-INTERNAL SUBNETS-INTERNAL destination static SUBNET-VPNCLIENT SUBNET-VPNCLIENT
!
crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! lowest-priority fallback policy (3DES is a legacy cipher)
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! AnyConnect (SSL VPN) listener and client images
webvpn
 port 4443
 enable outside
 dtls port 4443
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-3.1.00495-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-64-3.1.00495-k9.pkg 4
 anyconnect enable
 tunnel-group-list enable

! the two split-tunnel lines are what keep the client's Internet traffic off the tunnel
group-policy VPNCLIENTGP internal
group-policy VPNCLIENTGP attributes
 dns-server value x.x.x.x
 vpn-idle-timeout 60
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNCLIENTSPLITTUNNEL
 default-domain value company.com

tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
 address-pool VPNCLIENTPOOL
 default-group-policy VPNCLIENTGP

tunnel-group VPNCLIENT webvpn-attributes
 group-alias "group alias" enable

tunnel-group VPNCLIENT ipsec-attributes
 ikev1 pre-shared-key xxxxxxxxxxxxx
!
0
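
An added example, not part of the answer above or of any Cisco tooling: a small Python audit that reads a running-config and reports, for each group-policy, whether clients send only the listed subnets through the tunnel or everything, Internet traffic included. The sample config and the EXAMPLE-NOSPLIT policy are constructed, and the script assumes DfltGrpPolicy still has its default tunnelall mode and that split-tunnel lists are standard ACLs.

```python
import ipaddress

# Constructed sample in "show running-config" layout. VPNCLIENTGP mirrors the
# answer above; EXAMPLE-NOSPLIT is a made-up policy with no split-tunnel lines.
SAMPLE_CONFIG = """\
access-list VPNCLIENTSPLITTUNNEL standard permit 10.1.1.0 255.255.255.0
group-policy VPNCLIENTGP internal
group-policy VPNCLIENTGP attributes
 vpn-idle-timeout 60
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNCLIENTSPLITTUNNEL
group-policy EXAMPLE-NOSPLIT internal
group-policy EXAMPLE-NOSPLIT attributes
 vpn-idle-timeout 60
"""

def acl_network(spec):
    """Turn the tail of a standard ACL entry into an ip_network."""
    if spec[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if spec[0] == "host":
        return ipaddress.ip_network(spec[1] + "/32")
    return ipaddress.ip_network(f"{spec[0]}/{spec[1]}", strict=False)

def audit_group_policies(config):
    """Report, per group-policy, the tunnel mode and which networks are tunnelled."""
    acls, policies, current = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["access-list"] and words[2:4] == ["standard", "permit"]:
            acls.setdefault(words[1], []).append(acl_network(words[4:]))
        elif words[:1] == ["group-policy"] and words[2:] == ["attributes"]:
            # Assumption: DfltGrpPolicy is unchanged, so the inherited mode is tunnelall.
            current = policies.setdefault(words[1], {"mode": "tunnelall", "acl": None})
        elif not line.startswith(" "):
            current = None  # left the indented attributes block
        elif current is not None and words[:1] == ["split-tunnel-policy"]:
            current["mode"] = words[1]
        elif current is not None and words[:2] == ["split-tunnel-network-list", "value"]:
            current["acl"] = words[2]
    report = {}
    for name, pol in policies.items():
        nets = acls.get(pol["acl"], []) if pol["mode"] != "tunnelall" else []
        full = pol["mode"] != "tunnelspecified" or any(n.prefixlen == 0 for n in nets)
        report[name] = {"mode": pol["mode"], "networks": [str(n) for n in nets],
                        "internet_via_tunnel": full}
    return report
```

A policy reported with `internet_via_tunnel` set to True reproduces the symptom in the question unless the ASA is also configured to route and NAT the clients' Internet traffic.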
 

Author Comment

by:kajumblies
ID: 38835982
I am posting my configs for my router with this post. I also just want to make sure that the network that the Cisco router is providing, aka the internal network, can browse the Internet with or without VPN enabled. However, external users using SSL VPN AnyConnect lose browsing capabilities as soon as the connection is established.
CISCO-asa-5505-new.txt
0
 

Expert Comment

by:rauenpc
ID: 38836113
As a general thought, I would avoid using an address pool that overlaps with an existing subnet. Consider changing the VPN pool to a subnet that doesn't exist in the network anywhere at the moment. This change also means you will need to add the twice NAT/no-NAT statements.

group-policy Remote-VPN internal
group-policy Remote-VPN attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote-VPN_splitTunnelAcl

The above group likely allows the remote user to use the VPN tunnel as well as browse the internet, but this group policy

group-policy test20 internal
group-policy test20 attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value Intranet
  svc mtu 1406
  svc ask enable

would not because there is no split tunnel ACL specified. Therefore, you end up with tunnel all.

Also, the ACL
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 host dns1 eq domain
access-list inside_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 host dns2 eq domain

as it stands allows anything with the first two lines so the rest of the lines are useless/non-functional.
0
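
An added example, not part of the comment above: a Python check that finds ACL entries an earlier entry already matches in full, run over the inside_access_in lines quoted in that comment. Because the ASA stops at the first matching entry, a shadowed entry never takes effect, so the web and DNS restrictions it was meant to express are not enforced. The check assumes extended entries without source-port operators and treats names such as dns1 and TCPUDP as opaque; the function names are illustrative.

```python
import ipaddress

# The inside_access_in entries quoted in the comment above, in their original order.
SAMPLE_ACL = """\
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 host dns1 eq domain
access-list inside_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 host dns2 eq domain
"""

def take_addr(tok):
    """Consume one address spec: 'any', a keyword plus name, or network plus mask."""
    head = tok.pop(0)
    if head in ("any", "any4"):
        return "any"
    if head in ("host", "object", "object-group"):
        return f"{head} {tok.pop(0)}"  # names such as dns1 stay symbolic
    return ipaddress.ip_network(f"{head}/{tok.pop(0)}", strict=False)

def parse_entry(line):
    # Assumption: no source-port operator between the source and destination.
    tok = line.split()
    acl, rest = tok[1], tok[4:]
    proto = rest.pop(0)
    if proto in ("object", "object-group"):
        proto = rest.pop(0)  # e.g. "object-group TCPUDP"
    return acl, proto, take_addr(rest), take_addr(rest), " ".join(rest)

def addr_covers(a, b):
    if a == "any" or a == b:
        return True
    net = ipaddress.IPv4Network
    return isinstance(a, net) and isinstance(b, net) and b.subnet_of(a)

def find_shadowed(config):
    """Return (entry_no, covering_entry_no) pairs, numbered among extended entries."""
    seen, shadowed = [], []
    lines = [l for l in config.splitlines() if l.startswith("access-list ") and " extended " in l]
    for no, line in enumerate(lines, start=1):
        acl, proto, src, dst, ports = parse_entry(line)
        for prev_no, (p_acl, p_proto, p_src, p_dst, p_ports) in seen:
            if (p_acl == acl and p_proto in ("ip", proto) and addr_covers(p_src, src)
                    and addr_covers(p_dst, dst) and p_ports in ("", ports)):
                shadowed.append((no, prev_no))
                break
        seen.append((no, (acl, proto, src, dst, ports)))
    return shadowed
```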
 

Author Closing Comment

by:kajumblies
ID: 38839129
Thanks for the quick response
0
