[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


CISCO ASA any Connect VPN

Posted on 2013-01-30
Medium Priority
Last Modified: 2013-01-31
WE have a CISCO ASA 5505 router and we configure everything on it and it connects to the Internet and we configured any connect VPN but as soon as we connect a client to the VPN that clients computer looses Internet browsing capability. That person can still do remote desktop and access other featured but browsing the Internet does not work.
Question by:kajumblies
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 20

Expert Comment

ID: 38835575
You need to configure a split tunnel to tell the vpn client which subnets should go across the tunnel. Otherwise it has to assume that all traffic must go across the tunnel.
LVL 20

Accepted Solution

rauenpc earned 2000 total points
ID: 38835594

! standard access list tells the clients which destination subnets should go across the tunnel
access-list VPNCLIENTSPLITTUNNEL standard permit

ip local pool VPNCLIENTPOOL mask

nat (inside,outside) source static SUBNETS-INTERNAL SUBNETS-INTERNAL destination static SUBNET-VPNCLIENT SUBNET-VPNCLIENT
crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

port 4443
enable outside
dtls port 4443
anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-3.1.00495-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-64-3.1.00495-k9.pkg 4
anyconnect enable
tunnel-group-list enable

group-policy VPNCLIENTGP internal
group-policy VPNCLIENTGP attributes
dns-server value x.x.x.x
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNCLIENTSPLITTUNNEL

default-domain value company.com

tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
address-pool VPNCLIENTPOOL
default-group-policy VPNCLIENTGP

tunnel-group VPNCLIENT webvpn-attributes
group-alias "group alias" enable

tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx

Author Comment

ID: 38835982
I am posting my configs for my router with this post. I also just want to make sure that the network that the cisco router is providing aka internal network can browse Internet with or without VPN enabled. However external users using SSL VPN ANY CONNECT loose browsing capabilities as soon as connection is established
LVL 20

Expert Comment

ID: 38836113
As a general thought, I would avoid using an address pool that overlap with an existing subnet. Consider changing the vpn pool to a subnet that doesn't exist in the network anywhere at the moment. This change also means you will need to add the twice nat/no nat statements.

group-policy Remote-VPN internal
group-policy Remote-VPN attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote-VPN_splitTunnelAcl

The above group likely allows the remote user to to use the vpn tunnel as well as internet browse, but this group policy

group-policy test20 internal
group-policy test20 attributes
 vpn-tunnel-protocol svc webvpn
  url-list value Intranet
  svc mtu 1406
  svc ask enable

would not because there is no split tunnel acl specified. therefore, you end up with
tunnel all
Also, the ACL
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit tcp any eq https
access-list inside_access_in extended permit tcp any eq www
access-list inside_access_in extended permit object-group TCPUDP host dns1 eq domain
access-list inside_access_in extended permit object-group TCPUDP host dns2 eq domain

as it stands allows anything with the first two lines so the rest of the lines are useless/non-functional.

Author Closing Comment

ID: 38839129
Thanks for the quick response

Featured Post

Tech or Treat!

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question