CISCO ASA any Connect VPN

Posted on 2013-01-30
Last Modified: 2013-01-31
WE have a CISCO ASA 5505 router and we configure everything on it and it connects to the Internet and we configured any connect VPN but as soon as we connect a client to the VPN that clients computer looses Internet browsing capability. That person can still do remote desktop and access other featured but browsing the Internet does not work.
Question by:kajumblies
  • 3
  • 2
LVL 20

Expert Comment

ID: 38835575
You need to configure a split tunnel to tell the vpn client which subnets should go across the tunnel. Otherwise it has to assume that all traffic must go across the tunnel.
LVL 20

Accepted Solution

rauenpc earned 500 total points
ID: 38835594

! standard access list tells the clients which destination subnets should go across the tunnel
access-list VPNCLIENTSPLITTUNNEL standard permit

ip local pool VPNCLIENTPOOL mask

nat (inside,outside) source static SUBNETS-INTERNAL SUBNETS-INTERNAL destination static SUBNET-VPNCLIENT SUBNET-VPNCLIENT
crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

port 4443
enable outside
dtls port 4443
anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-3.1.00495-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-64-3.1.00495-k9.pkg 4
anyconnect enable
tunnel-group-list enable

group-policy VPNCLIENTGP internal
group-policy VPNCLIENTGP attributes
dns-server value x.x.x.x
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNCLIENTSPLITTUNNEL

default-domain value

tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
address-pool VPNCLIENTPOOL
default-group-policy VPNCLIENTGP

tunnel-group VPNCLIENT webvpn-attributes
group-alias "group alias" enable

tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx

Author Comment

ID: 38835982
I am posting my configs for my router with this post. I also just want to make sure that the network that the cisco router is providing aka internal network can browse Internet with or without VPN enabled. However external users using SSL VPN ANY CONNECT loose browsing capabilities as soon as connection is established
LVL 20

Expert Comment

ID: 38836113
As a general thought, I would avoid using an address pool that overlap with an existing subnet. Consider changing the vpn pool to a subnet that doesn't exist in the network anywhere at the moment. This change also means you will need to add the twice nat/no nat statements.

group-policy Remote-VPN internal
group-policy Remote-VPN attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote-VPN_splitTunnelAcl

The above group likely allows the remote user to to use the vpn tunnel as well as internet browse, but this group policy

group-policy test20 internal
group-policy test20 attributes
 vpn-tunnel-protocol svc webvpn
  url-list value Intranet
  svc mtu 1406
  svc ask enable

would not because there is no split tunnel acl specified. therefore, you end up with
tunnel all
Also, the ACL
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit tcp any eq https
access-list inside_access_in extended permit tcp any eq www
access-list inside_access_in extended permit object-group TCPUDP host dns1 eq domain
access-list inside_access_in extended permit object-group TCPUDP host dns2 eq domain

as it stands allows anything with the first two lines so the rest of the lines are useless/non-functional.

Author Closing Comment

ID: 38839129
Thanks for the quick response

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

837 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question