Cisco ASA AnyConnect VPN

Posted on 2013-01-30
Last Modified: 2013-01-31
We have a Cisco ASA 5505 router, and we have configured everything on it; it connects to the Internet. We configured AnyConnect VPN, but as soon as we connect a client to the VPN, that client's computer loses Internet browsing capability. That person can still do remote desktop and access other features, but browsing the Internet does not work.
Question by:kajumblies
LVL 20

Expert Comment

ID: 38835575
You need to configure a split tunnel to tell the VPN client which subnets should go across the tunnel. Otherwise it has to assume that all traffic must go across the tunnel.
LVL 20

Accepted Solution

rauenpc earned 500 total points
ID: 38835594

! Standard access list that tells the clients which destination subnets should go
! across the tunnel. The network and mask were omitted from the post; add one
! permit per internal subnet that remote users need to reach.
access-list VPNCLIENTSPLITTUNNEL standard permit
!
! Client address pool; the start-end range was omitted from the post. Use a
! subnet that exists nowhere else on the network (see the follow-up comment below).
ip local pool VPNCLIENTPOOL mask
!
! NAT exemption (8.3+ twice NAT): keep internal-to-VPN-client traffic untranslated.
! The SUBNETS-INTERNAL and SUBNET-VPNCLIENT network objects are not shown in the post.
nat (inside,outside) source static SUBNETS-INTERNAL SUBNETS-INTERNAL destination static SUBNET-VPNCLIENT SUBNET-VPNCLIENT
!
! IKEv1 for the IPsec client path
crypto isakmp identity address
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Lowest-priority fallback policy. 3DES and DH group 2 (1024-bit MODP) are legacy
! choices; keep this policy only while an old client still needs it.
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! SSL VPN / AnyConnect on the outside interface (the "webvpn" submode header was
! missing from the post); TLS and DTLS both listen on 4443.
webvpn
 port 4443
 enable outside
 dtls port 4443
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-3.1.00495-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-64-3.1.00495-k9.pkg 4
 anyconnect enable
 tunnel-group-list enable
!
! Group policy. Split tunneling is the fix for the lost Internet browsing: without
! "split-tunnel-policy tunnelspecified" plus a network list, the ASA default is
! tunnelall and every client packet, web browsing included, goes into the tunnel.
! The dns-server and default-domain values are placeholders from the post.
group-policy VPNCLIENTGP internal
group-policy VPNCLIENTGP attributes
 dns-server value x.x.x.x
 vpn-idle-timeout 60
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNCLIENTSPLITTUNNEL
 default-domain value
!
tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
 address-pool VPNCLIENTPOOL
 default-group-policy VPNCLIENTGP
tunnel-group VPNCLIENT webvpn-attributes
 group-alias "group alias" enable
tunnel-group VPNCLIENT ipsec-attributes
 ikev1 pre-shared-key xxxxxxxxxxxxx

Author Comment

ID: 38835982
I am posting my configs for my router with this post. I also just want to make sure that the network the Cisco router is providing (aka the internal network) can browse the Internet with or without VPN enabled. However, external users using SSL VPN AnyConnect lose browsing capability as soon as the connection is established.
LVL 20

Expert Comment

ID: 38836113
As a general thought, I would avoid using an address pool that overlaps with an existing subnet. Consider changing the VPN pool to a subnet that doesn't exist anywhere in the network at the moment. This change also means you will need to add the twice-NAT/no-NAT statements.

group-policy Remote-VPN internal
group-policy Remote-VPN attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote-VPN_splitTunnelAcl

The above group likely allows the remote user to use the VPN tunnel as well as browse the Internet, but this group policy

group-policy test20 internal
group-policy test20 attributes
 vpn-tunnel-protocol svc webvpn
  url-list value Intranet
  svc mtu 1406
  svc ask enable

would not, because there is no split-tunnel ACL specified; therefore you end up with tunnel-all.
Also, the ACL
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit tcp any eq https
access-list inside_access_in extended permit tcp any eq www
access-list inside_access_in extended permit object-group TCPUDP host dns1 eq domain
access-list inside_access_in extended permit object-group TCPUDP host dns2 eq domain

as it stands allows anything with the first two lines, so the rest of the lines are useless/non-functional.
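The three problems raised in this thread, a group policy that falls back to tunnel-all because no split-tunnel network list is bound (the accepted solution's fix), a VPN pool that overlaps an interface subnet, and an inside ACL whose leading `permit ip any any` shadows every later entry, can be checked mechanically before a config is pushed. The script below is an added example, not code from this thread or from Cisco. It runs over a constructed sample config that reuses the thread's object names (Remote-VPN, test20, inside_access_in, VPNCLIENTPOOL); the 192.168.1.0/24 inside subnet and the pool range are assumptions, not the asker's real addressing.

```python
"""Audit an ASA running-config for the AnyConnect 'no Internet once connected'
causes discussed in this thread:
  * a group policy with no usable split-tunnel network list (the ASA default
    split-tunnel-policy is tunnelall, so every client packet enters the tunnel),
  * a VPN address pool that overlaps an interface subnet,
  * an inside ACL whose leading 'permit ip any any' shadows every later entry.
Added example, not the thread's own code; the sample config below is constructed.
"""
import ipaddress
import re

# Constructed sample config reusing the thread's object names. The 192.168.1.0/24
# subnet and the pool range are assumptions, not the asker's real addressing.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
ip local pool VPNCLIENTPOOL 192.168.1.200-192.168.1.220 mask 255.255.255.0
access-list Remote-VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq www
group-policy Remote-VPN internal
group-policy Remote-VPN attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote-VPN_splitTunnelAcl
group-policy test20 internal
group-policy test20 attributes
 vpn-tunnel-protocol svc webvpn
 svc mtu 1406
"""


def parse_group_policies(config):
    """Map each 'group-policy NAME attributes' block to its indented attribute lines."""
    policies, current = {}, None
    for line in config.splitlines():
        match = re.match(r"group-policy (\S+) attributes$", line)
        if match:
            current = policies.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        elif line.strip():
            current = None  # any other top-level line ends the attributes block
    return policies


def tunnel_all_policies(config):
    """Group policies whose clients will send all traffic through the tunnel."""
    findings = []
    for name, attrs in parse_group_policies(config).items():
        policy = next((a.split()[1] for a in attrs
                       if a.startswith("split-tunnel-policy ")), "tunnelall")
        has_list = any(a.startswith("split-tunnel-network-list value ") for a in attrs)
        # tunnelspecified/excludespecified only take effect with a bound network list
        if policy == "tunnelall" or not has_list:
            findings.append(name)
    return sorted(findings)


def interface_subnets(config):
    """Subnets from 'ip address A M' lines inside interface blocks."""
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for addr, mask in re.findall(r"^ ip address (\S+) (\S+)$", config, re.M)]


def local_pools(config):
    """{pool_name: (first_address, last_address)} from 'ip local pool' lines."""
    return {name: (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            for name, lo, hi in re.findall(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M)}


def overlapping_pools(config):
    """Pools whose range intersects an interface subnet (the 'avoid overlap' advice)."""
    subnets = interface_subnets(config)
    return sorted(name for name, (lo, hi) in local_pools(config).items()
                  if any(lo <= n.broadcast_address and hi >= n.network_address
                         for n in subnets))


def shadowed_acl_entries(config, acl_name):
    """Entries after the first 'permit ip any any' in acl_name; they can never match."""
    entries = [line for line in config.splitlines()
               if line.startswith(f"access-list {acl_name} ")]
    for idx, entry in enumerate(entries):
        if re.search(r"\bpermit ip any any$", entry):
            return entries[idx + 1:]
    return []


def audit(config, inside_acl="inside_access_in"):
    """Run all three checks and return the findings as a dict."""
    return {
        "tunnel_all_policies": tunnel_all_policies(config),
        "overlapping_pools": overlapping_pools(config),
        "shadowed_acl_entries": shadowed_acl_entries(config, inside_acl),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {result}")
```

On the sample, `test20` is reported as tunnel-all, `VPNCLIENTPOOL` as overlapping the inside subnet, and the three ACL entries after `permit ip any any` as shadowed; moving the pool to an unused subnet such as 10.99.0.0/24 clears the second finding, and the first disappears once the policy carries both `split-tunnel-policy tunnelspecified` and a `split-tunnel-network-list`. The parser is deliberately line-based: it reads `show running-config` output, not the ASDM XML, and ignores the NAT exemption, which has to be verified separately with `packet-tracer`.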

Author Closing Comment

ID: 38839129
Thanks for the quick response
