

CISCO ASA AnyConnect VPN

Posted on 2013-01-30
Medium Priority
Last Modified: 2013-01-31
We have a CISCO ASA 5505 router and we configured everything on it; it connects to the Internet and we configured AnyConnect VPN, but as soon as we connect a client to the VPN that client's computer loses Internet browsing capability. That person can still do remote desktop and access other features, but browsing the Internet does not work.
Question by: kajumblies
LVL 20

Expert Comment

ID: 38835575
You need to configure a split tunnel to tell the vpn client which subnets should go across the tunnel. Otherwise it has to assume that all traffic must go across the tunnel.
LVL 20

Accepted Solution

rauenpc earned 2000 total points
ID: 38835594

! standard access list tells the clients which destination subnets should go across the tunnel
access-list VPNCLIENTSPLITTUNNEL standard permit

ip local pool VPNCLIENTPOOL mask

nat (inside,outside) source static SUBNETS-INTERNAL SUBNETS-INTERNAL destination static SUBNET-VPNCLIENT SUBNET-VPNCLIENT
crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

webvpn
 port 4443
 enable outside
 dtls port 4443
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-3.1.00495-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-64-3.1.00495-k9.pkg 4
 anyconnect enable
 tunnel-group-list enable

group-policy VPNCLIENTGP internal
group-policy VPNCLIENTGP attributes
 dns-server value x.x.x.x
 vpn-idle-timeout 60
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNCLIENTSPLITTUNNEL
 default-domain value company.com

tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
 address-pool VPNCLIENTPOOL
 default-group-policy VPNCLIENTGP

tunnel-group VPNCLIENT webvpn-attributes
 group-alias "group alias" enable

tunnel-group VPNCLIENT ipsec-attributes
 ikev1 pre-shared-key xxxxxxxxxxxxx

Author Comment

ID: 38835982
I am posting my configs for my router with this post. I also just want to make sure that the network that the Cisco router is providing (aka the internal network) can browse the Internet with or without VPN enabled. However, external users using SSL VPN AnyConnect lose browsing capabilities as soon as the connection is established.
LVL 20

Expert Comment

ID: 38836113
As a general thought, I would avoid using an address pool that overlaps with an existing subnet. Consider changing the VPN pool to a subnet that doesn't exist anywhere in the network at the moment. This change also means you will need to add the twice NAT/no-NAT statements.

group-policy Remote-VPN internal
group-policy Remote-VPN attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote-VPN_splitTunnelAcl

The above group likely allows the remote user to use the VPN tunnel as well as browse the Internet, but this group policy

group-policy test20 internal
group-policy test20 attributes
 vpn-tunnel-protocol svc webvpn
  url-list value Intranet
  svc mtu 1406
  svc ask enable

would not, because there is no split tunnel ACL specified. Therefore, you end up with tunnel all.
Also, the ACL
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit tcp any eq https
access-list inside_access_in extended permit tcp any eq www
access-list inside_access_in extended permit object-group TCPUDP host dns1 eq domain
access-list inside_access_in extended permit object-group TCPUDP host dns2 eq domain

as it stands allows anything with the first two lines, so the rest of the lines are useless/non-functional.
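The two defects pointed out above (a group-policy with no split-tunnel ACL, which makes the ASA fall back to its tunnelall default and send all client traffic into the tunnel, and an inside ACL whose later entries are dead because an earlier "permit ip any any" already matches everything) can be caught mechanically before a change is pushed. The following is an added example written for this page, not code from the thread or from Cisco: a small lint over a running-config in ASA text form. SAMPLE_CONFIG is a constructed config that mirrors the shapes quoted in the thread (the subnet in the split-tunnel ACL is made up), and the function names are the example's own.

```python
"""Lint a Cisco ASA configuration for the two remote-access pitfalls raised in
this thread: a group-policy that silently falls back to tunnelall, and ACEs
shadowed by an earlier blanket 'permit ip any any'.

Added example; SAMPLE_CONFIG is constructed and not the asker's real config."""
import re

# Constructed sample in ASA running-config style (sub-mode lines indented one space).
SAMPLE_CONFIG = """\
access-list Remote-VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq www
group-policy Remote-VPN internal
group-policy Remote-VPN attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote-VPN_splitTunnelAcl
group-policy test20 internal
group-policy test20 attributes
 vpn-tunnel-protocol svc webvpn
 svc mtu 1406
"""


def parse_group_policies(config):
    """Return {name: {attribute: value}} from 'group-policy NAME attributes' blocks."""
    policies, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        m = re.match(r"^group-policy (\S+) attributes$", raw)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif raw.startswith(" ") and current is not None:
            key, _, value = raw.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level command closes the block
    return policies


def parse_access_lists(config):
    """Return {acl_name: [(kind, ace), ...]} preserving ACE order."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"^access-list (\S+) (standard|extended) (.+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return acls


def check_split_tunnel(config):
    """One finding per group-policy whose AnyConnect clients would lose local
    Internet access. The ASA default split-tunnel-policy is tunnelall; inheritance
    from DfltGrpPolicy is deliberately ignored in this simplified check."""
    findings = []
    acls = parse_access_lists(config)
    for name, attrs in parse_group_policies(config).items():
        policy = attrs.get("split-tunnel-policy", "tunnelall")
        if policy == "tunnelall":
            findings.append(f"{name}: tunnelall in effect, all client traffic enters the tunnel")
            continue
        ref = attrs.get("split-tunnel-network-list", "none")
        acl_name = ref.split()[-1] if ref.startswith("value ") else ""
        if not acl_name:
            findings.append(f"{name}: {policy} but no split-tunnel-network-list")
        elif acl_name not in acls:
            findings.append(f"{name}: split-tunnel ACL {acl_name} is not defined")
    return findings


def shadowed_aces(config):
    """Return {acl_name: [ace, ...]} for ACEs that can never match because an
    earlier 'permit ip any any' (or deny) in the same ACL matches every packet."""
    shadowed = {}
    for name, aces in parse_access_lists(config).items():
        blanket = False
        for kind, ace in aces:
            if blanket:
                shadowed.setdefault(name, []).append(ace)
            elif kind == "extended" and re.match(r"^(permit|deny) ip any4? any4?$", ace):
                blanket = True
    return shadowed


if __name__ == "__main__":
    for finding in check_split_tunnel(SAMPLE_CONFIG):
        print("split-tunnel:", finding)
    for acl, aces in shadowed_aces(SAMPLE_CONFIG).items():
        for ace in aces:
            print(f"shadowed in {acl}: {ace}")
```

Run against the sample, the lint flags test20 (no split-tunnel-policy, so tunnelall applies) and reports the three inside_access_in entries after the blanket permit as unreachable, while Remote-VPN passes because its network list names an ACL that exists. The check is intentionally narrow: it reads one config file, makes no device connection, and does not model group-policy inheritance.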

Author Closing Comment

ID: 38839129
Thanks for the quick response
