exsasan asked:

ASA 5505 - VPN user cannot access Internet.

Hi there,
I set up AnyConnect and can access the local network with no problem, but after that I cannot access the Internet.
How can I let VPN users access the Internet? Is there any way other than split tunneling?
Please let me know.
Thanks

My ASA 5505 configuration:
Software Version 8.2(5)
Device Manager Version 7.5(1)
Attachment: ASA.txt
ASKER CERTIFIED SOLUTION by max_the_king (solution text is only available to members)
Are you permitting your VPN pool to NAT?
exsasan (asker):
Thanks guys.
Max: I was trying to avoid the tunneling if there is an easier way. (This is a working firewall and I try to minimize the changes if possible.)
Jan: I just used the wizard to set up AnyConnect and it worked except for the Internet; I didn't add any commands (I'm not good with commands).

Somebody suggested the following, do you think it works:
nat (outside) 1 192.168.2.0 255.255.255.0
https://supportforums.cisco.com/discussion/12451646/asa-5505-anyconnect-vpn-users-cant-access-internet

Thanks
Hi,
what I suggested above is risk free ... do not worry.

You can test it on new VPN connections.

Then you have a bad configuration on NAT:
nat (inside) 101 0.0.0.0 0.0.0.0

which I'd change, .... but let's try and resolve the VPN problem first.

hope this helps
max
SOLUTION (solution text is only available to members)
Hello Jan,
please note that NAT is already exempted in the configuration:

nat (inside) 0 access-list inside_nat0_outbound

max
Max, the VPN IP is bound by the outside interface and therefore the inside NAT for traffic originating from the VPN also needs a nonat.
yep, in fact ... here it is:
nat (inside) 0 access-list inside_nat0_outbound
cheers
max
That's for traffic originating from the inside interface, Max. The VPN NAT will originate from the outside interface.
which is none of the firewall's business ... it just needs to exempt NAT getting back from inside to outside ... and it is already sitting there in the configuration.
457 firewall configurations of mine happily work this way!
cheers
max
exsasan (asker):

Hi Jan,
I tried your configuration and still the VPN traffic cannot go to the Internet; can you please have a look at the new configuration? I included the file.
Thanks
Attachment: asa-2017-06-30.txt
I could be under-caffeinated, but I don't see the new attachment.
exsasan (asker):

Hi Max,
Now that I tried to use your commands, I get an error when running the first line:
access-list splittunnel extended permit ip 172.22.0.1 255.255.252.0
ERROR: % Incomplete command

Any idea?
Thanks
exsasan (asker):

Jan, the attachment is there, but I'll attach it again.
Attachment: asa-2017-06-30.txt
try and add
any
max
Add this:

same-security permit intra-interface
exsasan (asker):

Jan, I added that; it didn't work. Now I realize I cannot access even the local network. I don't say it happened exactly after adding that. Last night, after I tried yours and it didn't work, I removed the commands; I might have removed something by mistake. I included the current config now.
Attachment: asa-2017-06-30-2.txt
These are the relevant differences (there are others, but they don't matter).

The "<" is a line in the original. The line number appears first.

The ">" is a line in the latest. The line number appears first.

This will show you what is in one that is not in the other, and vice versa.

For example, in the latest on line 48, you have the same-security statement.

Line 58, the ACL statements are different.

I have not performed an eyeball comparison, but this should help.


48a48
> same-security-traffic permit intra-interface
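Review bot: `same-security-traffic permit intra-interface` is the prerequisite for letting VPN traffic leave through the same outside interface it arrived on (the non-split-tunnel approach discussed earlier); it has no effect on VPN-to-LAN reachability, so it is not what broke local network access and can stay while the NAT lines are sorted out.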


58c58
< access-list inside_nat0_outbound extended permit ip 172.22.0.0 255.255.252.0 AnyConnect-Pool-10 255.255.255.0
---
> access-list vpn_nat_exempt extended permit ip AnyConnect-Pool-10 255.255.255.0 172.22.0.0 255.255.252.0
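Review bot: the replacement ACL reverses the direction (pool to 172.22.0.0/22) and drops the `inside_nat0_outbound` name, but nothing in the new config exempts the inside side any more; an ACL bound with `nat (outside) 0` only matches traffic arriving on the outside interface, so the original `inside_nat0_outbound` line (LAN to pool) should be kept alongside the new one rather than replaced by it.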


74d73
< nat (inside) 0 access-list inside_nat0_outbound
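Review bot: deleting `nat (inside) 0 access-list inside_nat0_outbound` removes the NAT exemption for inside hosts replying to VPN clients, so their return traffic now falls under the regular dynamic NAT on the inside interface (the `nat (inside) 101` rule mentioned earlier in the thread) and gets translated. That matches the "cannot access even the local network" symptom reported after this change; restore this line and the ACL it references before testing anything else.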



76c75,77
< static (inside,outside) tcp interface 33990 SRa-PC-200 3389 netmask 255.255.255.255
---
> nat (outside) 0 access-list vpn_nat_exempt
> nat (outside) 1 AnyConnect-Pool-10 255.255.255.0
> static (inside,outside) tcp interface 33990 SRaisdana-PC-200 3389 netmask 255.255.255.255
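Review bot: `nat (outside) 1 AnyConnect-Pool-10 255.255.255.0` only translates hairpinned VPN traffic if a matching `global (outside) 1 interface` (or another `global` for NAT id 1) exists; no such line appears in this diff, so confirm it is present in the full config. The `nat (outside) 0 access-list vpn_nat_exempt` line above it is fine as the pool-to-LAN exemption, since NAT exemption is evaluated before dynamic NAT on 8.2.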


80c81
< static (inside,outside) tcp interface 33992 Ho-Mini-Dell 3389 netmask 255.255.255.255
---
> static (inside,outside) tcp interface 33992 HoFa-Mini-Dell 3389 netmask 255.255.255.255


116a118
>  split-tunnel-policy tunnelspecified
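Review bot: `split-tunnel-policy tunnelspecified` needs a `split-tunnel-network-list value <acl>` under the same group policy to say which networks are sent through the tunnel; none appears in this diff, so check whether the `splittunnel` ACL that failed with "Incomplete command" earlier was ever created and bound. If the goal is the hairpin approach instead (all traffic through the ASA), the policy should be `tunnelall`.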


119a122,123
> username sraisdana attributes
>  vpn-group-policy DfltGrpPolicy


122a127,129
> username user1 password 8ogBCnh/EJtsXvgp encrypted
> username user1 attributes
>  service-type remote-access
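Review bot: the diff pastes a `username user1 password ... encrypted` line with the hash intact; it should be redacted before posting configs publicly, and if that account is real its password should be changed now that the hash has been shared. The account also gets `service-type remote-access` without a `vpn-group-policy`, so it inherits DfltGrpPolicy; worth confirming that is intended.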
exsasan (asker):

I know it sounds like a stupid question, but how can I remove a command? Or can I run the whole first configuration in the command line interface and replace the new configuration?
config t
no <command>
exsasan (asker):

Thanks Jan and Max.
After spending some time I found out my configuration is too messy to make it work. I ended up going back to a configuration from before setting up AnyConnect and followed this path to make it work:

Working Setup:
Set up AnyConnect using the wizard → connection worked

To allow local network access:
Add one NAT
- NAT Exempt
- Interface: Inside
- Source: Local Network
- Destination: AnyConnect-Pool-xx/24

To allow Internet access:
- Set up split tunneling:
- http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100936-asa8x-split-tunnel-anyconnect-config.html
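The two working paths discussed in this thread, written out as an ASA 8.2 CLI example (added here; not the asker's config or a Cisco document): the first block is the split-tunnel route the asker ended up with, the second is the "tunnel everything and hairpin it back out" route Max and Jan were debating. Subnets and the AnyConnect-Pool-10 name are taken from the diff above; the group policy name, the ACL names and the `global (outside) 1 interface` line are assumptions (the `global` line is standard 8.2 syntax but does not appear anywhere in the thread). The two blocks are alternatives, not meant to be applied together.

```cisco
! ---- Common to both approaches: exempt LAN <-> VPN pool traffic from NAT ----
! Without this, replies from inside hosts to VPN clients get translated by the
! dynamic inside NAT rule and the local network becomes unreachable.
access-list inside_nat0_outbound extended permit ip 172.22.0.0 255.255.252.0 AnyConnect-Pool-10 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! ---- Approach A: split tunneling (only the LAN goes through the VPN) ----
! A standard ACL lists the networks the client should send into the tunnel;
! everything else leaves the client directly. 'DfltGrpPolicy' is assumed.
access-list splittunnel standard permit 172.22.0.0 255.255.252.0
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel

! ---- Approach B: tunnel all, hairpin Internet traffic back out 'outside' ----
! 1. allow traffic to enter and leave the same interface
same-security-traffic permit intra-interface
! 2. PAT the VPN pool behind the outside interface address
!    (the global line is assumed; it is required for nat id 1 to do anything)
global (outside) 1 interface
nat (outside) 1 AnyConnect-Pool-10 255.255.255.0
! 3. make the client send everything through the tunnel
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelall
```

Approach A keeps Internet traffic off the ASA entirely, which is why it needs no extra NAT; approach B keeps all client traffic inspectable by the firewall at the cost of the hairpin configuration, which is the part that went wrong in the config diff above when the inside NAT exemption was removed.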