×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

AnyConnect users cannot access internet

Unanswered Question
Mar 16th, 2012
User Badges:

When AnyConnect users try to connect to the internet it will not let them out.  I've included a copy of my config below.  Also, I have a 5505 with base license but the AnyConnect for mobile is disabled.  I got what seems to be a demo license from Cisco for 91 days.  I thought that the base license came with AnyConnect for 2 devices.  Why is the AnyConnect for mobile disabled by default?


ASA Version 8.4(2)

!

hostname ASA5505

domain-name <removed>

enable password <removed>

passwd <removed>

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6



!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

banner motd

banner motd +...................................................-+

banner motd |                                                    |

banner motd |   *** Unauthorized Use or Access Prohibited ***    |

banner motd |                                                    |

banner motd |        For Authorized Official Use Only            |

banner motd | You must have explicit permission to access or     |

banner motd | configure this device. All activities performed    |

banner motd | on this device will be logged, and violations of   |

banner motd | this policy may result in disciplinary action, and |

banner motd | may be reported to law enforcement authorities.    |



banner motd |                                                    |

banner motd |   There is no right to privacy on this device.     |

banner motd |                                                    |

banner motd +...................................................-+

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 68.105.28.12

name-server 68.105.29.12

domain-name ok.cox.net

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network INSIDE-HOSTS

subnet 10.10.10.0 255.255.255.0

object network AnyConnect-INET

subnet 192.168.10.0 255.255.255.0

access-list Internet_IN extended permit icmp any interface outside echo-reply

access-list Internet_IN extended permit icmp any interface outside

pager lines 24

logging enable

logging timestamp



logging buffered informational

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any echo-reply inside

icmp permit any echo-reply outside

icmp permit any outside

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic AnyConnect-INET interface

!

object network INSIDE-HOSTS

nat (inside,outside) dynamic interface

access-group Internet_IN in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.10.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 10.10.10.0 255.255.255.0 inside

ssh timeout 5

console timeout 0



dhcpd auto_config outside

dhcpd update dns both



!

dhcpd address 10.10.10.25-10.10.10.50 inside

dhcpd dns 68.105.28.12 68.105.29.12 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy "Client Group" internal

group-policy "Client Group" attributes

wins-server none

dns-server value <removed>

vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless

split-tunnel-policy tunnelall

default-domain value <removed>

split-dns value <removed>

webvpn

  anyconnect ssl rekey time none

  anyconnect ssl rekey method ssl

anyconnect ask none default anyconnect

username <removed> password <removed> privilege 15

username <removed> attributes

webvpn

  anyconnect ask none default anyconnect

username <removed> password <removed> privilege 15

tunnel-group TunnelGroup1 type remote-access

tunnel-group TunnelGroup1 general-attributes

address-pool vpnpool

default-group-policy "Client Group"

tunnel-group TunnelGroup1 webvpn-attributes

group-alias ssl_group_users enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:943c1846a54a525f95905e6ebe313048

: end

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
ewood2624 Fri, 03/16/2012 - 23:42
User Badges:

I found part of my problem.  There wasn't nat (outside,outside) dynamic interface applyed to the AnyConnect object network.  The other half of my question is still a mystery.  How come the AnyConnect for Mobile is off by default on a base license when it's supposed to come with 2 AnyConnect mobile licenses installed?

Actions

This Discussion