VPN users not able to browse Internet

I'm configuring AnyConnect VPN on an ASA 5505, version 8.2(5). Users CAN authenticate and establish a connection to the router, RDP to internal resources and resolve DNS. Split tunneling is configured (not sure if this is correct).

When a client connects to the "clientless SSL VPN Portal" they are able to browse to the initial page of a website, but can't really browse the site.

Please see config below:

======================================

:
ASA Version 8.2(5) 
!
hostname ASA5505
domain-name ProActiveDebt.Local
enable password xow7Gwuc8Clpqi9y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 72.214.13.96 ExternalGateway description Cox Cable Default Gateway
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 72.214.13.99 255.255.255.240 
!
interface Vlan5
 no nameif
 security-level 50
 ip address 172.168.2.1 255.255.255.0 
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.100
 domain-name ProActiveDebt.Local
object-group service rdp-alt tcp
 port-object eq 4000
object-group service rdp tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in remark allow people to ping our router
access-list outside_access_in extended permit icmp any interface outside 
access-list outside_access_in remark rdp access to server
access-list outside_access_in extended permit tcp any host 72.214.13.101 object-group rdp 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit object-group TCPUDP any any eq www 
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.192 
access-list inside_nat0_outbound extended permit ip host 192.168.1.100 192.168.100.0 255.255.255.192 
access-list LOCAL-ACCESS standard permit 192.168.1.0 255.255.255.0 
access-list Split_Tunnel_List remark Corporate network behind ASA
access-list Split_Tunnel_List standard permit any 
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip local pool VPN_IP_Pool 192.168.100.10-192.168.100.200 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 192.168.1.100 72.214.13.101 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ExternalGateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  http-proxy enable
  url-entry enable
aaa-server ActiveDirectory protocol radius
aaa-server ActiveDirectory (inside) host 192.168.1.100
 timeout 5
 key *****
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_SelfSignedCert
 enrollment self
 subject-name CN=ASA5505
 crl configure
crypto ca certificate chain ASDM_SelfSignedCert
 certificate 7c7a984f
    308201ef 30820158 a0030201 0202047c 7a984f30 0d06092a 864886f7 0d010105 
    0500303c 3110300e 06035504 03130741 53413535 30353128 30260609 2a864886 
    f70d0109 02161941 53413535 30352e50 726f4163 74697665 44656274 2e636f6d 
    301e170d 31323035 30313136 31303539 5a170d32 32303432 39313631 3035395a 
    303c3110 300e0603 55040313 07415341 35353035 31283026 06092a86 4886f70d 
    01090216 19415341 35353035 2e50726f 41637469 76654465 62742e63 6f6d3081 
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b8 98e9e610 
    4200a0b6 dea41780 8b261652 51ffd039 84767735 98908518 fe91477e 337d1ad1 
    18d03266 bf74d3b5 8504a676 b1def432 7e5935a5 5af52930 bc26a28a 2bbdc0c3 
    e2fa1262 ccb3be89 fb998f3b e4d54445 089dcc62 cc770625 484d5248 c0cff746 
    922d1efe 669057ea 96cfb216 c0b5ce9f e142eb09 b45d2168 cf7cc502 03010001 
    300d0609 2a864886 f70d0101 05050003 8181007c eb185d4d 743b245f 5f58f6f6 
    1773a980 abe8516b f8738720 062ce55b f47efa1c fe76d281 dce50c1d 557fe095 
    34e3f361 07c0939a a5f9d822 93b5a6fe d28131a4 c5bd2c54 c5950567 1e05335c 
    a0266110 15c54299 8f3fc64a e31e8f86 bd7a423d 0f5e31c5 74fdb0d6 84993fb9 
    e3a21c3e cf683e33 25ed5ef5 63dfc2e2 853dc7
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.100
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 192.168.1.100 interface inside
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.100
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value ProActiveDebt.Local
group-policy VPN_Group_Policy internal
group-policy VPN_Group_Policy attributes
 dns-server value 192.168.1.100
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value ProActiveDebt.Local
 address-pools value VPN_IP_Pool
 webvpn
  svc keep-installer installed
  svc ask none default webvpn
username bvinciguerra password LXsO1hP.z7Hb/bLF encrypted privilege 15
username fcolson password /XdEajHu4jAj384z encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_IP_Pool
tunnel-group AnyConnect-VPN type remote-access
tunnel-group AnyConnect-VPN general-attributes
 address-pool VPN_IP_Pool
 authentication-server-group ActiveDirectory
 default-group-policy VPN_Group_Policy
 dhcp-server 192.168.1.100
tunnel-group ProactiveVPN type remote-access
tunnel-group ProactiveVPN general-attributes
 address-pool VPN_IP_Pool
 authentication-server-group ActiveDirectory LOCAL
 default-group-policy VPN_Group_Policy
 dhcp-server 192.168.1.100
tunnel-group ProactiveVPN ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:30a952bee2566621fd2dcddd1afe5856
: end
asdm location ExternalGateway 255.255.255.255 inside
asdm location 72.214.13.101 255.255.255.255 inside
no asdm history enable
2 REPLIES

Re: VPN users not able to browse Internet

If you monitor a specific user connection, you can look at the ACL applied to their connection. Without looking any further, does the website have links to more than one IP address? Also, you can look at the route table on the connecting PC to see what traffic is being tunneled. One best practice is to not allow split tunneling.

Thanks

Alex



Re: VPN users not able to browse Internet

Our remote VPN clients need to access a website that requires our public IP (gateway address) for access. Split tunneling will show all remote traffic as the gateway address.

Yes, the site has links to several IP Addresses

VPN Details

Non-secure routes = none

Secure Routes = 0.0.0.0

I will monitor the user connection and find the ACL that is blocking this action.

Thanks,

Brian Vinciguerra |VP of Technology

Audax, Inc.

Office (760) 727-4562

Cell (619) 894-0284

Fax (760) 727-4566

www.audaxcomm.net


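The following is an added example, not part of the original thread and not Cisco's own text, showing the pieces the posted 8.2(5) configuration is missing for Internet access over a tunnel-all AnyConnect session. It reuses the poster's pool and ACL names. A Split_Tunnel_List of "standard permit any" under a tunnelspecified policy is a tunnel-all policy in effect (the second reply confirms "Secure Routes = 0.0.0.0"), so every client packet bound for the Internet arrives decrypted on the outside interface and must be allowed to leave outside again and be PAT'd to the interface address. The posted config has "global (outside) 1 interface" but no "nat (outside)" entry for the VPN pool and no "same-security-traffic permit intra-interface", so hairpinned traffic is dropped. It also limits the nat0 exemption to 192.168.100.0 255.255.255.192 (addresses .0 to .63) while the pool runs from .10 to .200, so return traffic from inside to a client above .63 gets translated. The show commands at the end are the checks to run with a user connected; the username and the NAT behaviour they describe are the only assumptions.

```cisco
! Added example for ASA 8.2(5) (pre-8.3 NAT syntax), not from the original post.
! Pool, ACL and group-policy names are the ones in the posted configuration.

! 1. State the policy explicitly. "permit any" in a tunnelspecified list already
!    tunnels everything; tunnelall makes that intent visible in the config.
group-policy VPN_Group_Policy attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list none

! 2. Allow decrypted VPN traffic to leave the interface it arrived on (outside).
same-security-traffic permit intra-interface

! 3. PAT the VPN pool to the outside interface address on the way back out.
!    "global (outside) 1 interface" is already present in the posted config.
nat (outside) 1 192.168.100.0 255.255.255.0

! 4. Widen the NAT exemption from inside to the whole pool. The posted entry
!    covers only 192.168.100.0-63; the pool hands out .10-.200.
no access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

! NAT changes do not affect existing translations; clear them so the new rules apply.
clear xlate

! Verification with a user connected (username is illustrative):
!   show vpn-sessiondb detail svc filter name bvinciguerra
!     -> shows the assigned pool address and the group policy in effect
!   show conn address 192.168.100.10
!     -> connections from the client to Internet hosts should appear here
!   show xlate | include 192.168.100
!     -> PAT entries mapping pool addresses to the outside interface address
```

With tunnel-all in place the site that checks the office public IP will see every client as 72.214.13.99, which is what the second reply is asking for. The clientless portal symptom in the original post (first page loads, links fail) is a separate issue with content rewriting in the portal and is not addressed by these NAT changes.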