We are trying to ensure that our remote access laptops cannot connect to network resources if they are on an Untrusted Network. They should only be allowed to connect to the ASA VPN.
We have all the authentication and group policies working, and can see that the policies are being sent by the ASA.
We have the following selected in the policy:
Automatic VPN Policy - Selected
Trusted Network Policy: Disconnect
Untrusted Network Policy: Connect
Trusted DNS Domains: aaaaa.local,bbbbb.local
Trusted DNS Servers: <dns1>,<dns2>,<dns3>,<dns4>,<dns5>
Always On - Selected
Allow VPN Disconnect: Selected
Connect Failure Policy: Closed
Allow Captive Portal Remediation: Unselected
Apply Last VPN Local Resource Rules: Unselected
I do have a server in the server list.
At the moment when I connect to the Internet (Untrusted) the policy appears to work fine, in that it won't allow me to connect to any local resource, i.e. a web URL, or ping the gateway. The only thing I can do is connect to the VPN.
When however I connect it to our LAN (Trusted) the policy doesn't appear to detect that it is on a trusted network and won't allow me to connect to local resources.
The message history:
Ready to connect.
Connection attempt has failed
Unable to contact <fqdn>
Connection attempt has timed out. Please verify Internet connectivity
It may be necessary to connect via a proxy, which is not supported with Always On.
I assume the AnyConnect client should display a message if it has detected that it is on a Trusted network?
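A way to reason about the Trusted/Untrusted decision this post describes, as an added example (not Cisco's code and not the poster's): it models the Trusted Network Detection check as "the active adapter's DNS suffix matches a trusted DNS domain and at least one of its DNS servers is in the trusted DNS server list", which is an assumption about how the client evaluates the policy rather than something the post confirms; the server addresses are constructed stand-ins for the <dns1>..<dns5> placeholders, and `Interface` is a hypothetical type holding what the adapter reports.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# TND settings as listed in the policy above; the server addresses are
# constructed stand-ins for the <dns1>..<dns5> placeholders.
TRUSTED_DNS_DOMAINS = "aaaaa.local,bbbbb.local"
TRUSTED_DNS_SERVERS = "10.0.0.53,10.0.0.54,10.1.0.53,10.1.0.54,10.2.0.53"

@dataclass
class Interface:
    """What the client sees on the active adapter (constructed sample data)."""
    name: str
    dns_suffix: str                 # connection-specific DNS suffix
    dns_servers: list[str] = field(default_factory=list)

def parse_csv(value: str) -> list[str]:
    """Split the comma-separated policy string into normalised entries."""
    return [v.strip().lower().rstrip(".") for v in value.split(",") if v.strip()]

def domain_matches(suffix: str, trusted_domains: list[str]) -> bool:
    # Exact match or a sub-domain of a trusted domain (assumed matching rule)
    s = suffix.strip().lower().rstrip(".")
    return bool(s) and any(s == d or s.endswith("." + d) for d in trusted_domains)

def server_matches(servers: list[str], trusted_servers: list[str]) -> bool:
    trusted = {ip_address(t) for t in trusted_servers}
    for s in servers:
        try:
            if ip_address(s) in trusted:
                return True
        except ValueError:          # malformed address reported by the adapter
            continue
    return False

def evaluate_tnd(iface: Interface, domains_csv: str = TRUSTED_DNS_DOMAINS,
                 servers_csv: str = TRUSTED_DNS_SERVERS):
    """Return (trusted, policy_action, reasons). Assumption: when both lists are
    configured, the adapter must match a trusted domain AND a trusted server."""
    domains, servers = parse_csv(domains_csv), parse_csv(servers_csv)
    reasons = []
    if domains and not domain_matches(iface.dns_suffix, domains):
        reasons.append(f"{iface.name}: DNS suffix {iface.dns_suffix!r} is not a trusted domain")
    if servers and not server_matches(iface.dns_servers, servers):
        reasons.append(f"{iface.name}: none of {iface.dns_servers} is a trusted DNS server")
    trusted = not reasons
    # Trusted Network Policy: Disconnect / Untrusted Network Policy: Connect
    return trusted, "Disconnect" if trusted else "Connect", reasons
```

Fed the LAN adapter's actual DNS suffix and DNS server list, the returned reasons show which of the two criteria the adapter fails, which is the first thing to check when a client on the LAN is still treated as untrusted.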