Issues with basic VPN setup and split tunneling

Oscar Bonilla
Level 1

I have created an SSL VPN to a Cisco ASA 8.6 running ASDM 6.6.
I'm able to connect to the VPN and reach all the devices on the LAN, but I'm not able to browse the web. When I enable the split tunnel I'm able to browse the web, but then I'm not able to reach any internal device.
Here is part of the show run:

object network RedInterna
 subnet 150.211.101.0 255.255.255.0
 description Red Interna
object network NETWORK_OBJ_10.4.1.0_28
 subnet 10.4.1.0 255.255.255.240
access-list inside_access_in extended permit ip object RedInterna any
access-list VPN_INTERNET standard permit 150.211.101.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPN_POOL 10.4.1.1-10.4.1.14 mask 255.255.255.240
failover
failover lan unit secondary
failover lan interface fail-1 GigabitEthernet0/2
failover key *****
failover interface ip fail-1 10.3.1.21 255.255.255.252 standby 10.3.1.22
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.4.1.0_28 NETWORK_OBJ_10.4.1.0_28 no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 187.217.68.145 1
route inside 10.0.0.0 255.0.0.0 10.1.1.78 1
route inside 150.211.0.0 255.255.0.0 10.1.1.78 1

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_VPN_ internal
group-policy GroupPolicy_VPN_ attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 default-domain value dominio.com.mx
tunnel-group VPN_ type remote-access
tunnel-group VPN_ general-attributes
 address-pool VPN_POOL
 default-group-policy GroupPolicy_VPN_
tunnel-group VPN_ webvpn-attributes
 group-alias VPN_ enable
!

I'm not sure if I'm missing some small detail or setup. Any help will be highly appreciated.
Thanks!!!

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

When you are using Full Tunnel VPN (which is the default setting) you will have a couple of things that you need to configure on the ASA.

First, the ASA by default won't allow traffic to enter through an interface and then leave through that same interface. This is what essentially happens when the traffic from the VPN Client comes to the ASA and then heads out to the Internet. In your case the traffic comes through the "outside" and leaves through the "outside" interface.

You will need this command

same-security-traffic permit intra-interface

You can check if it's enabled at the moment with the command

show run same-security-traffic

Second, the VPN users will need to have NAT configuration just like any LAN users behind the actual ASA. So you will essentially have to configure Dynamic PAT for traffic from "outside" to "outside".

You can accomplish that with the following configuration

object network VPN-PAT
 subnet 10.4.1.0 255.255.255.240
 nat (outside,outside) dynamic interface

I would imagine that this should do it for you to be able to connect to the Internet and to the LAN network when the VPN is active.

Hope this helps

Let me know how it goes.

- Jouni


2 Replies

Jouniiiiiiiiii you rock!!!!!!!

I had misconfigured the Dynamic PAT and your advice was exactly what I needed! In fact, I'm connected to the VPN right now while answering you.

I do need some more practice with VPN setups, but I'm glad there are always kind people like you who are willing to help.

Thank you so much man! Really appreciate it

Have a good one!