Providing Internet to users via Cisco AnyConnect VPN (ASA 8.3+)

danbryan80
Level 1

So I found a thread which shows how to allow VPN users to use the Internet via the VPN instead of an insecure split tunnel. This article seems to be written for the pre-8.3 days.

https://supportforums.cisco.com/thread/2016000

The key points seem to be:

  • enable crypto isakmp nat-traversal
  • enable NAT U-turning

I have tried (without success):

  • changing the group policy to tunnel all traffic.
  • object network obj-vpnpool
  • subnet 192.168.0.224 255.255.255.248
  • nat (outside,outside) dynamic interface

After implementing it, I am not able to reach any resource inside my network, or outside my network.

--------------------------------

Current Config Follows:

Currently:

  • I can access my internal network via the VPN, as well as the Internet via split-tunnel, using Cisco AnyConnect

I would like help to change this to allow me to:

  • access both my internal network and the Internet via the Cisco AnyConnect VPN (primary goal)
  • clean up any VPN config settings unrelated to Cisco AnyConnect (secondary goal)
  • clean up anything else that looks sloppy (tertiary goal)

ASA Version 8.4(2)
!
hostname DANS-FW
domain-name coffee.local
enable password blah encrypted
passwd blah encrypted
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description \\LAN Connection to Switch\\
 nameif inside
 security-level 100
 ip address ASA_INSIDE 255.255.255.0
 ipv6 address autoconfig
 ipv6 enable
!
interface Vlan2
 description //OUT TO FIOS///
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name coffee.local
same-security-traffic permit intra-interface
object network INSIDE_LAN
 subnet 192.168.0.0 255.255.255.0
object network CAFFEINE-ICECAST
 host 192.168.0.11
object network CAFFEINE-MPD
 host 192.168.0.11
object network CAFFEINE-MPDroid-Stream
 host 192.168.0.11
object network CAFFEINE-TWONKY
 host 192.168.0.11
object network obj-192.168.0.2
 host 192.168.0.2
object network CAFFEINE-SSH
 host 192.168.0.11
object network ASA_INSIDE
 host 192.168.0.1
object network CAFFEINE-RTORRENT
 host 192.168.0.11
object network ASA-ASDM_SSLVPN
 host 192.168.0.1
object network HE_Tunnel_Broker
 host 216.66.22.2
 description HE IP
object network 6shots
 host 192.168.0.66
object network AnyConnect_VPN_USERS
 description Anyconnet VPN Range
object network ANYCONNECT_VPN_USERS
object network ANYCONNECT_VPN_POOL
object network ANYCONNECT_VPN
 subnet 192.168.0.200 255.255.255.248
object network APACHE-SSL
 host 192.168.0.11
object network NETWORK_OBJ_192.168.0.200_29
 subnet 192.168.0.200 255.255.255.248
object network MSF
 host 192.168.0.11
object network CAFFEINE-NESSUS
 host 192.168.0.11
object network EXCHANGE_SMTP(SSL)
 host 192.168.0.4
object network Dans-Desktop
 host 192.168.0.10
object network EXCHANGE_OWA
 host 192.168.0.4
object network EXCHANGE_ACTIVESYNC
 host 192.168.0.4
object network ASDM
 host 192.168.0.1
object network EXCHANGE_IMAP
 host 192.168.0.4
object network EXCHANGE_SMTP
 host 192.168.0.4
object network ESX_5_SERVER
 host 192.168.0.5
 description ESX5 Server
object network MEDIA_2K8
 host 192.168.0.6
 description MEDIA SERVER
object network RRAS
 host 192.168.0.4
object-group network obj-192.168.0.0
object-group protocol IPv6inIPv4
 protocol-object 41
object-group service Icecast tcp
 port-object eq 8000
object-group service rtorrent-webUI tcp
 port-object eq 8011
object-group service metasploit_range tcp
 port-object range 4444 4454
object-group service L2TP_over_IPSec udp
 port-object eq 1701
 port-object eq 4500
 port-object eq isakmp
access-list outside_access_in extended permit tcp any object CAFFEINE-RTORRENT object-group rtorrent-webUI
access-list outside_access_in extended permit tcp any object CAFFEINE-SSH eq ssh
access-list outside_access_in extended permit tcp any object CAFFEINE-ICECAST object-group Icecast
access-list outside_access_in extended permit tcp any object ASDM eq 8080
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list split-tunnel standard permit host 192.168.0.200
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
access-list PERMIT_IPV6 extended permit ip 192.168.0.0 255.255.255.0 object ANYCONNECT_VPN
access-list outside_access_in_1 extended permit ip any any
access-list outside_access_in_1 extended permit 41 any any
access-list inside_access_in_1 extended permit 41 any any
access-list inside_access_in_1 extended permit ip any any
access-list global_access extended permit icmp any any echo
access-list global_access extended permit icmp any any echo-reply
access-list global_access extended deny ip object ESX_5_SERVER any
access-list global_access extended permit ip 192.168.0.0 255.255.255.0 any
access-list global_access extended permit tcp any object MSF object-group metasploit_range
access-list global_access extended permit tcp any object MEDIA_2K8 eq 64620
access-list global_access extended permit tcp any object EXCHANGE_ACTIVESYNC eq www
access-list global_access extended permit tcp any object EXCHANGE_OWA eq https
access-list global_access extended permit tcp any object EXCHANGE_SMTP(SSL) eq 587
access-list global_access extended permit tcp any object CAFFEINE-RTORRENT object-group rtorrent-webUI
access-list global_access extended permit tcp any object CAFFEINE-SSH eq ssh
access-list global_access extended permit tcp any object APACHE-SSL eq 8443
access-list global_access extended permit tcp any object ASA-ASDM_SSLVPN eq www
access-list global_access extended permit tcp any object CAFFEINE-NESSUS eq 8834
access-list global_access extended permit tcp any object EXCHANGE_IMAP eq 993
access-list global_access extended permit tcp any object EXCHANGE_SMTP eq smtp
access-list global_access extended permit tcp any object RRAS eq pptp
access-list global_access extended permit udp any object RRAS object-group L2TP_over_IPSec
access-list global_access extended permit gre any object RRAS
pager lines 24
logging enable
logging console debugging
logging buffered debugging
logging asdm informational
logging from-address asa@coffee.no-ip.info
mtu inside 1500
mtu outside 1500
ip local pool VPN 192.168.0.200-192.168.0.205 mask 255.255.255.0
ipv6 access-list outside_access_ipv6_in permit icmp6 interface outside interface inside echo
ipv6 access-list outside_access_ipv6_in permit icmp6 interface outside interface inside echo-reply
ipv6 access-list global_access_ipv6 permit tcp any any eq ssh inactive
ipv6 access-list global_access_ipv6 permit tcp any any eq https inactive
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static ANYCONNECT_VPN ANYCONNECT_VPN
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.200_29 NETWORK_OBJ_192.168.0.200_29
!
object network INSIDE_LAN
 nat (inside,outside) dynamic interface
object network CAFFEINE-SSH
 nat (inside,outside) static interface service tcp ssh ssh
object network CAFFEINE-RTORRENT
 nat (inside,outside) static interface service tcp 8011 8011
object network APACHE-SSL
 nat (inside,outside) static interface service tcp 8443 8443
object network MSF
 nat (inside,outside) static interface service tcp 4444 4444
object network CAFFEINE-NESSUS
 nat (inside,outside) static interface service tcp 8834 8834
object network EXCHANGE_SMTP(SSL)
 nat (inside,outside) static interface service tcp 587 587
object network EXCHANGE_OWA
 nat (inside,outside) static interface service tcp https https
object network EXCHANGE_ACTIVESYNC
 nat (inside,outside) static interface service tcp www www
object network EXCHANGE_IMAP
 nat (inside,outside) static interface service tcp 993 993
object network EXCHANGE_SMTP
 nat (inside,outside) static interface service tcp smtp smtp
object network MEDIA_2K8
 nat (inside,outside) static interface service tcp 64620 64620
object network RRAS
 nat (inside,outside) static interface service tcp pptp pptp
access-group PERMIT_IPV6 in interface outside
access-group outside_access_ipv6_in in interface outside
access-group global_access global
access-group global_access_ipv6 global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 8080
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn DANS-FW
 subject-name CN=DANS-FW
 keypair sslvpnkey
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 184b464e
    308201cb 30820134 a0030201 02020418 4b464e30 0d06092a 864886f7 0d010104
    0500302a 3110300e 06035504 03130744 414e532d 46573116 30140609 2a864886
    f70d0109 02160744 414e532d 4657301e 170d3131 30383133 30393539 35325a17
    0d323130 38313030 39353935 325a302a 3110300e 06035504 03130744 414e532d
    46573116 30140609 2a864886 f70d0109 02160744 414e532d 46573081 9f300d06
    092a8648 86f70d01 01010500 03818d00 30818902 818100ae 53e7e59e add0bfc1
    10013a1f 9d15be8e 3f5c63dd fa0c4ff7 87b19e5d 2180d901 9a637859 9d275561
    c0f0a362 a6347ae8 593d3d40 1be35bd7 95534670 f25ed53f ee877752 28074c86
    fa5457dd f0db3518 fdfa0155 28422e37 1d4d8d6b 496f8b78 f3bc97d7 5a7e87b5
    73627862 57e6b22c 5fdf437f f388eeee 1aca4991 b2d7a702 03010001 300d0609
    2a864886 f70d0101 04050003 81810096 baa4e96e ba0991bb 65550537 777cf341
    74f7b17b 4a446fc0 11e0c9a7 b235b2a2 ad6749fa d43a2329 4cecd850 6d3000e5
    d41c5e0f a2a12efe b77d373e 51ed8c76 6d0fb7da 0b72d714 1b6692ee 7f3dcfb7
    43f70596 af7e1139 7f8725a0 18a64a69 a49122fa 6fc85c0e 3a3fb658 7146aa09
    93b731ea 047ab713 74de300f c68599
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 0

dhcpd auto_config outside
!
dhcpd dns 129.250.35.250 129.250.35.251 interface inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 port 8080
 enable outside
 anyconnect image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1
 anyconnect profiles coffee_anyconnect_client_profile disk0:/coffee_anyconnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_coffee_anyconnect internal
group-policy GroupPolicy_coffee_anyconnect attributes
 wins-server none
 dns-server value 192.168.0.25 4.2.2.2
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value securesub
 webvpn
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect profiles value coffee_anyconnect_client_profile type user
group-policy coffee_clientless internal
group-policy coffee_clientless attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value dans
  anyconnect ask none default anyconnect
username dano password blah encrypted privilege 15
tunnel-group coffee_anyconnect type remote-access
tunnel-group coffee_anyconnect general-attributes
 address-pool VPN
 default-group-policy GroupPolicy_coffee_anyconnect
tunnel-group coffee_anyconnect webvpn-attributes
 group-alias coffee_anyconnect disable
 group-alias securesub enable
tunnel-group coffee_clientless type remote-access
tunnel-group coffee_clientless general-attributes
 default-group-policy coffee_clientless
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map FTPPOLICY
 class inspection_default
  inspect ftp
policy-map global-policy
 class global-class
  inspect esmtp
  inspect pptp
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:72515fc971787d2e0a9ddc7356843515
8 Replies

Jouni Forss
VIP Alumni

Hi,

So your current situation is that you are using AnyConnect with split-tunneling? So you can access the LAN through the VPN and the Internet through the user's local Internet connection?

I wonder if the problem with full-tunnel + Internet traffic is due to a problem with NATing the traffic from the VPN client pool to the "outside" interface IP?

I think that NAT could be done by the following configuration:

object network VPN-POOL
 subnet 192.168.0.200 255.255.255.248
nat (outside,outside) after-auto source dynamic VPN-POOL interface

EDIT: The "after-auto" should put the rule at the bottom of the NAT rules, but I'm still thinking whether it would interfere with the configuration even if it didn't have the parameter.

I've only done this in software 8.2 and below, where it was

global (outside) 1 x.x.x.x

nat (inside) 1 10.10.10.0 255.255.255.0

nat (outside) 1 192.168.0.200 255.255.255.248

But as I said, I haven't done this with the new software. I can probably test this tomorrow at work though.

- Jouni

EDIT2:

I'm not 100% sure but is the following NAT statement even needed at the current configuration?

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.200_29 NETWORK_OBJ_192.168.0.200_29

EDIT3:

I also usually use a totally different network for the VPN-pool. Your current LAN seems to be 192.168.0.0/24 and the VPN pool is 192.168.0.200/29. Maybe the top NAT statements are causing problems with the VPN Client Internet traffic.

What I would try to do is change the VPN Client pool to some different network, do the NAT0 between LAN and POOL like you have in the current configuration (just with new VPN Pool) and use the PAT configuration mentioned earlier. Leave out the NAT statement in the "EDIT2" in this post.

Sorry, this is a lot of guessing on my part before I get to test it myself with a lab ASA.

I would like to try your suggestion. I was curious why you chose "subnet 192.168.0.200 255.255.255.248"; my VPN pool is:

ip local pool VPN 192.168.0.200-192.168.0.205 mask 255.255.255.0

Maybe I should change my VPN pool to a unique subnet. I wouldn't mind having all VPNs be 192.168.200.0/24; I'm just not sure how to route that properly. Also, will I need to go back into the group policy settings and tell it to tunnel all traffic instead of the traffic identified by the split-tunnel ACL?


access-list split-tunnel standard permit host 192.168.0.200
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel

Hi,

Edited my original post as I was thinking about the situation.

Still a lot of guessing on my part before I can confirm it on a lab setup, which I might do tomorrow even.

I would be very grateful if you decided to load it up in your lab.

I've had a lot of people help me with my ASA over the years. I am sure I have some residual commands in there which I no longer need. I'm just not sure which ones they are. I don't think I need that line you mentioned. Looks a bit like the VPN wizard syntax.

I have an ASA at home also but don't have any VPN configurations on it. Could maybe do that from work tomorrow and test it from the work computer.

I tried a couple of NAT configurations and it seemed the following NAT statement overran the VPN client pool Internet PAT configuration:

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.200_29 NETWORK_OBJ_192.168.0.200_29

I guess the source fields "any any" cause the problem. I think it forwards all the VPN clients' connections to your inside interface because of the "(inside,outside)" and "any any" in the statement.

Even though I have used the new software for 6-12 months, I still haven't really gotten used to the new NAT.

Still want to test this with an actual VPN Client connection.

- Jouni
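To make the ordering argument in Jouni's post concrete, here is an added example: a small Python model of ASA 8.3+ NAT lookup that I wrote for this thread. It is not Cisco code and not something either poster ran. It models only the three NAT sections (manual, object, manual after-auto), first-match order across sections, and the fact that a static twice-NAT rule is also matched for new connections arriving on its mapped side while a dynamic rule is matched only from its real side. The rule objects reproduce the thread's four relevant rules; the outside interface address 203.0.113.10 and the Internet host 198.51.100.1 are constructed values, and NatRule, lookup and IF_IP are names of the model, not ASA commands.

```python
"""Toy model of ASA 8.3+ NAT rule evaluation (added example, not Cisco code).

Modelled: sections 1 (manual twice NAT), 2 (object NAT), 3 (after-auto);
first match wins; static rules are consulted in both directions, dynamic
rules only from their real side; the matching rule decides the egress
interface.  Real ASA NAT has more ordering detail inside section 2 and more
translation types, none of which matter for the flows in this thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed: the outside address is assigned by DHCP in the thread.
IF_IP = {"outside": "203.0.113.10"}
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int              # 1 manual, 2 object, 3 manual after-auto
    real_if: str              # "(real_if,mapped_if)" as written in the command
    mapped_if: str
    real_src: IPv4Network
    real_dst: IPv4Network
    pat_to_interface: bool    # True: "dynamic ... interface"; False: identity
    static: bool              # static rules are matched in both directions


def _egress_for(rule: NatRule, ingress: str, src: IPv4Address, dst: IPv4Address) -> Optional[str]:
    """Return the egress interface if this flow matches the rule, else None."""
    # Forward direction: the packet enters on the real-side interface.
    if ingress == rule.real_if and src in rule.real_src and dst in rule.real_dst:
        return rule.mapped_if
    # Reverse direction: a new connection entering on the mapped side is only
    # matched by static (identity, in this model) twice-NAT rules.
    if (rule.static and ingress == rule.mapped_if
            and src in rule.real_dst and dst in rule.real_src):
        return rule.real_if
    return None


def lookup(rules: List[NatRule], ingress: str, src: str, dst: str) -> Optional[Tuple[str, str, str]]:
    """First-match NAT lookup: (rule name, egress interface, translated source).

    Sections are evaluated 1, then 2, then 3; inside a section, list order.
    The egress interface comes from the matching rule, which is why a manual
    rule with an over-broad "any" can steer traffic to the wrong interface.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.section):
        egress = _egress_for(rule, ingress, s, d)
        if egress is None:
            continue
        translated = src
        if egress == rule.mapped_if and rule.pat_to_interface:
            translated = IF_IP[egress]
        return rule.name, egress, translated
    return None


INSIDE_LAN = ip_network("192.168.0.0/24")    # object INSIDE_LAN
VPN_POOL = ip_network("192.168.0.200/29")    # NETWORK_OBJ_192.168.0.200_29 / VPN-POOL

NAT0 = NatRule("nat 1: LAN<->pool identity", 1, "inside", "outside", INSIDE_LAN, VPN_POOL, False, True)
ANY_ANY = NatRule("nat 2: any any -> pool identity", 1, "inside", "outside", ANY, VPN_POOL, False, True)
LAN_PAT = NatRule("object INSIDE_LAN dynamic interface", 2, "inside", "outside", INSIDE_LAN, ANY, True, False)
VPN_PAT = NatRule("after-auto VPN-POOL dynamic interface", 3, "outside", "outside", VPN_POOL, ANY, True, False)

BROKEN_RULES = [NAT0, ANY_ANY, LAN_PAT, VPN_PAT]   # before "no nat 2"
FIXED_RULES = [NAT0, LAN_PAT, VPN_PAT]             # after "no nat 2"

if __name__ == "__main__":
    client, lan_host, internet = "192.168.0.201", "192.168.0.11", "198.51.100.1"
    print("VPN->Internet before:", lookup(BROKEN_RULES, "outside", client, internet))
    print("VPN->Internet after: ", lookup(FIXED_RULES, "outside", client, internet))
    print("VPN->LAN after:      ", lookup(FIXED_RULES, "outside", client, lan_host))
    print("LAN->Internet after: ", lookup(FIXED_RULES, "inside", "192.168.0.10", internet))
```

With the "any any" rule present, a VPN client's Internet-bound packet (entering on outside, source in the pool) matches that rule in its reverse direction in section 1, so the model sends it out the inside interface untranslated, which is the symptom described. Remove the rule and the same packet falls through to the section 3 after-auto PAT rule, egresses on outside with the interface address, while VPN-to-LAN traffic still hits the identity rule and LAN-to-Internet traffic still hits the object PAT. The hairpin out of the same interface additionally relies on "same-security-traffic permit intra-interface", which is already in the posted config.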

Thanks! It's a success.

Adding the following commands to the config above made it tunnel all Internet traffic through the VPN:

object network VPN-POOL
 subnet 192.168.0.200 255.255.255.248
nat (outside,outside) after-auto source dynamic VPN-POOL interface

group-policy GroupPolicy_coffee_anyconnect attributes
 no split-tunnel-network-list

no nat 2

I would still like your help with my other goals if you're willing. If I wanted to switch my VPN over to its own subnet, all I would have to do is something like:

Create a new pool:

ip local pool SECURESUB_VPN_USERS 192.168.200.2-192.168.200.254 mask 255.255.255.0

Modify the tunnel attributes:

tunnel-group coffee_anyconnect general-attributes

address-pool  SECURESUB_VPN_USERS

And set up routing somehow:

route inside 192.168.200.0 255.255.255.255 192.168.200.1 1

????? command to create a 192.168.200.1 interface on vlan1?

Hi,

Usually when you configure either an L2L VPN with remote sites/networks or a VPN client with a remote pool, the VPN creates a route in your ASA's routing table. So when there's a VPN connected, the ASA can already see the new pool in its routing table.

If for some reason it doesn't show even when a VPN client is connected, you can use a command to insert the route into your routing table.

Command format is something along the lines:

"crypto map set reverse-route"

This will inject a route to your routing table according to your VPN configurations.

When you have a client connection, check the ASA's routing table with "show route" and you should see your VPN pool pointing towards the outside interface.

If you have a router on the LAN, just make sure it has a return route to the VPN pool network. But I assume you already have a default route pointing towards the ASA inside interface, so that should be taken care of already.

Please rate if any of this has been helpful.

It's past 1 at night here so I'm gonna go sleep now. I'll look into this tomorrow at work or after work at home (if there's need).

- Jouni