cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3162
Views
0
Helpful
6
Replies

Anyconnect - Can't access internal resources

Terry
Level 1
Level 1

Hi

I've configured SSL VPN access to my ASA 5510 (using the anyconnect client). I can establish the tunnel to ASA without any problems, but can't access any devices on the internal network. I've check all the normal issues like no nat and split tunnel ACL's, but they all look good to me.

Please find the config attached, I would be most grateful if someone could point me in the right direction.

Kind Regards

Terry

6 Replies 6

Jennifer Halim
Cisco Employee
Cisco Employee

The split tunnel ACL should be standard ACL instead of extended ACL.

The split tunnel behaviour changes since ASA version 7.x onwards.

It should be as follows:

access-list SSL_Anyconnect_Split standard permit 192.168.1.0 255.255.255.0

If you were testing with ping, you might also want to add the following:

policy-map global_policy

class inspection_default

     inspect icmp

Everything else looks good. Hope that helps.

Hi, thanks for your response, but unfortunately I'm still seeing the same issue.

One thing to mention is that when the end client is connected and I issue the ipconfig /all command, I don't see a default gateway listed for the anyconnect client - does this sound right?

Regards

Terry

Can you please enable the following:

management-access inside

And see if you can ping the ASA inside interface (192.168.1.254).

Please also share the output of "show vpn-sessiondb svc"

Yes, I could ping the inside IP (192.168.1.254) after adding the 'management-access inside' command.

Please find the 'show vpn-sessiondb svc' output attached.

Regards

Terry

Just rechecking the ASA configuration, you don't seem to have default route configured, or you have removed it from the config?

Further to that, what ip address are you trying to access? and how are you testing the connectivity? ping? RDP? telnet? or others?

If you are trying to ping an internal host, is the internal host default gateway the ASA inside interface?

Lastly, check if disabling the firewall on the host as sometimes it won't accept inbound connection from different subnets.

Hi

I was running this in a lab environment using an asa and vmware server, it turned out that the problem was with the vm seup rather than the asa.

Thanks for all your help on this, you helped point me in the right direction.

Kind Regards

Terry

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: