How to make Anyconnect VPN client talk to inside network throup ASA 5505?

janetl · ‎07-23-2010

Hi,

Anyconnect VPN established OK, client got an IP 192.168.25.1, but can not ping from ASA to this IP, from client cna not ping inside IP 10.199.13.1, I am new to ASA and anyconnect, could you please tell me how to make this working?

The floowing is my configuration:

ASA Version 8.0(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.199.13.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.199.14.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool SSLclientpool 192.168.25.1-192.168.25.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
enable inside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLclientpolicy internal
group-policy SSLclientpolicy attributes
vpn-tunnel-protocol svc
address-pools value SSLclientpool
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group SSLclientprofile type remote-access
tunnel-group SSLclientprofile general-attributes
default-group-policy SSLclientpolicy
tunnel-group SSLclientprofile webvpn-attributes
group-alias SSLVPNclient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:68a7ada4e5995481ec03ee76301cc1da
: end

Thank you!

JORGE RODRIGUEZ · ‎07-23-2010

You are missing nat exempt rules , add bellow rules and have the client try again to access inside resources.

access-list nonat extended permit ip 10.199.13.0 255.255.255.0 192.168.25.0 255.255.255.0
nat (inside) 0 access-list nonat

Regards

Jorge Rodriguez

janetl · ‎07-26-2010

Thank you for the reply.

You are right, if I enable nat-control, I need the commands you recommand.

I think my problem is not a problem. The VPN client can ping the host connect to the inside network on ASA, but can not ping the inside network interface on ASA itself and from ASA can not ping VPN client IP. I think this is ASA feature, am I right?

Janet

Diego Armando Cambronero Arias · ‎07-27-2010

Did you add the IP address of the client (s) int the icmp command?

ICMP permit x.x.x.x [interface]