ASA VPN Access to Internal Network

Answered Question
May 19th, 2011

We have ASA5510s and I've configured an SSL VPN using AnyConnect. The VPN address pool is and our internal network is 10.10.20.0/24. After successful login, using LDAP, the client receives an address from the pool, but cannot access anything on the internal network. I've toyed with access lists and NAT exemption, but to no avail. What do I need to do?

Yudong Wu Thu, 05/19/2011 - 12:55

Can you post your configuration?

In general, it is caused by mis-config on NAT or routing.

pootboy69 Thu, 05/19/2011 - 13:01

I'd rather not as this is quite a large configuration and I don't have time to change the public IP addresses. You have the networks listed above and can use "inside" and "outside" for the interfaces. Can you just give me the "short answer", such as: the access rule should be xxx, the NAT exemption should be yyy, and the routing should be zzz. I'd really appreciate that as it would expand my understanding of this product. Thanx!

Yudong Wu Thu, 05/19/2011 - 13:09

For NAT bypass, it should look like the following:

access-list nonat permit ip

nat (inside) 0 access-list nonat

You don't need to permit this VPN traffic on the outside interface since VPN traffic bypasses the interface ACL check automatically.

When the VPN client is connected to the ASA, a static route should be added automatically in the routing table. But you need to make sure the internal host forwards the traffic to the VPN client 10.10.10.x to the ASA.

pootboy69 Thu, 05/19/2011 - 13:53

OK, I understand (and have implemented) the access-list and the nat statements. By "But you need make sure the internal host should forward the traffic to vpn client 10.10.10.x to the ASA", I'm assuming that you mean that the default gateway for internal hosts should be the IP of the inside interface - and it is. I still can't get the VPN client to connect to an internal host, however. Any suggestions? Thanx!

Yudong Wu Thu, 05/19/2011 - 14:03

OK, do a packet capture on the inside interface:

access-list capin permit ip host 10.10.10.x host 10.10.20.x

access-list capin permit ip host 10.10.20.x host 10.10.10.x

capture in access-list capin interface inside

Then initiate the traffic from client to server, and use "show capture capin" to see if you can see the traffic in both directions.

By the way, is there any FW on your server which might block the access from vpn client?
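The check suggested above, "see if you can see the traffic in both directions", is easy to automate over the text of "show capture capin". The script below is an added example, not part of this thread: it assumes the tcpdump-like line format the ASA prints for a capture, and the addresses in the sample are constructed (a 10.10.10.x pool client and 10.10.20.x inside hosts) rather than taken from the original posts.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `show capture <name>` on an ASA.
# Pair 10.10.10.5 <-> 10.10.20.10 is one-way (requests, no replies);
# pair 10.10.10.5 <-> 10.10.20.11 is healthy (request and reply).
CAPTURE = """\
   1: 09:10:47.606490 10.10.10.5 > 10.10.20.10: icmp: echo request
   2: 09:10:53.053982 10.10.10.5 > 10.10.20.10: icmp: echo request
   3: 09:10:58.543154 10.10.10.5 > 10.10.20.10: icmp: echo request
   4: 09:11:04.045407 10.10.10.5 > 10.10.20.11: icmp: echo request
   5: 09:11:04.046407 10.10.20.11 > 10.10.10.5: icmp: echo reply
"""

# seq: timestamp src[.port] > dst[.port]: description
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:\s*(?P<rest>.*)$"
)


def parse_capture(text):
    """Return one (src, dst, description) tuple per packet line."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append((m.group("src"), m.group("dst"), m.group("rest")))
    return packets


def one_way_pairs(packets):
    """Host pairs seen in only one direction on the inside interface.

    A one-way flow here means the server (or its gateway) never sends
    the reply back through the ASA, i.e. a return-route problem rather
    than an ACL or NAT-exemption problem, which is what this thread
    eventually finds."""
    seen = defaultdict(lambda: [0, 0])  # unordered pair -> [a->b, b->a]
    for src, dst, _ in packets:
        key = tuple(sorted((src, dst)))
        seen[key][0 if (src, dst) == key else 1] += 1
    return sorted(p for p, (fwd, rev) in seen.items() if fwd == 0 or rev == 0)


if __name__ == "__main__":
    for a, b in one_way_pairs(parse_capture(CAPTURE)):
        print(f"no return traffic between {a} and {b}")
```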

pootboy69 Fri, 05/20/2011 - 07:15

I set up and looked at the captures and only saw inbound traffic from the client. That will cause the issue, but what do I need to do to allow the VPN address pool access to the internal network? There is no firewall on the client nor on the server.

   1: 09:10:47.606490 > icmp: echo request
   2: 09:10:53.053982 > icmp: echo request
   3: 09:10:58.543154 > icmp: echo request
   4: 09:11:04.045407 > icmp: echo request

As I'm working with a test ASA, using a different IP for the inside interface, I will try to configure a device on the inside network with a default gateway of the test ASA to see if that works. If that works, then I can set up the production ASA the same way as all devices use that inside IP as their default gateway.

pootboy69 Fri, 05/20/2011 - 07:28

Eureka! I set up an internal machine with the default gateway of the test ASA and it worked - that was really dumb of me not to remember that the internal devices do not know the test ASA's IP to use as a default gateway! Thanx for all your help - it rearranged my thinking.

   1: 09:23:07.826876 > icmp: echo request
   2: 09:23:07.827914 > icmp: echo reply
   3: 09:23:08.875687 > icmp: echo request
   4: 09:23:08.876663 > icmp: echo reply
   5: 09:23:09.850419 > icmp: echo request
   6: 09:23:09.851365 > icmp: echo reply
   7: 09:23:10.836626 > icmp: echo request
   8: 09:23:10.837511 > icmp: echo reply

Correct Answer
Yudong Wu Fri, 05/20/2011 - 07:34

Good, glad I can help here.
