Cisco Support Community
New Member

Anyconnect on ASA cannot reach Servers on Lan

I have an ASA 5510. I can successfully create an AnyConnect SSL client VPN tunnel and can successfully ping a server on the Voice VLAN. However, I need to make connections to the voice servers, but they just time out. In the ASA logging, it says "connection denied as there is no syn in the packet".

From looking around the web, people are suggesting this error means an asymmetric route. I don't believe I have this. My setup is:

VPN -> ASA -> Router (192.168.8.0, network doing all the routing) -> VLANs 5 and 6 created on switches.

I have attached my running config; they are not the actual IP addresses but representations.

I am hoping it is something obvious that I have overlooked.

ASA version is 9.1
6 REPLIES
Silver

Can you do me a favor and get me, if possible, logs from the ASA when you try to establish communication? On ASDM you need to enable logging at debugging level and then go to Monitoring > Logging > Real-Time Log Viewer and filter out the AnyConnect address.

You can also set up a capture through the capture wizard; just select the local interface and specify the AnyConnect client address and destination IP.

Value our effort and rate the assistance!
Silver

Please mark your ticket as answered so that it does not show as active.

Value our effort and rate the assistance!
New Member

Upon taking a quick look, it looks like you are missing your twice NAT entries.

ex.

object network 192.168.3.0-24
 subnet 192.168.3.0 255.255.255.0

object network 2.2.2.0-24
 subnet 2.2.2.0 255.255.255.0

nat (voice,outside) source static 192.168.3.0-24 192.168.3.0-24 destination static 2.2.2.0-24 2.2.2.0-24 no-proxy-arp route-lookup

New Member

I had neglected to mention, I am not using NAT. The ASA is for VPNs only.

New Member

OK, am I understanding this correctly: when you connect you can ping the voice servers no problem; however, for example, you cannot create an HTTP or some other service connection to them?

New Member

Hi Kevin,

I have managed to sort it out. It was asymmetric routing; that was the issue. After doing TCP inspect bypass, it has all worked fine.
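
A triage sketch for the debug-level logs requested earlier in the thread, as an added example that is not code from any poster. It assumes the paraphrased "no SYN in the packet" message is syslog %ASA-6-106015; the function name, the sample lines and the placement of the `voice` interface are constructed for illustration. It separates dropped SYN ACK replies, which point at an asymmetric path, from late FIN/RST packets that produce the same message.

```python
import re
from collections import defaultdict

# Constructed sample lines in the %ASA-6-106015 format; the addresses reuse
# the thread's placeholder subnets and are not real captures.
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 192.168.3.10/5060 to 2.2.2.15/51234 flags SYN ACK  on interface voice
%ASA-6-106015: Deny TCP (no connection) from 192.168.3.10/5060 to 2.2.2.15/51234 flags SYN ACK  on interface voice
%ASA-6-106015: Deny TCP (no connection) from 192.168.3.10/5060 to 2.2.2.15/51234 flags SYN ACK  on interface voice
%ASA-6-106015: Deny TCP (no connection) from 192.168.3.20/443 to 2.2.2.15/51300 flags FIN ACK  on interface voice
%ASA-6-106015: Deny TCP (no connection) from 192.168.3.20/443 to 2.2.2.15/51301 flags RST  on interface voice
%ASA-6-302013: Built inbound TCP connection 77 for outside:2.2.2.15/51300 (2.2.2.15/51300) to voice:192.168.3.20/443 (192.168.3.20/443)
"""

DENY_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)


def asymmetric_candidates(log_text, min_hits=2):
    """Return {(server, server_port, client, interface): hits} for flows whose
    SYN ACK was dropped at least min_hits times."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        flags = set(m["flags"].split())
        # A SYN ACK with no connection entry means the ASA never built state
        # for the SYN on this path. Lone FIN/RST/ACK denies are usually late
        # packets for a connection that was already torn down.
        if flags == {"SYN", "ACK"}:
            hits[(m["src"], int(m["sport"]), m["dst"], m["ifc"])] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for (srv, port, client, ifc), n in asymmetric_candidates(SAMPLE_LOG).items():
        print(f"{srv}:{port} -> {client} on {ifc}: {n} SYN ACK replies dropped")
```

Flows it reports are the ones to check against the routing table before any state bypass is applied, so that the bypass can be scoped to exactly those source and destination subnets.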
