New Member

AnyConnect users cannot reach inside network and ASA?

Here is the environment:

Firewall : ASA5510 9.1(2)

ASDM : 7.1

Firewall IP : 192.168.88.1

Office Inside network : 192.168.88.x

AnyConnect VPN : 172.16.89.x

Result #1:

Office user can

- access the Internet

- access to VPN User's computer

- access to ASA firewall

Result #2:

VPN user can

- access the inside network

- access the Internet

- cannot ping/access inside network's computer

- cannot ping/access the ASA firewall

Could anybody help with where I should check?

The ASA configuration is attached.

Thanks in advance

Sam

6 REPLIES
VIP Purple

Re: AnyConnect users cannot reach inside network and ASA?

There is no NAT exemption for your VPN:

nat (inside,outside) source static INSIDE-88 INSIDE-88 destination static VPN-89 VPN-89 no-proxy-arp route-lookup description NAT-Exempt for VPN

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Re: AnyConnect users cannot reach inside network and ASA?

NAT added, but still the same result

VIP Purple

Re: AnyConnect users cannot reach inside network and ASA?

How do you test it?

For ping you should add ICMP inspection:

policy-map global_policy
 class inspection_default
  inspect icmp

And what is the difference between

Result #2:

VPN user can

- access the inside network

- cannot ping/access inside network's computer

And I forgot to mention that the NAT exemption has to be inserted *above* the other NAT statements (the line number goes after the interface pair):

nat (inside,outside) 1 source ...

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Re: AnyConnect users cannot reach inside network and ASA?

Thanks Karsten! After the NAT statement was moved above the others, VPN users can now ping and access the inside network's computers.

But the ASA firewall still cannot be accessed by VPN users.

For the ICMP inspection, there seems to be no big difference between turning it ON or OFF.

Super Bronze

AnyConnect users cannot reach inside network and ASA?

Hi,

For management through the VPN you should probably use the "inside" interface IP address by inserting the following command:

management-access inside

Then you should be able to connect to the "inside" IP address from VPN provided that the other configurations allow it.

- Jouni
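The three replies above (Karsten's NAT exemption and its position at the top of the NAT table, the ICMP inspection, and Jouni's management-access inside) fit together into one fix. The fragment below is an added example assembled from those replies, not the poster's attached configuration. The addresses, object names INSIDE-88 / VPN-89 and the (inside,outside) interface pair come from the thread; the object definitions, the pool name VPN-POOL and its address range are assumptions.

```cisco
! Added example, not the original poster's attached configuration.
! Object definitions, the pool name VPN-POOL and its range are assumed.

! Network objects referenced by the NAT exemption
object network INSIDE-88
 subnet 192.168.88.0 255.255.255.0
object network VPN-89
 subnet 172.16.89.0 255.255.255.0

! Address pool handed to AnyConnect clients (name and range assumed)
ip local pool VPN-POOL 172.16.89.10-172.16.89.250 mask 255.255.255.0

! 1. NAT exemption (identity twice NAT) for inside <-> VPN traffic.
!    The "1" after the interface pair forces the rule to line 1 of
!    section 1, so it is evaluated before any dynamic PAT rule that
!    would otherwise translate the inside hosts' replies to VPN clients.
nat (inside,outside) 1 source static INSIDE-88 INSIDE-88 destination static VPN-89 VPN-89 no-proxy-arp route-lookup description NAT-Exempt for VPN

! 2. Stateful ICMP inspection so echo replies are matched to their
!    requests instead of being dropped on the return path.
policy-map global_policy
 class inspection_default
  inspect icmp
! Normally already present on a default configuration
service-policy global_policy global

! 3. Let VPN clients (which terminate on "outside") reach the ASA's own
!    inside address 192.168.88.1 for ping, SSH and ASDM.
management-access inside
```

To confirm the result, `show nat` should list the exemption as the first rule in section 1, `show run policy-map` should show `inspect icmp` under `inspection_default`, and `show run management-access` should return `management-access inside`. If the exemption shows up below a dynamic `nat (inside,outside) ... dynamic interface` line, the ordering is still wrong and inside hosts' return traffic will be PATed toward the VPN pool.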

New Member

Re: AnyConnect users cannot reach inside network and ASA?

Thanks everybody!! All problems resolved!
