access-list NAT-EXEMPT extended permit ip 10.0.0.0 255.255.255.0 VPN_Clients 255.255.255.0
access-list NAT-EXEMPT extended permit ip 10.0.100.0 255.255.255.0 VPN_Clients 255.255.255.0
access-list NAT-EXEMPT extended permit ip 10.0.50.0 255.255.255.0 VPN_Clients 255.255.255.0
nat (inside) 0 access-list NAT-EXEMPT
Here is also a breakdown of my static routing.
Once I've VPN'ed in, I am unable to ping:
Client->firewall inside interface
I can ping the first SVI addresses as well as the uplink IP address on the 2811.
Ping is enabled
Still doesn't work, even when allowing ip any any for testing.
Nat control IS enabled, and I've implemented an exemption (as seen at the top).
I presume that there is an error in the picture since the ASA interface IP address and the router IP address facing the ASA are the same.
Are you saying that you can ping the 10.0.0.1 and 10.0.100.1 ?
If you can then have you checked the actual hosts for software firewall / Windows firewall settings?
Might need to see the rest of the ASA configurations to determine if there is anything in the configurations that might be a problem.
Woops! The ASA interface is the .1 and the 2811 is the .2.
I can ping the 0.1 and the 100.1 just fine!
Windows firewall/settings have been disabled and the error is still there.
Most probably you are missing the routes on the router to reach the AnyConnect addresses.
If you could post the show route of the ASA and of the router.
I just want to confirm the routing on the router, as you indicate that the default route points to the ASA.
Jumora -- Yep! I got that part solved, and I was missing the command you just identified! Now I'm thinking this is not an ASA problem... but an issue with my 2811, which appears to have an inter-VLAN routing issue.
I've created a separate thread here: https://supportforums.cisco.com/message/4096135#4096135
Can ping the SVI, but if I try to ping a host in a different VLAN sourcing a separate VLAN... no worky.