New Member

Unable to access internet and internal Subnets over Anyconnect

 

Hi Everyone,

I am using ASA ver 9.1 with an AnyConnect config for full tunnel access.

I am able to connect using AnyConnect fine.

I can access the inside network subnet 10.0.0.0 fine.

But I cannot access internet websites or the other network, Sales, which is an ASA interface.

Internal Network is 10.0.0.x, VPN pool is 10.10.10.x

Sales Network is 10.12.12.0

When I try to access google from the PC, the log shows

Apr 12 2014 18:28:41: %ASA-6-302016: Teardown UDP connection 192674 for outside:10.10.10.10/54401(LOCAL\anyconnect_user) to outside:64.59.144.19/53 duration 0:02:08 bytes 180 (anyconnect_user)


When I try to ping 4.2.2.2 from the PC

Apr 12 2014 18:29:07: %ASA-6-302021: Teardown ICMP connection for faddr 10.10.10.10/1(LOCAL\anyconnect_user) gaddr 4.2.2.2/0 laddr 4.2.2.2/0 (anyconnect_user)

 

Regards

Mahesh

4 REPLIES
Hall of Fame Super Silver

Hi Mahesh,

Do you have a nat(outside,outside) statement as is needed for hairpinning remote access VPN traffic to the Internet?

Please refer to the following thread for an example:

https://supportforums.cisco.com/discussion/11264941/asa-hairpinning-remote-vpn-users-84

You may also want to have a look at Paul Stewart's blog post on his site as he explains it nicely:

http://www.packetu.com/2013/04/02/cisco-asa-8-4-vpn-dealing-with-internet-hairpin-traffic/

New Member

Hi Marvin.

 

After adding

nat (outside,outside) source dynamic vpn_pool_ip interface

I am able to ping internet websites while connected via AnyConnect.

I have a Router connected to the ASA over the inside interface.

ASA inside interface IP is 10.0.0.1

Router IP is 10.0.0.2

While connected via VPN I can ping and ssh to 10.0.0.2 as I have the NAT config

nat (inside,outside) source static inside inside destination static inside inside

Is this config right?

But I cannot ping internet websites from the Router with the above config.

If I add the config below

nat (inside,outside) 1 source dynamic NETWORK_OBJ_10.0.0.0_24 interface

then the router can ping the internet websites but I cannot ping the 10.0.0.2 IP while on VPN.

 

Best Regards

Mahesh

Hall of Fame Super Silver

Keep in mind your VPN clients are seen as outside addresses - even though you are assigning them a private IP address from your vpn_pool_ip.

So when your router is set up to access the Internet (outside) with the nat(inside,outside) statement you mentioned just now, it will also first need a NAT exemption for the vpn_pool_ip.

We want to make sure it is at the top of the list (or at least precedes the dynamic NAT you set up already), so we would use the following statement in the configuration file:

nat (inside,outside) 1 source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static vpn_pool_ip vpn_pool_ip

 
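The complete NAT picture that the two accepted answers above add up to (the (outside,outside) hairpin PAT plus the numbered identity NAT exemption ahead of the dynamic PAT), as an added example that is not from the thread or from Cisco. The Sales interface name, the /24 masks and the no-proxy-arp route-lookup keywords are assumptions; the packet-tracer lines are there to check that the rule order actually does what the thread expects.

```cisco
! Added example, not from the thread. Object and interface names follow the
! thread; the "Sales" interface name and the 255.255.255.0 masks are assumed.
!
! Hairpinned VPN traffic enters and leaves on "outside"; the ASA drops that
! unless traffic between hosts on the same interface is explicitly permitted.
same-security-traffic permit intra-interface

object network vpn_pool_ip
 subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_24
 subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_10.12.12.0_24
 subnet 10.12.12.0 255.255.255.0

! 1. Identity (exempt) NAT for inside <-> VPN pool. Numbered so it is
!    evaluated before the dynamic PAT that also matches 10.0.0.0/24 sources;
!    otherwise replies from 10.0.0.2 get PATed to the outside address and the
!    client's ping/SSH breaks, which is the symptom in the thread.
!    no-proxy-arp and route-lookup are commonly added to identity NAT so the
!    ASA neither answers ARP for these hosts nor overrides the routing table.
nat (inside,outside) 1 source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static vpn_pool_ip vpn_pool_ip no-proxy-arp route-lookup

! 2. Same exemption for the Sales network behind the assumed "Sales" interface.
nat (Sales,outside) 2 source static NETWORK_OBJ_10.12.12.0_24 NETWORK_OBJ_10.12.12.0_24 destination static vpn_pool_ip vpn_pool_ip no-proxy-arp route-lookup

! 3. PAT for VPN clients going back out the outside interface to the Internet.
!    Clients are outside sources, hence (outside,outside), not (inside,outside).
nat (outside,outside) source dynamic vpn_pool_ip interface

! 4. Ordinary PAT for inside hosts (the router at 10.0.0.2) to the Internet.
!    Unnumbered, so it is appended after the exemptions above.
nat (inside,outside) source dynamic NETWORK_OBJ_10.0.0.0_24 interface

! Verification: confirm the manual (section 1) rule order, then simulate the
! three flows from the thread. Each should show "Action: allow" with the
! intended NAT rule in the NAT phase; a flow hitting the wrong rule means the
! line numbers are off.
show nat
packet-tracer input outside udp 10.10.10.10 54401 64.59.144.19 53
packet-tracer input outside icmp 10.10.10.10 8 0 10.0.0.2
packet-tracer input inside icmp 10.0.0.2 8 0 4.2.2.2
```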

New Member

It worked like a charm.

Best Regards Sir

 

Mahesh
