02-27-2014 01:00 PM
Hello all!
I'm having a funny issue that I can't seem to resolve. I have an ASA 5510 configured in routed mode (no NAT). I have set up the VPN with access via software (SSL and IPsec). In both cases the client connects fine to the VPN endpoint and can ping the firewall. But the client (VPN, 192.168.11.0) cannot connect to services or ping any inside hosts (trustedpc network, 192.168.103.0). Conversely, the inside network can ping the client just fine.
When I run a packet tracer I get a very uninformative response:
Phase: 6
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xadb82170, priority=70, domain=svc-ib-tunnel-flow, deny=false
hits=663, user_data=0x13000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.11.6, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
As mentioned, there is no NAT and the ACL is very simple:
object-group network EASYVPN_NETWORK
 description VPN Network
 network-object object EASYVPNV6
 network-object object EASYVPN
object network EASYVPN
 subnet 192.168.11.0 255.255.255.0
object-group service ICMPV4V6
 service-object icmp
 service-object icmp6
access-list outside_access_in extended permit object-group ICMPV4V6 any any
access-list outside_access_in extended permit ip object-group EASYVPN_NETWORK any
The ASA is running the following code:
Cisco Adaptive Security Appliance Software Version 9.1(2)
Any help is welcome.
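The packet-tracer output above is terse because the phase that drops the flow points at a rule in the svc-ib-tunnel-flow domain whose own fields read deny=false, so the drop is not explained by an explicit deny. When working through several traces like this it helps to pull the phases apart mechanically and print the matched rule's fields side by side. The parser below is an added example, not code from the poster or from Cisco; it splits ASA packet-tracer text into phases, extracts the key=value pairs of the rule shown under "Additional Information", and reports the first DROP. The sample trace is constructed from the phase quoted in the post plus a made-up ALLOW phase in the same layout, so the script runs offline.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: phase 6 is the drop quoted in the post; phase 1 is an
# invented ALLOW phase in the same layout so the parser has two phases to walk.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.103.0   255.255.255.0   inside

Phase: 6
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xadb82170, priority=70, domain=svc-ib-tunnel-flow, deny=false
        hits=663, user_data=0x13000, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.11.6, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any
"""

PHASE_RE = re.compile(r"^Phase:[ \t]*(\d+)[ \t]*$", re.MULTILINE)
# key=value tokens on a rule line; "src ip/id" and "dst ip/id" carry a space
RULE_KV_RE = re.compile(r"((?:src|dst) ip/id|[A-Za-z_]+)=([^,\s]+)")


def _parse_rule_line(line: str, phase: Dict) -> None:
    """Fold one rule line into phase['rule']; bare tokens like 'reverse' go to rule_flags."""
    prefix = ""
    for key, value in RULE_KV_RE.findall(line):
        if key in ("src ip/id", "dst ip/id"):
            prefix = key[:3] + "_"   # mask/port/tag that follow belong to src or dst
            key = "ip"
        phase["rule"][prefix + key] = value
    for token in line.split(","):
        token = token.strip()
        if token and "=" not in token:
            phase["rule_flags"].append(token)


def parse_packet_tracer(text: str) -> List[Dict]:
    """Split packet-tracer output into a list of phase dicts."""
    matches = list(PHASE_RE.finditer(text))
    phases = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        phase = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "",
                 "config": [], "info": [], "rule": {}, "rule_flags": []}
        section = None
        for raw in text[m.end():end].splitlines():
            line = raw.strip()
            if not line:
                continue
            head = line.split(":", 1)
            if head[0] in ("Type", "Subtype", "Result"):
                phase[head[0].lower()] = head[1].strip()
                section = None
            elif head[0] == "Config":
                section = "config"          # lines until Additional Information
            elif head[0] == "Additional Information":
                section = "info"
            elif section == "config":
                phase["config"].append(line)
            elif section == "info":
                phase["info"].append(line)
                if "=" in line:
                    _parse_rule_line(line, phase)
        phases.append(phase)
    return phases


def find_drop(phases: List[Dict]) -> Optional[Dict]:
    """Return the first phase whose Result is DROP, or None if the flow was allowed."""
    for phase in phases:
        if phase["result"] == "DROP":
            return phase
    return None


def summarize_drop(phase: Dict) -> str:
    """One-line summary of the dropping phase and the rule it matched."""
    rule = phase["rule"]
    return (f"phase {phase['phase']} {phase['type']}/{phase['subtype']}: DROP by "
            f"{rule.get('domain', '?')} rule (deny={rule.get('deny', '?')}) "
            f"{rule.get('src_ip', '?')} -> {rule.get('dst_ip', '?')} "
            f"in={rule.get('input_ifc', '?')} out={rule.get('output_ifc', '?')}")


if __name__ == "__main__":
    drop = find_drop(parse_packet_tracer(SAMPLE_TRACE))
    print(summarize_drop(drop) if drop else "flow allowed in all phases")
```

Feed it the output of a real `packet-tracer` run (for example pasted into a file and read with `open().read()`) and the summary line shows at a glance which phase dropped the flow, which domain the matched rule belongs to, and whether that rule is itself a deny; a DROP attributed to a deny=false rule, as in the post, tells you the explanation lies outside the ACL and has to be looked for in that phase's feature (here the SVC tunnel flow) rather than in the access list.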