New Member

Access local resources with AnyConnect

I have an ASA 5505 running 9.2. I have AnyConnect working in that it establishes a connection and users can browse the Internet with split tunneling. However, they can't access internal servers, or even ping them.

I suspect NAT, but I am no expert, and I have done some googling, but most of the directions are written for a different version of IOS.

I have attached the running config. The servers to be accessed are on the 192.168.1.x network. The VPN pool is on the 192.168.2.x network. 

Thanks. 


7 REPLIES


Enable ASDM debugging and then you'll see if there are any issues with NAT.

Michael. Please rate all helpful posts.
Hall of Fame Super Silver


The ASA configuration looks pretty good.

Have you set the ASA as your internal hosts' default route or otherwise told their default gateway to reach the VPN pool via the ASA inside address of 192.168.1.3?

New Member


They do have another router on the network, but I can't log in to it right now.

I can ping the inside network from the inside interface of the ASA. Also, in the AnyConnect client it shows no secured routes and one unsecured: the internal network 192.168.1.x.

Thanks

Hall of Fame Super Silver (Accepted Solution)

Yes - when you ping the internal network your ASA inside address (on that same network) is the source address.

When your VPN clients attempt to reach resources there, their source address is 192.168.2.x. Unless the internal network hosts either default gateway to your ASA or their internal/other router has a static route (or dynamic route if you were running a routing protocol on the ASA which you are not in this case) to get to 192.168.2.0/27 via the ASA, return traffic will not make it back to the ASA. It will instead go to their default gateway and not establish (or complete) a connection (TCP) or flow (UDP or ICMP).

New Member


I am going to check out their router tomorrow. But a thought occurred to me. They use 192.168.1.x for their internal network. I use that for my home and I realized I could ping 192.168.1.x addresses when connected to their VPN from home. However, they were addresses on my network, not their corporate network. 

This seems like it will be a problem for them if they also use that address scheme at home, correct?

Hall of Fame Super Silver


Indeed it is a problem. Unless you get really fancy with NAT, you need to have unique network numbers at both ends.
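The two failure modes discussed in this thread, the reply path from an internal host back to the VPN pool (the accepted answer above) and the overlap between a client's home LAN and the split-tunnel secured routes (the last exchange), can both be reproduced with a plain longest-prefix-match lookup. The following is an added example, not code from the original thread or from Cisco; the ASA inside address 192.168.1.3 and the pool 192.168.2.0/27 come from the thread, while the other router's address 192.168.1.1 and the upstream next hop 203.0.113.1 are assumed for illustration.

```python
import ipaddress

# Constructed topology based on the thread. 192.168.1.1 (other router)
# and 203.0.113.1 (its upstream) are assumed; the rest is from the posts.
ASA_INSIDE = "192.168.1.3"
OTHER_ROUTER = "192.168.1.1"          # assumed: the internal hosts' default gateway
UPSTREAM = "203.0.113.1"              # assumed: the other router's default next hop
INTERNAL_LAN = "192.168.1.0/24"
VPN_POOL = "192.168.2.0/27"


def next_hop(routes, dst):
    """Longest-prefix-match lookup over a list of (network, next_hop).

    next_hop is an IP string or the literal 'connected'. Returns None if
    no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        net = ipaddress.ip_network(net)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace(tables, start, dst, max_hops=8):
    """Follow a packet device by device. tables maps a device name or IP to
    its routing table. Returns (path, delivered)."""
    path = [start]
    device = start
    for _ in range(max_hops):
        hop = next_hop(tables[device], dst)
        if hop == "connected":
            return path, True
        path.append(hop)
        if hop is None or hop not in tables:
            return path, False      # left the devices we model: reply is lost
        device = hop
    return path, False


# Internal host: only its own LAN plus a default route via the other router.
HOST_TABLE = [(INTERNAL_LAN, "connected"), ("0.0.0.0/0", OTHER_ROUTER)]
# The ASA knows the pool (clients are reachable over the tunnel).
ASA_TABLE = [(INTERNAL_LAN, "connected"), (VPN_POOL, "connected")]

# Before the fix: the other router has no idea where 192.168.2.0/27 lives.
TABLES_BEFORE = {
    "host": HOST_TABLE,
    OTHER_ROUTER: [(INTERNAL_LAN, "connected"), ("0.0.0.0/0", UPSTREAM)],
    ASA_INSIDE: ASA_TABLE,
}
# After the fix from the accepted answer: a static route for the pool via
# the ASA inside address on the other router.
TABLES_AFTER = {
    "host": HOST_TABLE,
    OTHER_ROUTER: TABLES_BEFORE[OTHER_ROUTER] + [(VPN_POOL, ASA_INSIDE)],
    ASA_INSIDE: ASA_TABLE,
}


def secured_route_conflicts(client_lan, secured_routes):
    """Secured (split-tunnel) networks that overlap the client's own LAN.

    Any hit means traffic for that range is ambiguous on the client: the
    directly connected LAN and the tunnel route cover the same addresses."""
    local = ipaddress.ip_network(client_lan)
    return [n for n in secured_routes if ipaddress.ip_network(n).overlaps(local)]


if __name__ == "__main__":
    client = "192.168.2.5"
    print("reply path before fix:", trace(TABLES_BEFORE, "host", client))
    print("reply path after fix: ", trace(TABLES_AFTER, "host", client))
    print("home LAN 192.168.1.0/24 vs secured routes:",
          secured_route_conflicts("192.168.1.0/24", [INTERNAL_LAN]))
    print("home LAN 10.0.0.0/24 vs secured routes:   ",
          secured_route_conflicts("10.0.0.0/24", [INTERNAL_LAN]))
```

Before the fix the reply from an internal host goes host, other router, upstream, and never reaches the ASA, which is exactly why the TCP handshake or ICMP echo never completes; after the static route it goes host, other router, ASA. On a real IOS router the equivalent static route is `ip route 192.168.2.0 255.255.255.224 192.168.1.3`. The overlap check shows why a home LAN numbered 192.168.1.0/24 breaks access to a corporate 192.168.1.0/24 even with everything else correct: the client cannot tell the two apart, so unique prefixes at both ends are the fix.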

New Member


That worked. Thanks
