Cisco Support Community
ASA client VPN partly connection to internal resources

I just configured Cisco AnyConnect. I can connect via Client VPN.
My setup is a little bit different (check the first picture of the setup).
I am using another firewall in front of the Cisco ASA. The ASA is only using the inside interface and is only used for Client VPN. See the first picture, which illustrates the setup.
The Client VPN IP pool is -
The firewall has the IP and is the gateway of the network.
My test VPN client has the IP and can ping the and Google.
But I can't ping the other internal servers like or .
I am pinging , and at the same time.
But on the firewall I can only see traffic:

# tcpdump src net and dst net -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:06:10.315471 IP > ICMP echo request, id 1, seq 40671, length 40
16:06:11.090489 IP > ICMP echo request, id 1, seq 40675, length 40
16:06:12.150490 IP > ICMP echo request, id 1, seq 40678, length 40
16:06:13.651232 IP > ICMP echo request, id 1, seq 40680, length 40
16:06:14.156077 IP > ICMP echo request, id 1, seq 40682, length 40

I also added the screenshots of the Packet Tracer

and here is the Configuration:


Can anyone please help me get the traffic to the other hosts?

  • Yes, it would be possible to change the VPN pool addresses to
  • or create a NAT so that the VPN pool addresses are translated to 192.168.10

But is there any other solution for this issue without one of these workarounds?


show running-config
: Saved

ASA Version 8.4(2)

hostname asa
domain-name test.lab
enable password XejxZFfyt2wxqfff encrypted
passwd XejxZFfyt2wxqfff encrypted

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address

interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address

ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS

 domain-name planet-express.internal
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN-Address-Pool
 description VPN-Address-Pool
object network inside-network

 description inside-network
object network VPN-Pool

object network AnyConnect-VPN-Pool
object network LAN

object network asa

access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN-Address-Pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
nat (any,inside) source dynamic VPN-Pool interface inactive
access-group inside_access_in in interface inside
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server planet-express protocol nt
aaa-server planet-express (inside) host farnsworth.planet-express.internal

user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 444
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=test
 keypair key-2048
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 2ee76b53

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 60
ssh inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside

 enable inside
 anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05160-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-64-3.1.05160-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-3.1.05160-k9.pkg 4
 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value test.lab

  anyconnect profiles value AnyConnect_client_profile type user
group-policy Portal-Group-Policy internal
group-policy Portal-Group-Policy attributes
 wins-server none
 dns-server value
 vpn-tunnel-protocol ssl-clientless
 default-domain value test.lab

  url-list value Administrator
username admin password Cisco encrypted privilege 15
tunnel-group Portal type remote-access
tunnel-group Portal general-attributes
 address-pool VPN-Address-Pool
 default-group-policy Portal-Group-Policy
tunnel-group Portal webvpn-attributes
 group-alias Portal enable
 group-alias portal disable
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool VPN-Address-Pool
 default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable

class-map global-class
 match default-inspection-traffic

policy-map global-policy
 class global-class
  inspect dns
  inspect ftp
  inspect http
  inspect icmp
  inspect icmp error

service-policy global-policy global
prompt hostname context
no call-home reporting anonymous

 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable

: end




When you try to ping '' or '' from the remote client (), the ASA will forward those ICMP packets directly to the destination after decryption, so it is impossible to observe them on the firewall. Those ICMP packets should reach their destination.

The ICMP reply will go to the default GW (), as the 2 servers have no route entry to . The default GW finds that the next hop to '' is , so it will discard those ICMP packets and send an ICMP redirect message (type 5) to the 2 servers, which means the ASA is closer to ; however, the 2 servers ignore this redirect message, so you cannot ping the 2 servers.

Solution: enable the 2 servers to accept ICMP redirect messages.
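The reply path described in this thread (echo request arrives via the ASA, echo reply leaves via the servers' default gateway) is a plain longest-prefix-match decision on each server. The following Python model is an added example, not code from the thread or from Cisco; the addresses are constructed RFC 5737 documentation ranges standing in for the poster's elided real addresses, and the functions `lookup`, `scenario_no_route`, `scenario_static_route` and `scenario_nat` are my own names. It reproduces the asymmetric path as posted and shows why each of the two workarounds the original poster mentioned (a route for the VPN pool, or NAT of the pool behind the ASA inside address) makes the reply reach the ASA directly.

```python
"""Model of the echo-reply path for an AnyConnect client pinging an inside server.

Constructed example: every address here is an RFC 5737 documentation address
standing in for the (elided) real addresses in the thread.
"""
import ipaddress

# Constructed topology (not the poster's real addresses):
LAN = ipaddress.ip_network("192.0.2.0/24")          # inside network
FIREWALL_GW = ipaddress.ip_address("192.0.2.1")     # default gateway of the LAN (the other firewall)
ASA_INSIDE = ipaddress.ip_address("192.0.2.2")      # ASA inside interface
VPN_POOL = ipaddress.ip_network("198.51.100.0/24")  # AnyConnect address pool
VPN_CLIENT = ipaddress.ip_address("198.51.100.5")   # a connected VPN client
SERVER = ipaddress.ip_address("192.0.2.10")         # an inside server being pinged

# A server's routing table as posted: connected LAN plus a default route via the
# other firewall. Entries are (prefix, next_hop); next_hop None = directly connected.
SERVER_ROUTES = [
    (LAN, None),
    (ipaddress.ip_network("0.0.0.0/0"), FIREWALL_GW),
]


def lookup(route_table, dst):
    """Longest-prefix match over route_table; returns the chosen next hop."""
    best = None
    for prefix, next_hop in route_table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def reply_next_hop(server_routes, src_as_seen_by_server):
    """Where the server sends its echo reply: the reply goes to the *source* of the request."""
    return lookup(server_routes, src_as_seen_by_server)


def scenario_no_route():
    """As posted: the request came in via the ASA, but the reply is handed to the
    default gateway, because the server has no route for the VPN pool."""
    return reply_next_hop(SERVER_ROUTES, VPN_CLIENT)


def scenario_static_route():
    """Workaround 1: a static route for the VPN pool via the ASA inside address,
    on the servers (or on the gateway that they use). The reply now goes to the ASA."""
    routes = [(VPN_POOL, ASA_INSIDE)] + SERVER_ROUTES
    return reply_next_hop(routes, VPN_CLIENT)


def scenario_nat():
    """Workaround 2 (the poster's NAT idea): the ASA translates the VPN pool to its
    inside address, so the server sees a source on its own LAN and replies directly
    (no gateway involved at all)."""
    translated_src = ASA_INSIDE
    return reply_next_hop(SERVER_ROUTES, translated_src)


def reply_reaches_asa_directly(next_hop):
    """True when the reply is handed to the ASA (or put on the LAN for it) without
    depending on the other firewall forwarding it or on ICMP redirects being honoured."""
    return next_hop is None or next_hop == ASA_INSIDE


if __name__ == "__main__":
    for name, fn in (("no route", scenario_no_route),
                     ("static route", scenario_static_route),
                     ("NAT behind ASA", scenario_nat)):
        hop = fn()
        print(f"{name:15s} reply next hop: {hop or 'direct (on-link)'}  "
              f"reaches ASA directly: {reply_reaches_asa_directly(hop)}")
```

In the first scenario the reply only gets back to the client if the other firewall forwards it toward the ASA, or if the servers honour the redirect it sends; whether a Linux host honours redirects is controlled by `net.ipv4.conf.all.accept_redirects`, which many server builds leave at 0. The other two scenarios do not depend on either, which is why they are the usual ways to fix this layout.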


