ASA client VPN partly connection to internal resources
Hi, I just configured Cisco AnyConnect. I can connect via the VPN client. My setup is a little bit different (check the first picture of the setup). I am using another firewall in front of the Cisco ASA. The ASA is only using the inside interface and is only used for client VPN. See the first picture, which illustrates the setup. The client VPN IP pool is 10.10.10.10 - 10.10.10.50. The firewall has the IP 192.168.1.254 and is the gateway of the network. My test VPN client has the IP 10.10.10.14 and can ping 192.168.1.254 and google 126.96.36.199. But I can't ping the other internal servers like 192.168.1.40 or 192.168.1.10. I am pinging 192.168.1.254, 192.168.1.40 and 192.168.1.10 at the same time. But on the firewall I can only see 192.168.1.254 traffic:
# tcpdump src net 10.10.10.0/24 and dst net 192.168.1.0/24 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:06:10.315471 IP 10.10.10.14 > 192.168.1.254: ICMP echo request, id 1, seq 40671, length 40
16:06:11.090489 IP 10.10.10.14 > 192.168.1.254: ICMP echo request, id 1, seq 40675, length 40
16:06:12.150490 IP 10.10.10.14 > 192.168.1.254: ICMP echo request, id 1, seq 40678, length 40
16:06:13.651232 IP 10.10.10.14 > 192.168.1.254: ICMP echo request, id 1, seq 40680, length 40
16:06:14.156077 IP 10.10.10.14 > 192.168.1.254: ICMP echo request, id 1, seq 40682, length 40
I also added the screenshots of the Packet Tracer,
and here is the Configuration:
Can anyone please help me get the traffic to the other hosts?
Yes, it would be possible to change the VPN pool addresses to 192.168.1.0,
or to create a NAT so that the VPN pool addresses are translated to 192.168.10.
But is there any other solution for this issue without one of these workarounds?
ASA Version 8.4(2)
enable password XejxZFfyt2wxqfff encrypted
passwd XejxZFfyt2wxqfff encrypted
ip address 192.168.1.230 255.255.255.0
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN-Address-Pool
object network inside-network
subnet 192.168.1.0 255.255.255.0
object network VPN-Pool
subnet 10.10.10.0 255.255.255.0
object network AnyConnect-VPN-Pool
object network LAN
subnet 192.168.1.0 255.255.255.0
object network asa
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN-Address-Pool 10.10.10.10-10.10.10.254 mask 255.255.255.0
When you try to ping '192.168.1.10' or '192.168.1.40' from the remote client (10.10.10.14), the ASA will forward those ICMP packets directly to the destination after decryption. So it is impossible to observe them on the firewall, and those ICMP packets should reach their destination.
The ICMP reply will go to the default GW (192.168.1.254), as the 2 servers have no route entry to 10.10.10.14. The default GW finds that the next hop to '10.10.10.14' is 192.168.1.240, so it will discard those ICMP packets and send an ICMP redirect message (type 5) to the 2 servers, which means the ASA is closer to 10.10.10.14; however, the 2 servers ignore this redirect message, so you cannot ping the 2 servers.
Solution: enable the 2 servers to accept ICMP redirect messages.
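The following script is an added illustration of the return-path problem the answer describes; it is not code from the poster or from Cisco. It models each node's routing table with longest-prefix match and traces one echo request and a few echo replies. Addresses come from the question and the posted config (VPN client 10.10.10.14, ASA inside 192.168.1.230, gateway 192.168.1.254, servers 192.168.1.10 and .40). The gateway's route to the VPN pool via the ASA, the servers' route tables and the gateway's upstream next hop are assumptions, and the gateway is modelled exactly as the answer states: it discards the reply and sends an ICMP redirect. Beyond the answer's fix (servers accepting redirects), the script also shows the other common remedy implied by "no route entry": a static route on the server for the VPN pool pointing at the ASA.

```python
"""Trace why VPN-client pings reach the servers but the replies never return.

Added example, not the thread's or Cisco's code.  Route tables, the
gateway's upstream hop (198.51.100.1, a documentation address) and the
gateway's 'discard + redirect' behaviour are assumptions from the thread.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

VPN_CLIENT = "10.10.10.14"        # from the question
ASA_INSIDE = "192.168.1.230"      # from the posted config
GATEWAY = "192.168.1.254"         # from the question
LAN = Net("192.168.1.0/24")
VPN_POOL = Net("10.10.10.0/24")
DEFAULT = Net("0.0.0.0/0")


@dataclass
class Route:
    prefix: Net
    next_hop: Optional[str] = None   # None: prefix is directly connected


@dataclass
class Node:
    name: str
    ip: str
    routes: list
    accept_redirects: bool = False
    learned: dict = field(default_factory=dict)  # dst -> next hop learned via ICMP redirect

    def next_hop(self, dst: str) -> str:
        """Longest-prefix match; a redirect-learned host route takes precedence."""
        if dst in self.learned:
            return self.learned[dst]
        d = IPv4(dst)
        best = max((r for r in self.routes if d in r.prefix),
                   key=lambda r: r.prefix.prefixlen)
        return best.next_hop or dst       # connected prefix: hand to dst itself


def make_asa() -> Node:
    # Inside interface on the LAN; the VPN pool is reachable over the tunnel.
    return Node("asa", ASA_INSIDE, [Route(LAN), Route(VPN_POOL), Route(DEFAULT, GATEWAY)])


def make_gateway() -> Node:
    # Assumed: the gateway knows the VPN pool sits behind the ASA.
    return Node("gateway", GATEWAY,
                [Route(LAN), Route(VPN_POOL, ASA_INSIDE), Route(DEFAULT, "198.51.100.1")])


def make_server(ip: str, accept_redirects: bool = False, static_route: bool = False) -> Node:
    routes = [Route(LAN), Route(DEFAULT, GATEWAY)]
    if static_route:                      # remedy 2: explicit route for the pool via the ASA
        routes.append(Route(VPN_POOL, ASA_INSIDE))
    return Node(f"server-{ip}", ip, routes, accept_redirects)


def request_path(asa: Node, server_ip: str) -> list:
    """Hops of a decrypted echo request: ASA delivers on the connected LAN,
    so the gateway never sees it (matches the tcpdump in the question)."""
    return [asa.name, asa.next_hop(server_ip)]


def reply_path(server: Node, gateway: Node, dst: str = VPN_CLIENT) -> str:
    """One echo reply from the server toward the VPN client.

    'direct'           - reply goes straight to the ASA and is tunnelled back
    'redirect-dropped' - reply goes to the gateway, which discards it and sends
                         an ICMP redirect (type 5), as described in the answer
    """
    hop = server.next_hop(dst)
    if hop == ASA_INSIDE:
        return "direct"
    better = gateway.next_hop(dst)
    # Redirect condition: the better next hop is on the same link as the sender.
    if IPv4(better) in LAN and IPv4(server.ip) in LAN and server.accept_redirects:
        server.learned[dst] = better      # remedy 1: server honours the redirect
    return "redirect-dropped"


def ping_outcomes(server: Node, gateway: Node, attempts: int = 3) -> list:
    """Outcome of successive echo replies; redirect-learned routes persist."""
    return [reply_path(server, gateway) for _ in range(attempts)]


if __name__ == "__main__":
    gw = make_gateway()
    print("request path:", request_path(make_asa(), "192.168.1.10"))
    for label, srv in [("ignores redirects", make_server("192.168.1.10")),
                       ("accepts redirects", make_server("192.168.1.10", accept_redirects=True)),
                       ("static route", make_server("192.168.1.40", static_route=True))]:
        print(f"{label:18} {ping_outcomes(srv, gw)}")
```

Running it shows the request reaching the server without crossing the gateway, every reply from an unmodified server being dropped at the gateway, the first reply still being lost even when redirects are accepted (the host route is learned only after the redirect arrives), and the static-route variant succeeding from the first reply. Whichever remedy is chosen, the tcpdump filter in the question only ever shows the client-to-gateway traffic, so confirming the fix needs a capture on the server or on the ASA rather than on the firewall.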