07-05-2013 07:51 AM
Hi, trying to set up ssl vpn via Anyconnect client on a new ASA 5510, ASA 8.4.2, ASDM 6.4.5.
I am able to successfully 'connect' via the anyconnect client, & I am assigned an ip from the vpn pool I created, however I can't ping or connect to any of the internal servers.
I think I've set up split tunnelling ok following the guide below, as I can browse the web nice & fast while logged in to vpn but just can't find anything on the internal network.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
I suspect it's down to a nat rule but I'm a bit stuck whether it should be a network object nat rule or if it should be dynamic/static & whether it's between the outside interface or external ip & the inside network or the vpn network (I created the pool on a separate subnet), or a 'range' (but then I get overlapping ip errors when I try to create a rule for a range of IPs).
Any advice much appreciated,
07-06-2013 12:30 PM
Hi Eunson,
After you have connected to the ASA the clients get an IP address of let's say 192.168.10.0/24 pool, the network behind the ASA is 192.168.20.0/24.
On the ASA you would need a NAT exemption for 192.168.20.0 to 192.168.10.0
Create two object groups, for VPN pool and for your internal LAN.
object-group network object-192.168.20.0
network-object 192.168.20.0 255.255.255.0
object-group network object-192.168.10.0
network-object 192.168.10.0 255.255.255.0
nat (inside,outside) 1 source static object-192.168.20.0 object-192.168.20.0 destination static object-192.168.10.0 object-192.168.10.0 no-proxy-arp route-lookup
Inside = The interface behind which your LOCAL lan is
Outside = The interface on which the Clients connect.
If you still cannot access it then you can take captures on the Inside interface,
create an acl
access-list test123 permit ip host x.x.x.x host y.y.y.y
access-list test123 permit ip host y.y.y.y host x.x.x.x
capture test123 interface inside access-list test123
show cap test123
It will show if packets are going out through the inside interface and if we see any replies or not. If we don't see any replies it means that there might be a routing issue on the internal LAN as the devices might not know to route traffic for 192.168.10.0 back to the ASA inside interface.
Or it might be that there would be a firewall dropping packets in your internal lan.
HTH
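The fix above is a twice-NAT identity rule: real and mapped source are the same object, real and mapped destination are the same object, so LAN-to-pool traffic is exempted from translation in both directions. The following script is an added example (not code from the thread or from Cisco) that parses the object-group and nat lines of an ASA running-config excerpt and checks two things a defender wants to verify before troubleshooting further: that an identity NAT rule actually covers the LAN subnet and the VPN pool, and that the pool does not overlap the internal LAN (the overlap the original poster ran into). The sample config is constructed from the addresses in the answer; the function names and the CIDR arguments are assumptions of this example.

```python
"""Check an ASA running-config excerpt for an AnyConnect NAT exemption.

Added example, not from the thread. It handles 'object-group network' with
'network-object <net> <mask>' / 'network-object host <ip>' members and
twice-NAT lines of the form
  nat (real_if,mapped_if) [seq] source static A A destination static B B ...
"""
import ipaddress
import re

# Constructed sample, modelled on the thread's example addresses.
SAMPLE_CONFIG = """\
object-group network object-192.168.20.0
 network-object 192.168.20.0 255.255.255.0
object-group network object-192.168.10.0
 network-object 192.168.10.0 255.255.255.0
nat (inside,outside) 1 source static object-192.168.20.0 object-192.168.20.0 destination static object-192.168.10.0 object-192.168.10.0 no-proxy-arp route-lookup
"""

NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)(?: \d+)?"
    r" source static (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
)


def parse_object_groups(config):
    """Return {group_name: [IPv4Network, ...]} from object-group definitions."""
    groups = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"^network-object host (\S+)$", line)
        if m and current is not None:
            groups[current].append(ipaddress.ip_network(m.group(1)))
            continue
        m = re.match(r"^network-object (\S+) (\S+)$", line)
        if m and current is not None:
            # ipaddress accepts the dotted-mask form "a.b.c.d/255.255.255.0"
            groups[current].append(
                ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
            continue
        if not line.startswith(("network-object", "description", "group-object")):
            current = None  # any other top-level line ends the group
    return groups


def parse_nat_rules(config):
    """Return the parsed fields of every twice-NAT 'source static' line."""
    return [m.groupdict() for m in
            (NAT_RE.match(l.strip()) for l in config.splitlines()) if m]


def _covers(group_nets, net):
    return any(net.subnet_of(g) for g in group_nets)


def find_exemption(config, lan_cidr, pool_cidr):
    """Return (real_if, mapped_if) of an identity rule covering LAN -> pool, else None."""
    lan = ipaddress.ip_network(lan_cidr)
    pool = ipaddress.ip_network(pool_cidr)
    groups = parse_object_groups(config)
    for r in parse_nat_rules(config):
        if r["dst_real"] is None:
            continue  # source-only rule, not a LAN<->pool exemption
        identity = (r["src_real"] == r["src_mapped"]
                    and r["dst_real"] == r["dst_mapped"])
        if not identity:
            continue
        if (_covers(groups.get(r["src_real"], []), lan)
                and _covers(groups.get(r["dst_real"], []), pool)):
            return r["real_if"], r["mapped_if"]
    return None


def check(config, lan_cidr, pool_cidr):
    """Summarise the two checks for the given LAN and VPN pool."""
    lan = ipaddress.ip_network(lan_cidr)
    pool = ipaddress.ip_network(pool_cidr)
    exemption = find_exemption(config, lan_cidr, pool_cidr)
    return {
        "pool_overlaps_lan": lan.overlaps(pool),
        "exempt": exemption is not None,
        "interfaces": exemption,
    }


if __name__ == "__main__":
    print(check(SAMPLE_CONFIG, "192.168.20.0/24", "192.168.10.0/24"))
```

Run it against a `show running-config` excerpt with the real LAN and pool CIDRs; `exempt: False` means the identity rule is missing or its objects do not cover those subnets, and `pool_overlaps_lan: True` means the pool must move to a subnet that does not collide with the inside network before any NAT rule will help.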
07-09-2013 08:24 AM
Thanks Kshitij, that worked perfectly! That was bugging me for weeks, I'm grateful you took the time to explain so clearly & precisely.