cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
608
Views
0
Helpful
1
Replies

Setting up Anyconnect VPN per DOC 99756

RonaldNutter
Level 1
Level 1

I am trying to setup AnyConnect on a ASA 8.2.5 from scratch.  I can get connected and dont see any errors.  Not able to ping the inside interface or the device I have attached to the inside interface.  From the ASA, I can ping the device attached to the Inside interface of the ASA. Ths would appear to indicate a problem with the ASA configuration for Anyconnect  It has to be something simple but so far it eludes me.  I have turned up logging and can see verification that the anyconnect session successfully connections.  No errors are showing.

Here is the partial config that I am using -

access-list no_nat extended permit ip 10.34.110.0 255.255.255.0 10.34.250.0 255.255.255.0

access-list no_nat extended permit ip 10.34.250.0 255.255.255.0 10.34.110.0 255.255.255.0

access-list Outside1_to_Inside extended permit ip 10.34.250.0 255.255.255.0 interface Inside

access-group Outside1_to_Inside in interface Inside

ip local pool SSLClientPool 10.34.250.1-10.34.250.25 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Inside

nat (Inside) 0 access-list no_nat

access-group Outside1_to_Inside in interface Inside

route Outside1 0.0.0.0 0.0.0.0 68.70.82.57 254

crypto ca trustpoint localtrust

enrollment self

fqdn sslvpn.mydomain.com

subject-name CN=sslvpn.mydomain.com

keypair sslvpnkeypair

crl configure

ssl trust-point localtrust Outside1

webvpn       

enable Outside1

anyconnect-essentials

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc enable  

tunnel-group-list enable

group-policy SSLClientPolicy internal

group-policy SSLClientPolicy attributes

dns-server value 8.8.8.8

vpn-tunnel-protocol svc

default-domain value ssl.mydomain.com

address-pools value SSLClientPool

Any suggestions would be appreciated.

Ron

1 Reply 1

Herbert Baerten
Cisco Employee
Cisco Employee

Hi Ron,

to be able to access the inside interface of the ASA itself, you need to configure:

   management-access inside

This will allow you to ping/ASDM/telnet/ssh to the inside interface address, over a vpn tunnel.

Not sure what the problem is when reaching hosts on the inside though, how are you testing this? Ping (icmp) or application traffic (UDP,TCP) ?

The ACL on the inside interface doesn't seem to make sense, what did you intend to achieve with it? Can you try removing it temporarily to see if this influences the VPN issue?

hth

Herbert

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: