topic Re: Cisco AnyConnect cannot reach inside network in Network Security

Cisco AnyConnect cannot reach inside network

cruseb1 — Mon, 07 Feb 2022 04:39:23 GMT

I just setup a 5512 ASA, the AnyConnect clients connect but are unable to talk to anything on the inside network.

I have included a sanitized config. Any assistance would be greatly appreciated!!

ASA Version 9.12(4)18
!
hostname TEST-ASA
domain-name TEST.org
enable password XXXXXXXXXXXXXXXXX
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6

names
no mac-address auto
ip local pool VPN-POOL 10.88.33.1-10.88.33.254 mask 255.255.255.0

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address XXX.XXX.222.205 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.11.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name TEST.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network test-network
subnet 192.168.13.0 255.255.0.0
object network dispatch-network
subnet 192.168.12.0 255.255.255.0
object network admin-network
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_10.88.33.0_24
subnet 10.88.33.0 255.255.255.0
object-group network split-tunnel-networks
network-object 192.168.11.0 255.255.255.0
network-object object admin-network
network-object object cjnet-network
network-object object dispatch-network
access-list split_tunnel standard permit 192.168.11.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7161.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static split-tunnel-networks split-tunnel-networks destination static NETWORK_OBJ_10.88.33.0_24 NETWORK_OBJ_10.88.33.0_24 no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 XXX.XXX.222.201 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=TEST-ASA
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
hsts
enable
max-age 31536000
include-sub-domains
no preload
http-headers
x-content-type-options
x-xss-protection
content-security-policy
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.8.02045-webdeploy-k9.pkg 1
anyconnect profiles MCT-User_client_profile disk0:/MCT-User_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_MCT-User internal
group-policy GroupPolicy_MCT-User attributes
wins-server none
dns-server value 192.168.11.9 192.168.11.10
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value mcso-fl.org
address-pools value VPN-POOL
webvpn
anyconnect profiles value MCT-User_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username TEST1 password XXXXXXXXXX privilege 15
tunnel-group MCT-User type remote-access
tunnel-group MCT-User general-attributes
address-pool VPN-POOL
default-group-policy GroupPolicy_MCT-User
tunnel-group MCT-User webvpn-attributes
group-alias MCT-User enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3bae6d255e1d00805bb2fd055f2e2bbd
: end

Re: Cisco AnyConnect cannot reach inside network

Kasun Bandara — Mon, 07 Feb 2022 07:21:14 GMT

Hi,

try no nat option for internal nat.

Re: Cisco AnyConnect cannot reach inside network

Jitendra Kumar — Mon, 07 Feb 2022 07:38:31 GMT

Hi,

change NAT statement keep it as showing below and test this should be work for you.

nat (inside,outside) source static inside_network inside_network destination static Anyconnect_network Anyconnect_network

Thanks,

Jitendra

Re: Cisco AnyConnect cannot reach inside network

MHM Cisco World — Mon, 07 Feb 2022 10:35:07 GMT

show vpn-sessiondb any connect
please share the info here after remove the public ip of ASA.
check tunnel-group & group-policy and IP assign.

Re: Cisco AnyConnect cannot reach inside network

cruseb1 — Mon, 07 Feb 2022 21:19:21 GMT

TEST-ASA(config)# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username : cruseb1 Index : 8
Assigned IP : 10.88.33.2 Public IP : xx.xx.xx.xx
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA256
Bytes Tx : 16390 Bytes Rx : 3303241
Group Policy : GroupPolicy_MCT-User Tunnel Group : MCT-User
Login Time : 05:45:54 UTC Mon Feb 7 2022
Duration : 15h:29m:54s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a80101000080006200b212
Security Grp : none

Re: Cisco AnyConnect cannot reach inside network

cruseb1 — Mon, 07 Feb 2022 21:36:00 GMT

made the nat change, still the same behavior.

Re: Cisco AnyConnect cannot reach inside network

Sheraz.Salim — Mon, 07 Feb 2022 21:59:17 GMT

in your configuration you missed to define the split-tunnel access-list for your internal network. you have only define one access list under split-tunnel.

your config
!
group-policy GroupPolicy_MCT-User internal
group-policy GroupPolicy_MCT-User attributes
wins-server none
dns-server value 192.168.11.9 192.168.11.10
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value mcso-fl.org
address-pools value VPN-POOL
!
access-list split_tunnel standard permit 192.168.11.0 255.255.255.0
!

where as you need to define the other object-group according to your NAT rule.

access-list split_tunnel standard permit 192.168.10.0 255.255.255.0
access-list split_tunnel standard permit 192.168.11.0 255.255.255.0
access-list split_tunnel standard permit 192.168.12.0 255.255.255.0

I cant find the forth network as you only define it object name but no subnet Ip addresses.

once you add these access-list into your split-tunnel and in order to test from test computer (install with anyconnect) if already anyconnect is connected than discounte it and re-connect. once its connected check the routes on the anyconnect client. it will show you your internal network.

Re: Cisco AnyConnect cannot reach inside network

MHM Cisco World — Mon, 07 Feb 2022 21:59:31 GMT

it OK for me, same tunnel-group and group-policy list in sessiondb.
if you use windows please do
ipconfig

see if the ISP overlap with your split tunnel subnet.
https://confluence.uconn.edu/ikb/remote-access/virtual-private-network-vpn/cisco-anyconnect-vpn/about-split-tunneling-on-cisco-anyconnect-vpn

Re: Cisco AnyConnect cannot reach inside network

cruseb1 — Tue, 08 Feb 2022 01:31:25 GMT

Windows IP Configuration

Host Name . . . . . . . . . . . . : DESKTOP-7J3DYX2

Primary Dns Suffix . . . . . . . : LEONET.local

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : test.org

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix . : test.org

Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64

Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00

DHCP Enabled. . . . . . . . . . . : No

Autoconfiguration Enabled . . . . : Yes

Link-local IPv6 Address . . . . . : fe80::d70c:xxxx:xxxx:xxxx%34(Preferred)

Link-local IPv6 Address . . . . . : fe80::e041:xxxx:xxxx:xxxx%34(Preferred)

IPv4 Address. . . . . . . . . . . : 10.88.33.2(Preferred)

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : ::

DHCPv6 IAID . . . . . . . . . . . : 570xxxxxx

DHCPv6 Client DUID. . . . . . . . : 00-

DNS Servers . . . . . . . . . . . : 192.168.11.9

192.168.11.10

NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . : test.org

Description . . . . . . . . . . . : Intel(R) Ethernet Connection (4) I219-LM

Physical Address. . . . . . . . . : 54-B2-03-9D-44-FD

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8265

Physical Address. . . . . . . . . : E4-5E-37-AD-9D-91

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 1:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter

Physical Address. . . . . . . . . : E4-5E-37-AD-9D-92

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 2:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2

Physical Address. . . . . . . . . : E6-5E-37-AD-9D-91

DHCP Enabled. . . . . . . . . . . : No

Autoconfiguration Enabled . . . . : Yes

Mobile Broadband adapter Cellular:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Generic Mobile Broadband Adapter

Physical Address. . . . . . . . . : 94-87-91-5C-56-58

DHCP Enabled. . . . . . . . . . . : No

Autoconfiguration Enabled . . . . : Yes

IPv6 Address. . . . . . . . . . . : 2600:1006:b158:a451:2441:6b8c:4a33:9cde(Preferred)

IPv6 Address. . . . . . . . . . . : 2600:1006:b158:a451:f108:507:844a:df18(Preferred)

Temporary IPv6 Address. . . . . . : 2600:1006:b158:a451:8503:79c9:591a:f9ae(Preferred)

Link-local IPv6 Address . . . . . : fe80::f108:507:844a:df18%33(Preferred)

IPv4 Address. . . . . . . . . . . : 100.87.211.88(Preferred)

Subnet Mask . . . . . . . . . . . : 255.255.255.240

Default Gateway . . . . . . . . . : 2600:1006:b158:a451:35a4:14d2:783b:89fa

fe80::35a4:14d2:783b:89fa%33

100.87.211.89

DNS Servers . . . . . . . . . . . : 2001:4888:24:ff00:223:d::

2001:4888:25:ff00:226:d::

198.224.179.135

198.224.180.135

NetBIOS over Tcpip. . . . . . . . : Enabled

Re: Cisco AnyConnect cannot reach inside network

cruseb1 — Tue, 08 Feb 2022 01:42:14 GMT

I added the networks by name as suggested, same behavior. see attached

Re: Cisco AnyConnect cannot reach inside network

cruseb1 — Tue, 08 Feb 2022 01:54:34 GMT

Here is the config after changes requested:

ASA Version 9.12(4)18
!
hostname TEST-ASA
domain-name TEST.org
enable password XXXXXXXX
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
names
no mac-address auto
ip local pool VPN-POOL 10.88.33.1-10.88.33.254 mask 255.255.255.0

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address XXX.XXX.XXX.205 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.11.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name mcso-fl.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network cjnet-network
subnet 192.168.13.0 255.255.0.0
object network dispatch-network
subnet 192.168.12.0 255.255.255.0
object network admin-network
subnet 192.168.10.0 255.255.255.0
object network Anyconnect-network
subnet 10.88.33.0 255.255.255.0
object network inside-network
subnet 192.168.11.0 255.255.255.0
object-group network split-tunnel-networks
network-object object admin-network
network-object object cjnet-network
network-object object dispatch-network
network-object object inside-network
access-list split_tunnel standard permit 192.168.11.0 255.255.255.0
access-list split_tunnel standard permit 192.168.10.0 255.255.255.0
access-list split_tunnel standard permit 192.168.12.0 255.255.255.0
access-list outside_access_in extended permit ip object Anyconnect-network object inside-network
access-list outside_access_in extended permit ip object-group split-tunnel-networks object inside-network
access-list outside_access_in extended permit ip object Anyconnect-network 192.168.11.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
asdm image disk0:/asdm-7161.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
~~nat (inside,outside) source static split-tunnel-networks split-tunnel-networks destination static Anyconnect-network Anyconnect-network no-proxy-arp route-lookup~~ ( I removed this after seeing two nat statements)
nat (inside,outside) source static inside-network inside-network destination static Anyconnect-network Anyconnect-network
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.201 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=MCSO-ASA
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
hsts
enable
max-age 31536000
include-sub-domains
no preload
http-headers
x-content-type-options
x-xss-protection
content-security-policy
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.8.02045-webdeploy-k9.pkg 1
anyconnect profiles MCT-User_client_profile disk0:/MCT-User_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_MCT-User internal
group-policy GroupPolicy_MCT-User attributes
wins-server none
dns-server value 192.168.11.9 192.168.11.10
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value mcso-fl.org
address-pools value VPN-POOL
webvpn
anyconnect profiles value MCT-User_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username cruseb1 password $sha512$5000$WgZv0fQlt4m3IqWAQVU00Q==$5tXjLdltuxs3mTnKaECQpQ== pbkdf2 privilege 15
tunnel-group MCT-User type remote-access
tunnel-group MCT-User general-attributes
address-pool VPN-POOL
default-group-policy GroupPolicy_MCT-User
tunnel-group MCT-User webvpn-attributes
group-alias MCT-User enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7c5acc497dd2944357a1bb9caf8955eb
: end

Re: Cisco AnyConnect cannot reach inside network

cruseb1 — Tue, 08 Feb 2022 03:27:31 GMT

No overlapping networks, I have a public ip address on my cellular interface.

Re: Cisco AnyConnect cannot reach inside network

MHM Cisco World — Thu, 10 Feb 2022 00:28:43 GMT

In client windows,

route print,

Also try under change adapter optiond in win10,

Diable the use defualt gateway on remote network.

Re: Cisco AnyConnect cannot reach inside network

Sheraz.Salim — Tue, 08 Feb 2022 18:13:44 GMT

192.168.11.9 could be the winodws software firewall is enable and thats why ping is timing out. your anyconnect does have the routing table correct.

does not seem to be an issue with anyconnect config.

Re: Cisco AnyConnect cannot reach inside network

cruseb1 — Thu, 10 Feb 2022 00:00:36 GMT

When plugged into the network, clients have access to all resources including 192.168.11.9. The ASA can ping 192.168.11.9 from the inside interface. I cannot RDP or ping 192.168.11.9 from device connected to cisco asa via anyconnect.

Re: Cisco AnyConnect cannot reach inside network

MHM Cisco World — Thu, 10 Feb 2022 00:25:32 GMT

Route print,

If you can share it.

Re: Cisco AnyConnect cannot reach inside network

Sheraz.Salim — Thu, 10 Feb 2022 00:43:39 GMT

does 192.168.11.9 is added in your NAT exemption rule?

the way you describe it seems that 192.168.11.9 is showing in anyconnect routing table but ASA does have a NAT rule exeption for this IP address.

could you double check if its applied on NAT expemtion. and also could you give me output of the command "show nat detail"

all i can think is it has missing in NAT table on ASA.

Re: Cisco AnyConnect cannot reach inside network

cruseb1 — Sat, 12 Feb 2022 06:17:38 GMT

I inadvertently figured something out, So any servers that use this ASA as the default gateway can be accessed from the AnyConnect VPN.

I believe it has something to do with ARP. How can I get the ASA to allow access to all devices in the subnet? not just the devices that connect to the internet through it??

Re: Cisco AnyConnect cannot reach inside network

Aref Alsouqi — Sat, 12 Feb 2022 07:35:47 GMT

It could be that the downstream router or core switch that is being used as the default gateway by the devices that are not pointing to the firewall doesn't have a route to get back to AnyConnect pool via the firewall.

Re: Cisco AnyConnect cannot reach inside network

Sheraz.Salim — Sat, 12 Feb 2022 08:54:20 GMT

@cruseb1 it does make sense what @Aref Alsouqi mentioned. is there any layer3 device present in between the ASA behind ASA inside interface?

do you have a topology diagram of your network?