topic Re: Cisco Anywhere Connect VPN: get LAN IP but can't access Internet or ping gateway in Network Security

Cisco Anywhere Connect VPN: get LAN IP but can't access Internet or ping gateway

huyan — Wed, 08 May 2019 18:39:55 GMT

Hi,

I have setup a ASA 5506-X in my office like this (pls see the commands below). In Setup Wizard, I use Anywhere Connect VPN to connect to office from home. Connection status shows success and I got an IP with correct Default gateway: 192.168.1.1. However, I can't access Internet or ping any other computers in LAN network (at office). I can't even ping the gateway 192.168.1.1. Computers at office can access Internet normally.

Please show me where I make mistake.

Thank you!

interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

ip local pool Inside_network 192.168.1.151-192.168.1.200 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address <public IP> 255.255.255.240
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any1
subnet 0.0.0.0 0.0.0.0

object network obj_192.168.1.0
subnet 192.168.1.0 255.255.255.0

!
object network obj_any1
nat (inside_1,outside) dynamic interface dns
object network obj_192.168.1.0
nat (inside_2,outside) dynamic interface dns
route outside 0.0.0.0 0.0.0.0 <public IP>

dhcpd dns 8.8.8.8 4.2.2.2
dhcpd auto_config outside
!
dhcpd address 192.168.1.50-192.168.1.150 inside
dhcpd enable inside
!

Re: Cisco Anywhere Connect VPN: get LAN IP but can't access Internet or ping gateway

Francesco Molino — Fri, 10 May 2019 03:32:48 GMT

Hi

For not being able to access your inside network, you're missing the nat exempt:

nat (inside_1,outside) source static obj_192.168.1.0 obj_192.168.1.0 destination static obj_192.168.1.0 obj_192.168.1.0 no-proxy-arp route-lookup
nat (inside_2,outside) source static obj_192.168.1.0 obj_192.168.1.0 destination static obj_192.168.1.0 obj_192.168.1.0 no-proxy-arp route-lookup

I don't see your full config but you need to validate that sysopt connection permit-vpn to allow vpn traffic to access inside hosts and bypassing asa acls otherwise you'll need to adapt your outside acl to access inside.

For Internet access, if you want your Internet traffic to be tunneled into your vpn, you'll need to apply the following nat:
nat (outside,outside) after-auto source dynamic obj_192.168.1.0 interface

If you want your Internet to be local, then you'll need to configure split vpn.

Re: Cisco Anywhere Connect VPN: get LAN IP but can't access Internet or ping gateway

huyan — Fri, 10 May 2019 05:23:48 GMT

Hi Francesco,
Your reply saved me hours of scratching my head. It works like a charm. However, I will have to learn to commands carefully. If I have problem understanding the commands, perhaps I will get back to this thread to bug you again.
Thank you very much!
Huy.

Re: Cisco Anywhere Connect VPN: get LAN IP but can't access Internet or ping gateway

Francesco Molino — Fri, 10 May 2019 12:38:37 GMT

Yes no pb, you're welcome to come back and ask your questions.