https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314169#M344578 <HTML><HEAD></HEAD><BODY><P>Thanks Karsten~ after the NAT has been moved to the above, VPN user can ping and access the inside network's computer now, </P><P></P><P>But the ASA firewall still cannot be accessed by VPN user.</P><P></P><P>For the ICMP-inspection, seems there is no big difference between turning it ON or OFF</P></BODY></HTML> Fri, 16 Aug 2013 08:19:35 GMT samhopealpha 2013-08-16T08:19:35Z https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314165#M344570 <P>Here is the envirnoment</P><P></P><P><SPAN style="font-size: 10pt;">Firewall : ASA5510 9.1(2)</SPAN></P><P>ASDM : 7.1</P><P>Firewall IP : 192.168.88.1</P><P>Office Inside network : 192.168.88.x</P><P>AnyConnect VPN : 172.16.89.x</P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P>Result #1: </P><P>Office user can </P><P>- access the Internet </P><P>- access to VPN User's computer</P><P>- access to ASA firewall</P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P>Result #2:</P><P>VPN user can</P><P>- access the inside network</P><P>- access the Internet</P><P><SPAN style="color: #ff0000;">- cannot ping/access inside network's computer</SPAN></P><P><SPAN style="color: #ff0000;">- cannot ping/access the ASA firewall</SPAN></P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P>Anybody could help where should I need to check?</P><P>Attached with the ASA configuration</P><P>Thanks in advance</P><P>Sam</P> Tue, 12 Mar 2019 02:26:30 GMT https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314165#M344570 samhopealpha 2019-03-12T02:26:30Z https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314166#M344572 <HTML><HEAD></HEAD><BODY><P>there is no nat-exemption for your vpn:</P><P></P><P><SPAN style="font-family: 'courier new', courier;">nat (inside,outside) source static INSIDE-88 INSIDE-88 destination static VPN-89 VPN-89 no-proxy-arp route-lookup description NAT-Exempt for VPN</SPAN></P><P></P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni" rel="nofollow">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Fri, 16 Aug 2013 07:43:18 GMT https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314166#M344572 Karsten Iwen 2013-08-16T07:43:18Z https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314167#M344573 <HTML><HEAD></HEAD><BODY><P>NAT added, but still the same result</P></BODY></HTML> Fri, 16 Aug 2013 07:53:11 GMT https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314167#M344573 samhopealpha 2013-08-16T07:53:11Z https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314168#M344575 <HTML><HEAD></HEAD><BODY><P>How do you test it?</P><P></P><P>For Ping you should add the ICMP-Inspection:</P><P></P><P><SPAN style="font-family: 'courier new', courier;">policy-map global_policy</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> class inspection_default</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; inspect icmp </SPAN></P><P></P><P>And what is the difference between</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Result #2:</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">VPN user can</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">- access the inside network</P><P><SPAN style="color: #ff0000;">- cannot ping/access inside network's computer</SPAN></P><P></P><P>And I forgot to mention that the nat-exemption has to be inserted *above* the other nat-statements:</P><P></P><P><SPAN style="font-family: 'courier new', courier;">nat <STRONG>1</STRONG> (inside,outside) source ...</SPAN></P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni" rel="nofollow">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Fri, 16 Aug 2013 07:58:48 GMT https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314168#M344575 Karsten Iwen 2013-08-16T07:58:48Z https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314169#M344578 <HTML><HEAD></HEAD><BODY><P>Thanks Karsten~ after the NAT has been moved to the above, VPN user can ping and access the inside network's computer now, </P><P></P><P>But the ASA firewall still cannot be accessed by VPN user.</P><P></P><P>For the ICMP-inspection, seems there is no big difference between turning it ON or OFF</P></BODY></HTML> Fri, 16 Aug 2013 08:19:35 GMT https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314169#M344578 samhopealpha 2013-08-16T08:19:35Z https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314170#M344579 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>For management through the VPN you should probably use the <STRONG>"inside"</STRONG> interface IP address by inserting the following command</P><P></P><P><STRONG>management-access inside</STRONG></P><P></P><P>Then you should be able to connect to the <STRONG>"inside"</STRONG> IP address from VPN provided that the other configurations allow it.</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 16 Aug 2013 08:22:52 GMT https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314170#M344579 Jouni Forss 2013-08-16T08:22:52Z https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314171#M344580 <HTML><HEAD></HEAD><BODY><P>Thanks everybody!! all problems resolved !</P></BODY></HTML> Fri, 16 Aug 2013 08:27:39 GMT https://community.cisco.com/t5/network-security/anyconnect-users-cannot-reach-inside-network-and-asa/m-p/2314171#M344580 samhopealpha 2013-08-16T08:27:39Z