AnyConnect VPN - Cannot ping internal network

machine23
Level 1

 

Hi All,

I have searched and attempted to troubleshoot the issue but still no luck. Hoping some more experienced folks can help out.

All of this is on a Home Test network.

 

I configured AnyConnect VPN to access my home network, used split tunnelling, got connected with the assigned pool all OK, but I cannot access my internal network at home. I added the management-access inside command, which enabled me to ping the inside network interface gateway, but nothing else...

 

Is there anything else I am missing? Maybe I need to configure an ACL as I'm using split tunnelling, but I am unsure of the right ACL to be configured?

 

Running config:

 

 

ASA Version 8.6(1)2 

!

hostname ciscoasa

enable password sNVGYXTNm97n48wB encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address dhcp setroute 

!

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 192.168.1.1 255.255.255.0 

!

interface GigabitEthernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/4

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/5

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 nameif Manage

 security-level 100

 ip address 192.168.0.1 255.255.255.0 

 management-only

!

ftp mode passive

same-security-traffic permit inter-interface

object network Permit_Lan_IP

 subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_192.168.250.0_26

 subnet 192.168.250.0 255.255.255.192

object network inside

 subnet 192.168.1.0 255.255.255.0

object network pool

 subnet 192.168.250.0 255.255.255.0

object-group protocol DM_INLINE_PROTOCOL_2

 protocol-object ip

 protocol-object icmp

access-list 10 standard permit 192.168.1.0 255.255.255.0 

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu Manage 1500

ip local pool pool 192.168.250.1-192.168.250.50 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network Permit_Lan_IP

 nat (inside,outside) dynamic interface

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.0.0 255.255.255.0 Manage

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev2 ipsec-proposal DES

 protocol esp encryption des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

 protocol esp encryption 3des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

 protocol esp encryption aes

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

 protocol esp encryption aes-192

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

 protocol esp encryption aes-256

 protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

 enrollment terminal

 subject-name CN=ciscoasa.null,O=Rush,C=UK

 crl configure

crypto ca trustpoint ASDM_TrustPoint1

 enrollment self

 subject-name CN=ciscoasa

 crl configure

crypto ca certificate chain ASDM_TrustPoint1

 certificate ee55a25c

  quit

crypto ikev2 policy 1

 encryption aes-256

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 10

 encryption aes-192

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 20

 encryption aes

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 30

 encryption 3des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 40

 encryption des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint1

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 4.2.2.2

!

dhcpd address 192.168.1.10-192.168.1.254 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint1 outside

webvpn

 enable outside

 anyconnect-essentials

 anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1

 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2

 anyconnect image disk0:/anyconnect-macos-4.4.01054-webdeploy-k9.pkg 3

 anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 4

 anyconnect profiles Home_client_profile disk0:/Home_client_profile.xml

 anyconnect profiles Rush_client_profile disk0:/Rush_client_profile.xml

 anyconnect enable

 tunnel-group-list enable

group-policy GroupPolicy_Home internal

group-policy GroupPolicy_Home attributes

 wins-server none

 vpn-tunnel-protocol ikev2 ssl-client 

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value 10

 default-domain none

 webvpn

  anyconnect profiles value Home_client_profile type user

username Rush password wtb6igjZWtCLWRft encrypted

username Rush password VRA13ZzEzDp8PnFO encrypted

tunnel-group Home type remote-access

tunnel-group Home general-attributes

 address-pool pool

 default-group-policy GroupPolicy_Home

tunnel-group Home webvpn-attributes

 group-alias Home enable

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect ip-options 

  inspect netbios 

  inspect rsh 

  inspect rtsp 

  inspect skinny  

  inspect esmtp 

  inspect sqlnet 

  inspect sunrpc 

  inspect tftp 

  inspect sip  

  inspect xdmcp 

!

service-policy global_policy global

prompt hostname context 

no call-home reporting anonymous

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly 26

  subscribe-to-alert-group configuration periodic monthly 26

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:2594791be0e41bc1bd142612ed137d88

: end       


10 Replies

GRANT3779
Spotlight

You may need a "No NAT" for the AnyConnect pool and your internal addressing. I see there is currently a PAT set up.

 

Try adding the following -

 

nat (inside,outside) source static Permit_Lan_IP Permit_Lan_IP destination static pool pool

Hi, sorry, I had made some changes to the config, just the VPN pool IP changed to avoid some confusion,

but when I issued your command it said it doesn't match an existing object or object-group. Here is the new config:

 


ASA Version 8.6(1)2
!
hostname ciscoasa
enable password sNVGYXTNm97n48wB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif Manage
security-level 100
ip address 192.168.0.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
object network Permit_Lan_IP
subnet 192.168.1.0 255.255.255.0
object network inside
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.16.1.0_27
subnet 10.16.1.0 255.255.255.224
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list Internal standard permit 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Manage 1500
ip local pool pool 10.16.1.1-10.16.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.16.1.0_27 NETWORK_OBJ_10.16.1.0_27 no-proxy-arp route-lookup
!
object network Permit_Lan_IP
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 Manage
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ciscoasa.null,O=Rush,C=UK
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate ee55a25c
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 4.2.2.2
!
dhcpd address 192.168.1.10-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macos-4.4.01054-webdeploy-k9.pkg 3
anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 4
anyconnect profiles Home_client_profile disk0:/Home_client_profile.xml
anyconnect profiles Rush_client_profile disk0:/Rush_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
split-tunnel-network-list value NONAT
group-policy GroupPolicy_Home internal
group-policy GroupPolicy_Home attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Internal
default-domain none
webvpn
anyconnect profiles value Home_client_profile type user
username Rush password wtb6igjZWtCLWRft encrypted
username Rushmach password VRA13ZzEzDp8PnFO encrypted
tunnel-group Home type remote-access
tunnel-group Home general-attributes
address-pool pool
default-group-policy GroupPolicy_Home
tunnel-group Home webvpn-attributes
group-alias Home enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 26
subscribe-to-alert-group configuration periodic monthly 26
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6b09bd746e4908adff634726c98d8b94
: end
ciscoasa(config)#

When you connect can you run the following command on the ASA -
show vpn-sessiondb anyconnect

Did you say you can ping the Inside GW from the anyconnect client?

Username : Rush Index : 35
Assigned IP : 10.16.1.1 Public IP : 196.33.234.23
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AES128 Hashing : none SHA1
Bytes Tx : 10780 Bytes Rx : 5679
Group Policy : GroupPolicy_Home Tunnel Group : Home
Login Time : 14:09:38 UTC Thu Apr 4 2019
Duration : 0h:01m:26s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

 

That's the result, and yes, I can ping the inside GW from the client.

Is the ASA the GW for the Inside traffic or is there another layer 3 device in between? Do your inside hosts know how to get back to the VPN Subnet?

 

How are you testing connectivity between the Anyconnect client and your inside network? Just ICMP?

Hi, yes, one port is configured to be the inside GW interface on the ASA, and there are no other layer 3 devices, just an unmanaged switch to my inside network server/PC (which I am trying to get to, 192.168.1.11).

 

Yes I am just trying to ping the GW from the AnyConnect client and that is successful.

 

Do your inside hosts know how to get back to the VPN subnet? -- I don't think so. Should I create a NAT rule for that?

 

Thanks a lot for your input so far :)

 

 

Try adding the following on the FW under the global policy; currently you are not inspecting ICMP:

policy-map global_policy
class inspection_default
inspect icmp

That did not help, I'm afraid :(

Are you sure the server is not receiving the ICMP and just not replying / dropping it? I would run Wireshark on the server and test your pings to it. See if they reach the server.
You can also run the embedded packet-tracer command on the firewall to mimic traffic from the AnyConnect client to the server. I would check the server first, as if you can ping the GW I'd expect you to be able to hit anything behind it.

Hi Grant, late last night I added an access rule (outside, access in, ip/icmp service) and reconfigured the VPN from scratch, and it's all working now. Really appreciate your time; it definitely helped me troubleshoot. Thanks a lot :)
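The checks Grant walks through in this thread (split-tunnel list covering the inside subnet, NAT exemption for the pool, inspect icmp, a packet-tracer simulation from the pool address) gathered into one script, as an added example that is not from the thread or from Cisco. It runs over a constructed excerpt modelled on the second config; the packet-tracer syntax and the flag on DES/3DES/MD5 lines are the editor's assumptions, not something the thread states.

```python
import re
from ipaddress import ip_address, ip_network

def parse_asa_config(text):
    """Collect the config pieces that govern AnyConnect split-tunnel reachability."""
    cfg = dict(objects={}, pools={}, std_acls={}, nat_exempt=[], split={}, inspect_icmp=False, weak=[])
    obj = gp = None
    for line in text.splitlines():
        s = line.strip()  # pasted configs often lose their indentation
        if m := re.match(r"object network (\S+)$", s):
            obj = m[1]
        elif (m := re.match(r"subnet (\S+) (\S+)$", s)) and obj:
            cfg["objects"][obj] = ip_network(f"{m[1]}/{m[2]}")
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", s):
            cfg["pools"][m[1]] = (ip_address(m[2]), ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)", s):
            cfg["std_acls"].setdefault(m[1], []).append(ip_network(f"{m[2]}/{m[3]}"))
        elif m := re.match(r"nat \(inside,outside\) source static (\S+) \S+ "
                           r"destination static (\S+) \S+", s):
            cfg["nat_exempt"].append((m[1], m[2]))  # (inside object, pool object)
        elif m := re.match(r"group-policy (\S+) attributes", s):
            gp = m[1]
        elif (m := re.match(r"split-tunnel-network-list value (\S+)", s)) and gp:
            cfg["split"][gp] = m[1]
        elif s == "inspect icmp":
            cfg["inspect_icmp"] = True
        elif s.startswith(("crypto", "encryption", "protocol esp", "hash")) and \
                re.search(r"\b(des|3des|md5)\b", s, re.I):
            cfg["weak"].append(s)  # legacy ciphers/hashes still offered to clients
    return cfg

def check_reachability(cfg, inside, pool_name, group_policy):
    """Return findings that explain why pool clients may not reach `inside`."""
    inside, objs = ip_network(inside), cfg["objects"]
    first, last = cfg["pools"][pool_name]
    findings = []
    acl = cfg["split"].get(group_policy)
    if not any(inside.subnet_of(n) for n in cfg["std_acls"].get(acl, [])):
        findings.append(f"split-tunnel list {acl!r} does not cover {inside}")
    # NAT exemption: source 'any' or an object containing inside, destination holding the pool
    exempt = any((src == "any" or (src in objs and inside.subnet_of(objs[src])))
                 and dst in objs and first in objs[dst] and last in objs[dst]
                 for src, dst in cfg["nat_exempt"])
    if not exempt:
        findings.append("no NAT exemption between inside and the pool (twice-NAT identity rule missing)")
    if not cfg["inspect_icmp"]:
        findings.append("'inspect icmp' is not in global_policy")
    if cfg["weak"]:
        findings.append(f"{len(cfg['weak'])} crypto lines still offer DES/3DES/MD5")
    return findings

def packet_tracer_cmd(cfg, pool_name, host):
    # Echo-request simulation from the first pool address (ASA CLI syntax, editor's assumption)
    return f"packet-tracer input outside icmp {cfg['pools'][pool_name][0]} 8 0 {host}"

# Constructed excerpt modelled on the thread's second config, not the full paste.
SAMPLE = """object network inside
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.16.1.0_27
 subnet 10.16.1.0 255.255.255.224
access-list Internal standard permit 192.168.1.0 255.255.255.0
ip local pool pool 10.16.1.1-10.16.1.20 mask 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.16.1.0_27 NETWORK_OBJ_10.16.1.0_27 no-proxy-arp route-lookup
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
group-policy GroupPolicy_Home attributes
 split-tunnel-network-list value Internal
"""
```

Against a saved copy of the full config, call `check_reachability(parse_asa_config(open("running.cfg").read()), "192.168.1.0/24", "pool", "GroupPolicy_Home")` and work through the findings before touching the interface ACLs.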
