Solved: AnyConnect with ASA 5505--Can connect...but unable to ping

Kyle C Barnes · ‎11-18-2013

NAT config:

access-list NAT-EXEMPT extended permit ip 10.0.0.0 255.255.255.0 VPN_Clients 255.255.255.0

access-list NAT-EXEMPT extended permit ip 10.0.100.0 255.255.255.0 VPN_Clients 255.255.255.0

access-list NAT-EXEMPT extended permit ip 10.0.50.0 255.255.255.0 VPN_Clients 255.255.255.0

nat (inside) 0 access-list NAT-EXEMPT

Here is also a breakdown of my static routing.

Symptoms:

Once I've VPN'ed in, I am unable to ping:

Client->firewall inside interface

ASA->Client address

Client->inside host

Weird thing....

I can ping the first SVI addresses as well as the uplink IP address on the 2811.

Notes:

Ping is enabled

Still doesnt work, even when allowing ip any any for testing

Nat control IS enabled, and I've implemented an exemption (as seen at the top).

Any ideas?

jumora · ‎11-18-2013

If you cannot ping the ASA internal interface you are probably missing management-access inside command

Value our effort and rate the assistance!

View solution in original post

Jouni Forss · ‎11-18-2013

Hi,

I presume that there is an error in the picture since the ASA interface IP address and the router IP address facing the ASA are the same.

Are you saying that you can ping the 10.0.0.1 and 10.0.100.1 ?

If you can then have you checked the actual hosts for software firewall / Windows firewall settings?

Might need to see the rest of the ASA configurations to determine if there is anything in the configurations that might be a problem.

- Jouni

Kyle C Barnes · ‎11-18-2013

Woops! The ASA interface is the .1 and the 2811 is the .2.

I can ping the the 0.1 and the 100.1 just fine!

Windows firewall/settings have been disabled and the error is still there.

jumora · ‎11-18-2013

Most probably you are missing the routes on the router to reach the anyconnect addresses.

Value our effort and rate the assistance!

jumora · ‎11-18-2013

If you could post the show route of the ASA and of the router.

Value our effort and rate the assistance!

jumora · ‎11-18-2013

I just want to confirm the routing on the router, as you indicate that the default route points to the ASA

Value our effort and rate the assistance!

jumora · ‎11-18-2013

If you cannot ping the ASA internal interface you are probably missing management-access inside command

Value our effort and rate the assistance!

Kyle C Barnes · ‎11-18-2013

Jumora--Yep! I got that part solved and I was missing the command you just identified! Now I'm thinking this is not an ASA problem..but an issue with my 2811-which appears to have inter-vlan routing issue.

I've created a separate thread here...https://supportforums.cisco.com/message/4096135#4096135

Can ping the SVI, but if I try to ping a host in a different VLAN sourcing a separate VLAN...no worky

jumora · ‎11-19-2013

Kyle please rate Jouni and my assistance!!!!

Value our effort and rate the assistance!