Welcome to Cisco Firewalls Community
Beginner

AnyConnect with ASA 5505--Can connect...but unable to ping

NAT config:

access-list NAT-EXEMPT extended permit ip 10.0.0.0 255.255.255.0 VPN_Clients 255.255.255.0

access-list NAT-EXEMPT extended permit ip 10.0.100.0 255.255.255.0 VPN_Clients 255.255.255.0

access-list NAT-EXEMPT extended permit ip 10.0.50.0 255.255.255.0 VPN_Clients 255.255.255.0

nat (inside) 0 access-list NAT-EXEMPT

visio.jpg

Here is also a breakdown of my static routing. 

Symptoms:

Once I've VPN'ed in, I am unable to ping:

Client->firewall inside interface

ASA->Client address

Client->inside host

Weird thing....

I can ping the first SVI addresses as well as the uplink IP address on the 2811.

Notes:

Ping is enabled

Still doesn't work, even when allowing ip any any for testing

Nat control IS enabled, and I've implemented an exemption (as seen at the top).

Any ideas?

1 ACCEPTED SOLUTION

Rising star

If you cannot ping the ASA internal interface, you are probably missing the management-access inside command.

Value our effort and rate the assistance!


8 REPLIES
Mentor

Hi,

I presume that there is an error in the picture since the ASA interface IP address and the router IP address facing the ASA are the same.

Are you saying that you can ping the 10.0.0.1 and 10.0.100.1 ?

If you can then have you checked the actual hosts for software firewall / Windows firewall settings?

Might need to see the rest of the ASA configurations to determine if there is anything in the configurations that might be a problem.

- Jouni

Beginner

Whoops!  The ASA interface is the .1 and the 2811 is the .2.

I can ping the 0.1 and the 100.1 just fine!

Windows firewall/settings have been disabled and the error is still there.

Rising star

Most probably you are missing the routes on the router to reach the AnyConnect addresses.

Value our effort and rate the assistance!
Rising star

If you could post the show route of the ASA and of the router.

Value our effort and rate the assistance!
Rising star

I just want to confirm the routing on the router, as you indicate that the default route points to the ASA.

Value our effort and rate the assistance!
Beginner

Jumora--Yep!  I got that part solved and I was missing the command you just identified!  Now I'm thinking this is not an ASA problem but an issue with my 2811--which appears to have an inter-VLAN routing issue.

I've created a separate thread here... https://supportforums.cisco.com/message/4096135#4096135

Can ping the SVI, but if I try to ping a host in a different VLAN sourcing a separate VLAN...no worky

Rising star

Kyle please rate Jouni and my assistance!!!!

Value our effort and rate the assistance!
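
The two ASA-side checks this thread turns on (NAT exemption toward the VPN pool, and the management-access command from the accepted solution), written as an added example that is not part of any post above. The helper name, the sample text (built from the thread's own lines) and the assumption of pre-8.3 `nat (inside) 0` syntax are mine.

```python
import re

# Constructed sample: the thread's NAT-exempt lines, with no management-access line.
SAMPLE = """\
access-list NAT-EXEMPT extended permit ip 10.0.0.0 255.255.255.0 VPN_Clients 255.255.255.0
access-list NAT-EXEMPT extended permit ip 10.0.100.0 255.255.255.0 VPN_Clients 255.255.255.0
access-list NAT-EXEMPT extended permit ip 10.0.50.0 255.255.255.0 VPN_Clients 255.255.255.0
nat (inside) 0 access-list NAT-EXEMPT
"""
INSIDE_NETS = [("10.0.0.0", "255.255.255.0"), ("10.0.100.0", "255.255.255.0"),
               ("10.0.50.0", "255.255.255.0")]

def audit_asa_vpn(config, inside_nets, pool="VPN_Clients", ifname="inside"):
    """Hypothetical helper: list ASA-side gaps for VPN clients reaching the inside."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    # ACLs bound as NAT exemption (NAT id 0, pre-8.3 syntax) on the interface.
    nat_re = re.compile(rf"nat \({re.escape(ifname)}\) 0 access-list (\S+)")
    bound = {m.group(1) for ln in lines if (m := nat_re.fullmatch(ln))}
    if not bound:
        findings.append(f"no NAT exemption bound to ({ifname})")

    # Source networks those ACLs exempt toward the VPN pool.
    acl_re = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
    exempt = set()
    for ln in lines:
        m = acl_re.fullmatch(ln)
        if m and m.group(1) in bound and m.group(4) == pool:
            exempt.add((m.group(2), m.group(3)))
    for net, mask in inside_nets:
        if (net, mask) not in exempt:
            findings.append(f"{net} {mask} is not NAT-exempt toward {pool}")

    # Without this line, clients arriving over the VPN cannot ping or manage
    # the ASA's own inside interface address.
    if f"management-access {ifname}" not in lines:
        findings.append(f"management-access {ifname} is not configured")
    return findings

if __name__ == "__main__":
    for finding in audit_asa_vpn(SAMPLE, INSIDE_NETS):
        print("FINDING:", finding)
```

The router-side return route to the AnyConnect pool, raised in the replies, lives in the 2811's configuration and is outside what this check reads.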