Cisco AnyConnect VPN: get LAN IP but can't access Internet or ping gateway

huyan (Level 1)

Hi,

I have set up an ASA 5506-X in my office like this (please see the commands below). In the Setup Wizard, I use AnyConnect VPN to connect to the office from home. The connection status shows success and I get an IP with the correct default gateway, 192.168.1.1. However, I can't access the Internet or ping any other computers in the LAN (at the office). I can't even ping the gateway 192.168.1.1. Computers at the office can access the Internet normally.

Please show me where I made a mistake.

Thank you!

!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ip local pool Inside_network 192.168.1.151-192.168.1.200 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address <public IP> 255.255.255.240
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network obj_any1
subnet 0.0.0.0 0.0.0.0
!
object network obj_192.168.1.0
subnet 192.168.1.0 255.255.255.0
!
object network obj_any1
nat (inside_1,outside) dynamic interface dns
object network obj_192.168.1.0
nat (inside_2,outside) dynamic interface dns
route outside 0.0.0.0 0.0.0.0 <public IP>
!
dhcpd dns 8.8.8.8 4.2.2.2
dhcpd auto_config outside
!
dhcpd address 192.168.1.50-192.168.1.150 inside
dhcpd enable inside
!

Accepted Solution

Francesco Molino (VIP Alumni)
Hi

For not being able to access your inside network, you're missing the NAT exempt:

nat (inside_1,outside) source static obj_192.168.1.0 obj_192.168.1.0 destination static obj_192.168.1.0 obj_192.168.1.0 no-proxy-arp route-lookup
nat (inside_2,outside) source static obj_192.168.1.0 obj_192.168.1.0 destination static obj_192.168.1.0 obj_192.168.1.0 no-proxy-arp route-lookup

I don't see your full config, but you need to validate that sysopt connection permit-vpn is set, to allow VPN traffic to access inside hosts while bypassing the ASA ACLs; otherwise you'll need to adapt your outside ACL to allow access to inside.

For Internet access, if you want your Internet traffic to be tunneled into your VPN, you'll need to apply the following NAT:
nat (outside,outside) after-auto source dynamic obj_192.168.1.0 interface

If you want your Internet access to be local, then you'll need to configure split tunneling.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

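As an added illustration (not part of the thread or Cisco's tooling), the script below checks an ASA running-config excerpt for the three conditions the accepted answer raises: the per-interface identity NAT exemption, sysopt connection permit-vpn, and the (outside,outside) hairpin PAT for full-tunnel Internet access. The config excerpts are constructed from the poster's lines; the function name and regexes are this example's own.

```python
import re

# Constructed excerpt of the poster's config (not the full device config).
OP_CONFIG = """
ip local pool Inside_network 192.168.1.151-192.168.1.200 mask 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj_any1
nat (inside_1,outside) dynamic interface dns
object network obj_192.168.1.0
nat (inside_2,outside) dynamic interface dns
"""

# Same excerpt with the lines from the accepted answer appended.
FIXED_CONFIG = OP_CONFIG + """
nat (inside_1,outside) source static obj_192.168.1.0 obj_192.168.1.0 destination static obj_192.168.1.0 obj_192.168.1.0 no-proxy-arp route-lookup
nat (inside_2,outside) source static obj_192.168.1.0 obj_192.168.1.0 destination static obj_192.168.1.0 obj_192.168.1.0 no-proxy-arp route-lookup
nat (outside,outside) after-auto source dynamic obj_192.168.1.0 interface
"""

# Identity ("twice") NAT: source and destination objects are mapped to themselves.
EXEMPT_RE = re.compile(r"^nat \((\S+),outside\) source static (\S+) \2 destination static (\S+) \3")
# Hairpin PAT that lets decrypted client traffic leave the outside interface again.
HAIRPIN_RE = re.compile(r"^nat \(outside,outside\) .*source dynamic \S+ interface")


def check_vpn_nat(config, inside_ifaces=("inside_1", "inside_2")):
    """Return findings explaining why AnyConnect clients cannot reach the LAN or Internet."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # 1. Without an exemption per inside interface, the dynamic PAT rule
    #    rewrites the LAN side's replies to the VPN client and sessions break.
    exempt = {m.group(1) for l in lines if (m := EXEMPT_RE.match(l))}
    for iface in inside_ifaces:
        if iface not in exempt:
            findings.append(f"missing NAT exemption for ({iface},outside)")
    # 2. 'sysopt connection permit-vpn' is on by default and only shows in
    #    'show run all'; its explicit negation means the outside ACL must
    #    permit the VPN pool, as the accepted answer warns.
    if "no sysopt connection permit-vpn" in lines:
        findings.append("sysopt connection permit-vpn disabled: outside ACL must permit VPN pool")
    # 3. Full-tunnel clients send Internet traffic back out 'outside', which
    #    needs both the hairpin PAT and intra-interface traffic permitted.
    if not any(HAIRPIN_RE.match(l) for l in lines):
        findings.append("no (outside,outside) dynamic PAT: tunneled Internet traffic is dropped")
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("intra-interface traffic not permitted: hairpin NAT cannot work")
    return findings
```

Run check_vpn_nat(OP_CONFIG) to see the three gaps from the thread; the same call on FIXED_CONFIG returns an empty list.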

3 Replies

Hi Francesco,
Your reply saved me hours of scratching my head. It works like a charm. However, I will have to learn the commands carefully. If I have a problem understanding the commands, perhaps I will get back to this thread to bug you again.
Thank you very much!
Huy.

Yes no pb, you're welcome to come back and ask your questions.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question