Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1291
Views
0
Helpful
0
Replies

AnyConnect client cannot ping internal servers

derekderek
Level 1
Level 1

‎04-02-2019 08:02 PM - edited ‎04-10-2019 08:32 PM

AnyConnet VPN client can access the internet via the remote gateway, but cannot internal servers.

I followed the instructions from (first example, with tunnel all configuration)

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html#anc7


I can not ping or access the 10.10.30.99(Internal server) or 10.10.30.2 (ASA internal LAN) after connected VPN.

Could I please have some advice? Many thanks.


Here is the running config of the ASA firewall.

ciscoasa# sh run
: Saved

:
: Serial Number: xxxxxxx
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(2)
!
hostname ciscoasa
enable password $sha512$50004ioiVlAB1BL
names
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 218.255.1.106 255.255.255.240
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.30.2 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa992-lfbff-k8.SPA
ftp mode passive
clock timezone HKST 8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.10.30.64_27
subnet 10.10.30.64 255.255.255.224
object network obj-AnyConnectPool
subnet 192.168.10.0 255.255.255.0
object network obj-inside
subnet 10.10.30.0 255.255.255.0
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended deny icmp any any log inactive
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 inactive
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd inactive
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 inactive
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 inactive
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 inactive
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 inactive
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 inactive
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns inactive
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7121.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source dynamic any interface
!
object network obj-AnyConnectPool
nat (any,outside) dynamic interface
object network obj-inside
nat (any,outside) dynamic interface
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 218.255.1.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.10.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn ciscoasa.abc.com
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=10.10.30.2,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 40fc9a5c
xxxxxxxx 73ca6bab 69618806 7ff0968a 03c37684 24a4a7c9 b606a990 bcc2ec65
5d37bfc1 42eacde5 3272109f 71424c67 092d6e39 498a61dd 50808a38 9efd54c8
0ba188d6 0480712e 513c995c aed9c729 96164037 c6c08c8f 24b68d4b 61771c48
d4c22415 dec020f5 61466df8 e4cf6f93 6d2c4187 f7f9b35f 1b1f10ac 5c83b61b
c9eea529 dea832ca 782f6683 a2706287
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.30.0 255.255.255.0 inside
ssh timeout 5
ssh version 1 2
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy clientgroup internal
group-policy clientgroup attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value abc.com
dynamic-access-policy-record DfltAccessPolicy
username ssluser1 password kw4+a+2Xxxxxx2g== pbkdf2
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool vpnpool
default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
group-alias sslgroup_users enable
!
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class global-class
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:78a07e18xxxxxxxxx8af60da
: end
nameif inside
security-level 100
ip address 10.10.30.2 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa992-lfbff-k8.SPA
ftp mode passive
clock timezone HKST 8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.10.30.64_27
subnet 10.10.30.64 255.255.255.224
object network obj-AnyConnectPool
subnet 192.168.10.0 255.255.255.0
object network obj-inside
subnet 10.10.30.0 255.255.255.0
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended deny icmp any any log inactive
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7121.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source dynamic any interface
!
object network obj-AnyConnectPool
nat (any,outside) dynamic interface
object network obj-inside
nat (any,outside) dynamic interface
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 218.255.1.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.10.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn ciscoasa.abc.com
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=10.10.30.2,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 40fc9a5c
308202cc xxxxxxxx
44a4b468 2cc4ddb1 5b2a6b7d 56217bb8 96b15c79 b183ac2e 782b045d 60359ed6
c9eea529 dea832ca 782f6683 a2706287
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.30.0 255.255.255.0 inside
ssh timeout 5
ssh version 1 2
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy clientgroup internal
group-policy clientgroup attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value abc.com
dynamic-access-policy-record DfltAccessPolicy
username ssluser1 password $sha512$5xxxxxxx$0DF98kw4+a+2XO4xxxxxxx
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool vpnpool
default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
group-alias sslgroup_users enable
!
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class global-class
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:10ad9720axxxxxxx6bce
: end

 

 

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents