01-16-2019 10:01 PM
Dear community,
One of my companies ordered an ASA 5506-X a few weeks ago. I'm currently doing the initial configuration and wanted to set up a Client-2-Site VPN connection with access to ASDM/CLI of the ASA.
The VPN is working, nevertheless I do not have access to ASDM or CLI. I already set up NAT rules:
nat (outside,outside) source dynamic VPN interface
nat (inside_1,outside) source static internal_networks internal_networks destination static VPN VPN no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
VPN means my VPN-client IP address.
The general setup is:
INTERNET <=> ASA <=> Layer-3-Switch
The management-port of the ASA is connected to the Layer-3-Switch behind the ASA and located in subnetwork 192.168.1.0/24.
Nevertheless, my VPN client has no internet access either, nor access to ASDM/CLI.
Any ideas?
Best regards,
niLuxx
01-16-2019 10:22 PM
> The VPN is working, nevertheless I do not have access to ASDM or CLI. I already set up NAT rules:
A couple of questions to clarify the problem:
When you say the VPN is working, how did you verify it is working?
Which ASDM do you not have access to, local or remote?
Can you post the configuration of both sides so we can understand the config and make suggestions? (In most cases, if the VPN is up, you may have an ACL issue or a routing issue here.)
01-16-2019 10:42 PM
Hello,
regarding your questions:
> When you say the VPN is working, how did you verify it is working?
=> I can connect to the VPN endpoint via the AnyConnect client. My laptop also got the correct IP, subnet mask, gateway, etc.
> Which ASDM do you not have access to, local or remote?
=> I'm not sure if I understand you correctly. I can connect to ASDM/CLI when I'm onsite and connected via cable to the Layer-3-Switch.
=> I do not have access to ASDM/CLI after establishing the VPN connection via AnyConnect.
What exactly do you need out of the config? I want to avoid posting the config on a public thread...
01-16-2019 10:52 PM - edited 01-16-2019 10:53 PM
OK, so when you connect from your laptop using Cisco AnyConnect, you are able to establish the VPN connection.
But you are not able to access any resources like ASDM or internal LAN resources, if this is correct.
So you need to check the ACL here for the IP pool allocated for VPN users.
01-16-2019 10:57 PM
Exactly :-)
Regarding the ACL: I thought the same, but I already have these entries here:
1. access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
2. access-list AnyConnect_Client_Local_Print extended permit 137 any4 any4
3. access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
Wouldn't the first entry be enough?
Greetings,
niLuxx
01-16-2019 11:02 PM - edited 01-16-2019 11:03 PM
Can you remove the confidential information and post the configuration for review, please, so the best suggestion can be provided?
If that is not possible, please read the thread below.