
Problems VPN ASA access

niLuxx
Level 1

Dear community,

One of my companies ordered an ASA 5506-X a few weeks ago. I'm currently doing the initial configuration and wanted to set up a client-to-site VPN connection with access to ASDM/CLI of the ASA.

The VPN is working, nevertheless I do not have access to ASDM or CLI. I already set up NAT rules:

nat (outside,outside) source dynamic VPN interface
nat (inside_1,outside) source static internal_networks internal_networks destination static VPN  VPN  no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface

 

VPN means my VPN-client IP address.

 

The general setup is:

INTERNET <=> ASA <=> Layer-3-Switch

The management-port of the ASA is connected to the Layer-3-Switch behind the ASA and located in subnetwork 192.168.1.0/24.

 

Nevertheless, my VPN client has no internet access either, nor access to ASDM/CLI.

Any ideas?

 

Best regards,

niLuxx

5 Replies

balaji.bandi
Hall of Fame

> The VPN is working, nevertheless I do not have access to ASDM or CLI. I already set up NAT rules:

A couple of questions to clarify the problem:

When you say the VPN is working, how did you verify it is working?

Which ASDM do you not have access to, local or remote?

Can you post the configuration from both sides so we can understand the config and make suggestions? (In most cases, if the VPN is up, you may have an ACL issue or a routing issue here.)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

 

Regarding your questions:

> When you say the VPN is working, how did you verify it is working?

=> I can connect to the VPN endpoint via AnyConnect Client. My laptop also got the correct IP, subnet mask, gateway, etc.

> Which ASDM do you not have access to, local or remote?

=> I'm not sure if I understand you correctly. I can connect to ASDM/CLI when I'm onsite and connect via cable to the Layer-3-Switch

=> I do not have access to ASDM/CLI after establishing the VPN connection via AnyConnect

 

What exactly do you need out of the config? I want to avoid posting the config on a public thread...

OK, so when you connect from your laptop using Cisco AnyConnect, you are able to establish the VPN connection.

But you are not able to access any resources like ASDM or internal LAN resources, if this is correct.

So you need to check the ACL here for the IP pool allocated for the VPN user.

 

BB


Exactly :-)

Regarding ACL. I thought the same, but I already have these entries here

 

1. access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
2. access-list AnyConnect_Client_Local_Print extended permit 137 any4 any4
3. access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns

 

Wouldn't the first entry be enough?

 

Greetings,

niLuxx
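
Added example (not part of the original thread and not Cisco code): a small first-match evaluator run over the three ACL entries quoted in the post above, showing which flows they match. It assumes ASDM on its default HTTPS port tcp/443 and SSH on tcp/22, reads a bare number in the protocol field as an IP protocol number, and says nothing about where this ACL is applied on the ASA; `parse_ace` and `evaluate` are hypothetical helper names.

```python
# Constructed input: the three ACL entries quoted in the post above.
ACL = """\
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print extended permit 137 any4 any4
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
"""

PORT_NAMES = {"lpd": 515, "netbios-ns": 137}      # ASA port keywords used above
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}  # IP protocol numbers


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if len(tok) not in (7, 9) or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, src, dst = tok[3:7]
    if (src, dst) != ("any4", "any4"):
        raise ValueError("only any4 source/destination is handled here")
    # 'ip' matches every protocol; a bare number is an IP protocol number.
    if proto == "ip":
        proto_no = None
    elif proto.isdigit():
        proto_no = int(proto)
    else:
        proto_no = PROTO_NUMBERS[proto]
    port = None
    if len(tok) == 9:
        if tok[7] != "eq":
            raise ValueError(f"unsupported port operator: {tok[7]!r}")
        port = PORT_NAMES[tok[8]] if tok[8] in PORT_NAMES else int(tok[8])
    return {"action": action, "proto": proto_no, "port": port}


def evaluate(acl_text, proto, dport):
    """First match wins; no match falls through to the implicit deny."""
    want = PROTO_NUMBERS[proto]
    for line in filter(str.strip, acl_text.splitlines()):
        ace = parse_ace(line)
        if ace["proto"] in (None, want) and ace["port"] in (None, dport):
            return ace["action"], line
    return "deny", None


if __name__ == "__main__":
    for name, proto, port in [("ASDM/HTTPS", "tcp", 443), ("SSH", "tcp", 22),
                              ("LPD", "tcp", 515), ("NetBIOS-NS", "udp", 137)]:
        print(f"{name:11} {proto}/{port}: {evaluate(ACL, proto, port)[0]}")
```

Under those assumptions, none of the three entries matches tcp/443 or tcp/22; the first entry matches only tcp/515.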

Can you remove the confidential information and post the configuration for review, please? Then the best suggestion can be provided.

If not possible, please read the thread below.

 

https://community.cisco.com/t5/vpn-and-anyconnect/urgent-remote-access-vpn-users-connects-but-can-not-access/td-p/2853808

BB
