Solved: Re: Anyconnect client can't ping gateway

gregbeifuss · ‎09-09-2009

I'm trying to implement anyconnect for some users in our organization. Once clients connect to VPN via. anyconnect, they can't access anything, including their default gateway (via ping). I'm not sure what I've done wrong, but am hoping that it's a quick fix someone can point out to me. It's a little frustrating as I had this working in the lab, but can't see any obvious errors.

VPN Pool: 192.168.200.0/24

inside ASA interface 192.168.2.1

Grateful for any help received,

Greg

:

ASA Version 8.2(1)

!

hostname asaoutsidedmz

enable password 123 encrypted

passwd 123 encrypted

names

!

interface Ethernet0/0

description link to ISP router / WAN

nameif outside

security-level 0

ip address x.x.x.235 255.255.255.224

!

interface Ethernet0/1

description internal LAN interface

shutdown

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/2

description DMZ interface

nameif dmz

security-level 50

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

!

boot system disk0:/asa821-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup outside

dns domain-lookup dmz

dns server-group DefaultDNS

domain-name cisco.com

access-list outside_access_in extended permit tcp any host x.x.x.232 eq www

access-list outside_access_in extended permit tcp any host x.x.x.234 eq ssh

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

ip local pool SSLVPNDHCP 192.168.200.20-192.168.200.25 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

global (dmz) 10 interface

nat (inside) 10 0.0.0.0 0.0.0.0

nat (dmz) 10 0.0.0.0 0.0.0.0

static (dmz,outside) x.x.x.232 192.168.2.18 netmask 255.255.255.255

static (dmz,outside) x.x.x.234 192.168.2.36 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.225 1

dynamic-access-policy-record DfltAccessPolicy

aaa-server RADIUS protocol radius

aaa-server TACACS+ protocol tacacs+

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

no crypto isakmp nat-traversal

telnet timeout 5

console timeout 5

management-access inside

!

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy SSLVPN internal

group-policy SSLVPN attributes

banner value SSL VPN Profile

vpn-simultaneous-logins 1

vpn-idle-timeout 30

vpn-tunnel-protocol l2tp-ipsec svc

webvpn

svc ask none default svc

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

username test11 password 123 encrypted privilege 0

username test11 attributes

service-type remote-access

tunnel-group SSLVPNTunnel type remote-access

tunnel-group SSLVPNTunnel general-attributes

address-pool SSLVPNDHCP

default-group-policy SSLVPN

tunnel-group SSLVPNTunnel webvpn-attributes

group-alias AgricorpVPN enable

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

!

service-policy global_policy global

prompt hostname context

: end

Todd Pula · ‎09-11-2009

A few things to look at. First, the e0/1 interface is shutdown in the above config so the connecting clients will not be able to reach devices on the "inside" of the ASA. Second, you do not have NAT 0 rules configured to exempt the return traffic from the LAN or DMZ towards the client IP pool.

View solution in original post

Todd Pula · ‎09-11-2009

A few things to look at. First, the e0/1 interface is shutdown in the above config so the connecting clients will not be able to reach devices on the "inside" of the ASA. Second, you do not have NAT 0 rules configured to exempt the return traffic from the LAN or DMZ towards the client IP pool.

gregbeifuss · ‎09-11-2009

Sorry, I should have been clearer. I'm only using the outside and DMZ interfaces. E0/1 (inside) is shut down by design, but I'll give the NAT rule a go.

jason.espino · ‎09-11-2009

Definitely setup the NAT exempt rule and setup an ACL to allow communication between the DMZ network and the anyconnect VPN user pool. Also, associate that ACL entry to the SSL VPN group-policy.

Something like the following:

access-list anyconnect-client 192.168.2.1 255.255.255.0 192.168.200.20 255.255.255.252

access-list anyconnect-client 192.168.2.1 255.255.255.0 192.168.200.24 255.255.255.254

group-policy SSLVPN attributes

banner value SSL VPN Profile

vpn-simultaneous-logins 1

vpn-idle-timeout 30

vpn-tunnel-protocol l2tp-ipsec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value anyconnect-client

The users are able to retrive an IP from the ip pool (SSLVPNDHCP) configured however, there is no rule to allow commucation between the DMZ network and the SSL user pool.

Hope the info helps out!

- Jason

gregbeifuss · ‎09-14-2009

I ended up issuing the following commands on the firewall which have helped the issue:

access-list no_nat_vpn extended permit ip host any 192.168.200.0 255.255.255.0

nat (dmz) 0 access-list no_nat_vpn