AnyConnect users cannot reach inside network and ASA?

samhopealpha
Level 1

Here is the environment

Firewall : ASA5510 9.1(2)

ASDM : 7.1

Firewall IP : 192.168.88.1

Office Inside network : 192.168.88.x

AnyConnect VPN : 172.16.89.x

Result #1:

Office user can

- access the Internet

- access the VPN user's computer

- access the ASA firewall

Result #2:

VPN user can

- access the inside network

- access the Internet

- cannot ping/access inside network's computer

- cannot ping/access the ASA firewall

Could anybody help with where I should check?

The ASA configuration is attached.

Thanks in advance

Sam


6 Replies

There is no NAT exemption for your VPN:

nat (inside,outside) source static INSIDE-88 INSIDE-88 destination static VPN-89 VPN-89 no-proxy-arp route-lookup description NAT-Exempt for VPN

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

NAT added, but still the same result

How do you test it?

For ping you should add ICMP inspection:

policy-map global_policy

class inspection_default

  inspect icmp

And what is the difference between

Result #2:

VPN user can

- access the inside network

- cannot ping/access inside network's computer

And I forgot to mention that the NAT exemption has to be inserted *above* the other NAT statements (on ASA 8.3+ the line number goes after the interface pair):

nat (inside,outside) 1 source static ...

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks Karsten! After the NAT rule was moved to the top, the VPN user can now ping and access the inside network's computer.

But the ASA firewall still cannot be accessed by the VPN user.

For the ICMP inspection, there seems to be no big difference between turning it on or off.

Hi,

For management through the VPN you should probably use the "inside" interface IP address by inserting the following command

management-access inside

Then you should be able to connect to the "inside" IP address from VPN provided that the other configurations allow it.

- Jouni

Thanks everybody!! All problems resolved!
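The three fixes from this thread, gathered into one configuration fragment as an added example (this is not text posted by Sam, Karsten or Jouni, and it is not taken from the attached configuration). The object names INSIDE-88 and VPN-89 are the ones Karsten used; the /24 masks are assumed from Sam's "192.168.88.x" and "172.16.89.x"; everything else is standard ASA 9.1 syntax.

```cisco
! Network objects for the office LAN and the AnyConnect address pool.
! Names follow Karsten's reply; the /24 masks are an assumption.
object network INSIDE-88
 subnet 192.168.88.0 255.255.255.0
object network VPN-89
 subnet 172.16.89.0 255.255.255.0
!
! Fix 1: identity ("twice") NAT so traffic between the LAN and the VPN pool
! is never translated. The "1" after the interface pair pins this rule to
! the first line of NAT section 1, above any existing manual NAT rules;
! a more general rule above it would match first and break the exemption.
nat (inside,outside) 1 source static INSIDE-88 INSIDE-88 destination static VPN-89 VPN-89 no-proxy-arp route-lookup description NAT-Exempt for VPN
!
! Fix 2: allow management of the ASA over the tunnel via its inside
! address (192.168.88.1) rather than the outside interface.
management-access inside
!
! Fix 3: stateful ICMP inspection so echo replies are matched to their
! requests instead of depending on interface ACLs. Sam saw no difference
! for the VPN-to-inside direction, which the inside-to-outside return
! path already permits by default; it still matters for pings in the
! other direction.
policy-map global_policy
 class inspection_default
  inspect icmp
```

After applying it, `show nat` lists the rules in the order they are evaluated and shows per-rule hit counts, which is the quickest way to confirm that the exemption sits first and is actually being matched by VPN traffic.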
