08-16-2013 12:33 AM - edited 03-11-2019 07:26 PM
Here is the environment
Firewall : ASA5510 9.1(2)
ASDM : 7.1
Firewall IP : 192.168.88.1
Office Inside network : 192.168.88.x
AnyConnect VPN : 172.16.89.x
Result #1:
Office user can
- access the Internet
- access to VPN User's computer
- access to ASA firewall
Result #2:
VPN user can
- access the inside network
- access the Internet
- cannot ping/access inside network's computer
- cannot ping/access the ASA firewall
Could anybody help with where I should check?
Attached is the ASA configuration.
Thanks in advance
Sam
08-16-2013 12:43 AM
There is no NAT exemption for your VPN:
nat (inside,outside) source static INSIDE-88 INSIDE-88 destination static VPN-89 VPN-89 no-proxy-arp route-lookup description NAT-Exempt for VPN
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-16-2013 12:53 AM
NAT added, but still the same result
08-16-2013 12:58 AM
How do you test it?
For Ping you should add the ICMP-Inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
And what is the difference between
Result #2:
VPN user can
- access the inside network
- cannot ping/access inside network's computer
And I forgot to mention that the nat-exemption has to be inserted *above* the other nat-statements:
nat 1 (inside,outside) source ...
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-16-2013 01:19 AM
Thanks Karsten~ after the NAT has been moved to the top, the VPN user can ping and access the inside network's computers now,
but the ASA firewall still cannot be accessed by the VPN user.
For the ICMP inspection, there seems to be no big difference between turning it ON or OFF.
08-16-2013 01:22 AM
Hi,
For management through the VPN you should probably use the "inside" interface IP address by inserting the following command
management-access inside
Then you should be able to connect to the "inside" IP address from VPN provided that the other configurations allow it.
- Jouni
08-16-2013 01:27 AM
Thanks everybody!! All problems resolved!
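The three fixes from this thread (NAT exemption ordering, ICMP inspection, management-access) pulled together as one ASA 9.1 config fragment, with the verification commands a practitioner would run afterwards. This is an added example, not the configuration Sam attached; the object names INSIDE-88 and VPN-89 come from the thread, while the /24 masks, the existence of a manual (section 1) interface PAT rule, and the test host addresses are assumptions.

```cisco
! Added example; not the thread's posted config. Masks, the manual PAT rule
! and the packet-tracer addresses are assumptions.
object network INSIDE-88
 subnet 192.168.88.0 255.255.255.0
object network VPN-89
 subnet 172.16.89.0 255.255.255.0
!
! Weak ordering (the state before Karsten's hint): manual NAT is first-match,
! so with the PAT rule listed first, inside -> 172.16.89.x traffic is PAT'd
! to the outside address and the exemption beneath it is never reached.
!   nat (inside,outside) source dynamic INSIDE-88 interface
!   nat (inside,outside) source static INSIDE-88 INSIDE-88 destination static VPN-89 VPN-89 no-proxy-arp route-lookup
!
! Corrected: line number 1 puts the exemption ahead of the PAT rule.
nat (inside,outside) 1 source static INSIDE-88 INSIDE-88 destination static VPN-89 VPN-89 no-proxy-arp route-lookup description NAT-Exempt for VPN
nat (inside,outside) source dynamic INSIDE-88 interface
!
! Stateful ICMP inspection so echo replies are matched to their requests
! instead of relying on a blanket ICMP permit.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Lets VPN clients reach the ASA's own inside address (ASDM/SSH/ping) through
! the tunnel, which a VPN user cannot do against the outside address.
management-access inside
!
! Verification (enable mode): confirm rule order and hit counts, then trace a
! simulated echo request from an inside host to a VPN client. The trace should
! report the exemption rule (untranslated), not the PAT rule.
!   show nat
!   packet-tracer input inside icmp 192.168.88.10 8 0 172.16.89.5
```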