04-04-2019 01:20 AM - edited 04-04-2019 02:12 AM
Hi All,
I have searched and attempted to troubleshoot the issue but still no luck. Hoping some more experienced folks can help out.
All of this is on a Home Test network.
I configured the VPN AnyConnect to access my home network, used split tunnelling, and got connected with the assigned pool all OK, but I cannot access my internal network at home. I added the management-access inside command, which enabled me to ping the inside network interface gateway, but nothing else ...
Is there anything else I am missing? Maybe I need to configure an ACL as I'm using split tunnelling, but I am unsure of the right ACL to be configured?
running config:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password sNVGYXTNm97n48wB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif Manage
security-level 100
ip address 192.168.0.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
object network Permit_Lan_IP
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.250.0_26
subnet 192.168.250.0 255.255.255.192
object network inside
subnet 192.168.1.0 255.255.255.0
object network pool
subnet 192.168.250.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list 10 standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Manage 1500
ip local pool pool 192.168.250.1-192.168.250.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network Permit_Lan_IP
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 Manage
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ciscoasa.null,O=Rush,C=UK
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate ee55a25c
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 4.2.2.2
!
dhcpd address 192.168.1.10-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macos-4.4.01054-webdeploy-k9.pkg 3
anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 4
anyconnect profiles Home_client_profile disk0:/Home_client_profile.xml
anyconnect profiles Rush_client_profile disk0:/Rush_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_Home internal
group-policy GroupPolicy_Home attributes
wins-server none
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 10
default-domain none
webvpn
anyconnect profiles value Home_client_profile type user
username Rush password wtb6igjZWtCLWRft encrypted
username Rush password VRA13ZzEzDp8PnFO encrypted
tunnel-group Home type remote-access
tunnel-group Home general-attributes
address-pool pool
default-group-policy GroupPolicy_Home
tunnel-group Home webvpn-attributes
group-alias Home enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 26
subscribe-to-alert-group configuration periodic monthly 26
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2594791be0e41bc1bd142612ed137d88
: end
04-04-2019 11:23 AM
04-04-2019 04:05 AM
You may need a "No NAT" for the AnyConnect Pool and your internal addressing. I see there is currently a PAT setup.
Try adding the following -
nat (inside,outside) source static Permit_Lan_IP Permit_Lan_IP destination static pool pool
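Added example, not part of the original thread: a small Python check that a running-config's identity (no-NAT) twice-NAT rules reference network objects that actually exist and that the exempted destination covers the AnyConnect address pool. Twice-NAT rules take `object network` or object-group names, which are a separate namespace from `ip local pool` names. The sample config is constructed from lines of the kind shown in this thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's configuration (not a verbatim copy).
SAMPLE_CONFIG = """\
object network Permit_Lan_IP
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.16.1.0_27
 subnet 10.16.1.0 255.255.255.224
ip local pool pool 10.16.1.1-10.16.1.20 mask 255.255.255.0
nat (inside,outside) source static Permit_Lan_IP Permit_Lan_IP destination static pool pool
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.16.1.0_27 NETWORK_OBJ_10.16.1.0_27 no-proxy-arp route-lookup
"""

NAT_RE = re.compile(r"^nat \([^,\s]+,[^,\s]+\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")


def parse_objects(config):
    """Map each 'object network' name to its subnet (host/range objects are skipped)."""
    objects, current = {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["object", "network"] and len(words) == 3:
            current = words[2]
        elif words[:1] == ["subnet"] and len(words) == 3 and current:
            objects[current] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
    return objects


def parse_pools(config):
    """Map each 'ip local pool' name to its (first, last) address."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def audit_nat_exemptions(config):
    """Report undefined object names and whether each pool is NAT-exempted."""
    objects, pools = parse_objects(config), parse_pools(config)
    undefined, covered = [], {name: False for name in pools}
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        src_real, src_mapped, dst_real, dst_mapped = m.group(1, 2, 3, 4)
        if src_real != src_mapped or dst_real != dst_mapped:
            continue  # addresses are translated, so this is not an exemption
        missing = [n for n in (src_real, dst_real) if n != "any" and n not in objects]
        if missing:
            undefined.append((line.strip(), missing))  # the ASA would reject this rule
            continue
        dst_net = objects.get(dst_real)  # None means destination 'any'
        for name, (first, last) in pools.items():
            if dst_net is None or (first in dst_net and last in dst_net):
                covered[name] = True
    return {"undefined": undefined, "covered": covered}


if __name__ == "__main__":
    print(audit_nat_exemptions(SAMPLE_CONFIG))
```
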
04-04-2019 05:41 AM - edited 04-04-2019 05:55 AM
Hi, sorry, I had made some changes to the config ... just the VPN pool IP changed, to avoid some confusion.
But when I issued your command it said "doesn't match an existing object or object-group" ... here is the new config:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password sNVGYXTNm97n48wB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif Manage
security-level 100
ip address 192.168.0.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
object network Permit_Lan_IP
subnet 192.168.1.0 255.255.255.0
object network inside
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.16.1.0_27
subnet 10.16.1.0 255.255.255.224
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list Internal standard permit 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Manage 1500
ip local pool pool 10.16.1.1-10.16.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.16.1.0_27 NETWORK_OBJ_10.16.1.0_27 no-proxy-arp route-lookup
!
object network Permit_Lan_IP
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 Manage
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ciscoasa.null,O=Rush,C=UK
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate ee55a25c
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 4.2.2.2
!
dhcpd address 192.168.1.10-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macos-4.4.01054-webdeploy-k9.pkg 3
anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 4
anyconnect profiles Home_client_profile disk0:/Home_client_profile.xml
anyconnect profiles Rush_client_profile disk0:/Rush_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
split-tunnel-network-list value NONAT
group-policy GroupPolicy_Home internal
group-policy GroupPolicy_Home attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Internal
default-domain none
webvpn
anyconnect profiles value Home_client_profile type user
username Rush password wtb6igjZWtCLWRft encrypted
username Rushmach password VRA13ZzEzDp8PnFO encrypted
tunnel-group Home type remote-access
tunnel-group Home general-attributes
address-pool pool
default-group-policy GroupPolicy_Home
tunnel-group Home webvpn-attributes
group-alias Home enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 26
subscribe-to-alert-group configuration periodic monthly 26
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6b09bd746e4908adff634726c98d8b94
: end
ciscoasa(config)#
04-04-2019 06:25 AM
04-04-2019 06:59 AM
Username : Rush Index : 35
Assigned IP : 10.16.1.1 Public IP : 196.33.234.23
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AES128 Hashing : none SHA1
Bytes Tx : 10780 Bytes Rx : 5679
Group Policy : GroupPolicy_Home Tunnel Group : Home
Login Time : 14:09:38 UTC Thu Apr 4 2019
Duration : 0h:01m:26s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
That's the result, and yes, I can ping the inside GW from the client.
04-04-2019 07:46 AM
Is the ASA the GW for the Inside traffic or is there another layer 3 device in between? Do your inside hosts know how to get back to the VPN Subnet?
How are you testing connectivity between the AnyConnect client and your inside network? Just ICMP?
04-04-2019 07:53 AM
Hi, yes, one port is configured to be the GW inside interface on the ASA, and no other layer 3 devices, just an unmanaged SW to go to my inside network server/PC (which I am trying to get to - 192.168.1.11).
Yes I am just trying to ping the GW from the AnyConnect client and that is successful.
Do your inside hosts know how to get back to the VPN Subnet? -- I don't think so ... should I create a NAT rule for that?
Thanks a lot for your input so far :)
04-04-2019 08:12 AM
04-04-2019 11:07 AM
04-04-2019 11:23 AM
04-05-2019 12:19 AM
Hi Grant, late last night I added an access rule, outside access in, ip,icmp service, and reconfigured the VPN from scratch, and it's all working now … Really appreciate your time, and it definitely helped me troubleshoot. Thanks a lot :)