11-18-2013 02:47 PM - edited 03-11-2019 08:06 PM
NAT config:
access-list NAT-EXEMPT extended permit ip 10.0.0.0 255.255.255.0 VPN_Clients 255.255.255.0
access-list NAT-EXEMPT extended permit ip 10.0.100.0 255.255.255.0 VPN_Clients 255.255.255.0
access-list NAT-EXEMPT extended permit ip 10.0.50.0 255.255.255.0 VPN_Clients 255.255.255.0
nat (inside) 0 access-list NAT-EXEMPT
Here is also a breakdown of my static routing.
Symptoms:
Once I've VPN'ed in, I am unable to ping:
Client->firewall inside interface
ASA->Client address
Client->inside host
Weird thing....
I can ping the first SVI addresses as well as the uplink IP address on the 2811.
Notes:
Ping is enabled
Still doesn't work, even when allowing ip any any for testing
NAT control IS enabled, and I've implemented an exemption (as seen at the top).
Any ideas?
11-18-2013 04:16 PM
Hi,
I presume that there is an error in the picture since the ASA interface IP address and the router IP address facing the ASA are the same.
Are you saying that you can ping the 10.0.0.1 and 10.0.100.1 ?
If you can then have you checked the actual hosts for software firewall / Windows firewall settings?
Might need to see the rest of the ASA configurations to determine if there is anything in the configurations that might be a problem.
- Jouni
11-18-2013 05:29 PM
Woops! The ASA interface is the .1 and the 2811 is the .2.
I can ping the 0.1 and the 100.1 just fine!
Windows firewall/settings have been disabled and the error is still there.
11-18-2013 07:54 PM
Most probably you are missing the routes on the router to reach the AnyConnect addresses.
11-18-2013 07:55 PM
If you could post the show route of the ASA and of the router.
11-18-2013 07:56 PM
I just want to confirm the routing on the router, as you indicate that the default route points to the ASA.
11-18-2013 07:57 PM
If you cannot ping the ASA internal interface, you are probably missing the management-access inside command.
11-18-2013 10:53 PM
Jumora--Yep! I got that part solved and I was missing the command you just identified! Now I'm thinking this is not an ASA problem, but an issue with my 2811, which appears to have an inter-VLAN routing issue.
I've created a separate thread here: https://supportforums.cisco.com/message/4096135#4096135
Can ping the SVI, but if I try to ping a host in a different VLAN sourcing a separate VLAN...no worky
11-19-2013 09:01 AM
Kyle please rate Jouni and my assistance!!!!