ASA 5506 / 9.6(1) - Anyconnect users cannot access internal network

bvihlidal
Level 1

I'm literally beating my head into a wall trying to figure out what I'm missing here. User can terminate AnyConnect client just fine, but cannot pass traffic through to the internal network.

Very basic setup.

74.x.x.x static IP on outside interface.

192.168.1.1/24 on inside interface

192.168.10.1-192.168.10.30 for VPN pool

Sanitized config attached.

3 Replies

Rahul Govindan
VIP Alumni

On quick glance, your config looks correct. You seem to have the right NAT, split ACLs and rules in place.

I did notice that your internal network is 192.168.1.0/24. This is the default DHCP network for a lot of home networks and routers. Is there any chance that this conflicts with your client machine IP address?

Thanks for the once over. I'd given that some thought as well, but had another user testing who swore up and down his LAN was using 192.168.0.x/24. I just changed my home LAN to use 192.168.50.0/24 and connected to this remote ASA.

I can ping the inside interface 192.168.1.1, but no host on the LAN. I thought maybe they were simply not responding to ICMP, but I do get an echo reply when initiating a ping from the inside interface of the ASA. Subsequent tests of other protocols, http/https to a WLAN AP on the local subnet (192.168.1.2), also fail. It is on the network, has an ARP entry on the ASA and responds to ICMP from the ASA, so I know it is alive.

Not sure what the heck is going on here.

If you can ping 192.168.1.1 but not the others, it might be something with the return path. Can you apply a packet capture on the inside interface when you attempt to ping the inside network?

Example here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

capture capi interface inside match ip host <vpn-ip> host <internal-ip>

Do a "show cap capi" to see any captured packets after that.
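As an added example (not from the thread or from Cisco), the script below reads pasted "show cap capi" output and classifies each internal host the VPN client pinged: requests and replies both seen on the inside interface means the path works, requests with no reply points at the host's return path (the "return path" suspicion above), and no packets at all means the traffic never reached the inside interface. The tcpdump-like line format and the sample capture are constructed assumptions, not output from a real device.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump-like format an ASA prints for
# "show capture <name>" (assumed format; not taken from a real device).
SAMPLE_CAPTURE = """\
6 packets captured
   1: 10:15:01.100000 192.168.10.5 > 192.168.1.1: icmp: echo request
   2: 10:15:01.100500 192.168.1.1 > 192.168.10.5: icmp: echo reply
   3: 10:15:02.100000 192.168.10.5 > 192.168.1.2: icmp: echo request
   4: 10:15:03.100000 192.168.10.5 > 192.168.1.2: icmp: echo request
   5: 10:15:04.100000 192.168.10.5 > 192.168.1.2: icmp: echo request
   6: 10:15:05.100000 192.168.10.5 > 192.168.1.2: icmp: echo request
6 packets shown
"""

LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)


def parse_icmp(capture_text):
    """Yield (src, dst, kind) for every ICMP echo line; other lines are skipped."""
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("kind")


def diagnose(capture_text, vpn_client, targets):
    """Classify each target host pinged from vpn_client.
    ok        - request and reply both crossed the inside interface
    no-reply  - requests left the ASA but nothing came back: check the host's
                route/default gateway for the VPN pool (return path)
    not-seen  - no request reached the inside interface: look before the
                inside interface (tunnel ACL, NAT, split tunnel, routing)"""
    requests, replies = defaultdict(int), defaultdict(int)
    for src, dst, kind in parse_icmp(capture_text):
        if kind == "request" and src == vpn_client:
            requests[dst] += 1
        elif kind == "reply" and dst == vpn_client:
            replies[src] += 1
    verdict = {}
    for host in targets:
        if requests[host] == 0:
            verdict[host] = "not-seen"
        else:
            verdict[host] = "ok" if replies[host] else "no-reply"
    return verdict
```

Run it against the thread's addresses with `diagnose(SAMPLE_CAPTURE, "192.168.10.5", ["192.168.1.1", "192.168.1.2"])`; a "no-reply" verdict for a host that answers pings sourced from the ASA itself is the signature of a missing route back to the VPN pool on that host.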
