04-12-2014 06:05 PM - edited 03-11-2019 09:04 PM
Hi Everyone,
I am using ASA ver 9.1 with AnyConnect config for full tunnel access.
I am able to connect using AnyConnect fine.
I can access the inside network subnet 10.0.0.0 fine.
But I cannot access internet websites and the other network, Sales, which is an ASA interface.
Internal Network is 10.0.0.x, VPN pool is 10.10.10.x
Sales Network is 10.12.12.0
When I try to access Google from the PC, the log shows
Apr 12 2014 18:28:41: %ASA-6-302016: Teardown UDP connection 192674 for outside:10.10.10.10/54401(LOCAL\anyconnect_user) to outside:64.59.144.19/53 duration 0:02:08 bytes 180 (anyconnect_user)
When I try to ping 4.2.2.2 from the PC:
Apr 12 2014 18:29:07: %ASA-6-302021: Teardown ICMP connection for faddr 10.10.10.10/1(LOCAL\anyconnect_user) gaddr 4.2.2.2/0 laddr 4.2.2.2/0 (anyconnect_user)
Regards
Mahesh
04-12-2014 08:22 PM
Hi Mahesh,
Do you have a nat(outside,outside) statement as is needed for hairpinning remote access VPN traffic to the Internet?
Please refer to the following thread for an example;
https://supportforums.cisco.com/discussion/11264941/asa-hairpinning-remote-vpn-users-84
You may also want to have a look at Paul Stewart's blog post on his site as he explains it nicely:
http://www.packetu.com/2013/04/02/cisco-asa-8-4-vpn-dealing-with-internet-hairpin-traffic/
04-13-2014 07:25 AM
Hi Marvin,
After adding
nat (outside,outside) source dynamic vpn_pool_ip interface
I am able to ping internet websites while connected via AnyConnect.
I have a Router connected to the ASA over the inside interface.
ASA inside interface IP is 10.0.0.1
Router IP is 10.0.0.2
While connected via VPN I can ping and SSH to 10.0.0.2 as I have the NAT config
nat (inside,outside) source static inside inside destination static inside inside
Is this config right?
But I cannot ping internet websites from the Router with the above config.
If I add the below config
nat (inside,outside) 1 source dynamic NETWORK_OBJ_10.0.0.0_24 interface
Then the router can ping internet websites but I cannot ping the 10.0.0.2 IP while on VPN.
Best Regards
Mahesh
04-13-2014 09:22 AM
Keep in mind your VPN clients are seen as outside addresses - even though you are assigning them a private IP address from your vpn_pool_ip.
So when your router is set up to access the Internet (outside) with the nat(inside,outside) statement you mentioned just now, it will also first need a NAT exemption for the vpn_pool_ip.
We want to make sure it is at the top of the list (or at least precedes the dynamic NAT you set up already) so we would use the following statement in the configuration file:
nat (inside,outside) 1 source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static vpn_pool_ip vpn_pool_ip
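The two NAT problems in this thread (VPN clients needing a nat (outside,outside) hairpin rule to reach the Internet, and the identity-NAT exemption for vpn_pool_ip having to sit ahead of the dynamic PAT) both come down to how the ASA walks its twice-NAT rules top-down and stops at the first match. The following Python model is an added example, not code from the thread, from Cisco or from any ASA; it reproduces the thread's three NAT statements as rule objects and shows which source address each packet leaves with under each ordering. The outside interface address 203.0.113.2 and the routing table are constructed; the model ignores ASA details such as NAT-based route lookup and the same-security-traffic requirement for intra-interface traffic.

```python
"""Toy model of ASA twice-NAT (section 1) evaluation: first matching rule wins.

Added example. The inside subnet, VPN pool and NAT statements are from the thread;
the outside interface address and the routing table are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (only the inside address 10.0.0.1 appears in the thread).
IFACE_IP = {"inside": ip_address("10.0.0.1"), "outside": ip_address("203.0.113.2")}

# Constructed routing: the LAN is via inside; the VPN pool (tunnelled) and the
# Internet are both via outside, which is why client-to-Internet traffic hairpins.
ROUTES = [
    (ip_network("10.0.0.0/24"), "inside"),
    (ip_network("10.10.10.0/24"), "outside"),
    (ip_network("0.0.0.0/0"), "outside"),
]


def egress_for(dst: str) -> str:
    """Longest-prefix match over the constructed routing table."""
    d = ip_address(dst)
    best = max((r for r in ROUTES if d in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


@dataclass
class NatRule:
    text: str                 # the ASA statement this rule models
    src_if: str               # real (ingress) interface
    dst_if: str               # mapped (egress) interface
    src: str                  # real source object
    dst: str = "0.0.0.0/0"    # real destination object ("any" when omitted)
    mapped: str = "identity"  # "identity" keeps the source; "interface" PATs to egress IP

    def matches(self, ingress, egress, src, dst) -> bool:
        return (self.src_if == ingress and self.dst_if == egress
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


def translate(rules, ingress, src, dst):
    """Return (matching rule text or None, source address after NAT)."""
    egress = egress_for(dst)
    for rule in rules:       # section 1 is evaluated top-down; first match wins
        if rule.matches(ingress, egress, src, dst):
            new_src = str(IFACE_IP[egress]) if rule.mapped == "interface" else src
            return rule.text, new_src
    return None, src         # no rule: the packet leaves untranslated


def add_rule(rules, rule, line=None):
    """'nat (inside,outside) 1 ...' inserts at line 1 (the top); no number appends."""
    if line is None:
        rules.append(rule)
    else:
        rules.insert(line - 1, rule)
    return rules


# The three statements discussed in the thread.
HAIRPIN = NatRule("nat (outside,outside) source dynamic vpn_pool_ip interface",
                  "outside", "outside", "10.10.10.0/24", mapped="interface")
EXEMPT = NatRule("nat (inside,outside) 1 source static NETWORK_OBJ_10.0.0.0_24 "
                 "NETWORK_OBJ_10.0.0.0_24 destination static vpn_pool_ip vpn_pool_ip",
                 "inside", "outside", "10.0.0.0/24", dst="10.10.10.0/24")
DYNAMIC = NatRule("nat (inside,outside) 1 source dynamic NETWORK_OBJ_10.0.0.0_24 interface",
                  "inside", "outside", "10.0.0.0/24", mapped="interface")


def router_reply_to_vpn_client(rules):
    """Router 10.0.0.2 answering VPN client 10.10.10.10 must keep its real address."""
    return translate(rules, "inside", "10.0.0.2", "10.10.10.10")[1]


def scenario_dynamic_only():
    # Only the dynamic PAT: the reply is rewritten to the outside IP, so ping/SSH fail.
    return router_reply_to_vpn_client([DYNAMIC])


def scenario_exemption_first():
    # Exemption inserted at line 1, ahead of the PAT: the reply keeps 10.0.0.2.
    return router_reply_to_vpn_client(add_rule([DYNAMIC], EXEMPT, line=1))


def scenario_exemption_last():
    # Same exemption appended after the PAT: it is shadowed and never matches.
    return router_reply_to_vpn_client(add_rule([DYNAMIC], EXEMPT))


def vpn_client_to_internet(rules):
    """VPN client 10.10.10.10 (arriving on outside) going to 4.2.2.2 (leaving on outside)."""
    return translate(rules, "outside", "10.10.10.10", "4.2.2.2")


def router_to_internet(rules):
    """Router 10.0.0.2 going to 4.2.2.2 should still be PATed by the dynamic rule."""
    return translate(rules, "inside", "10.0.0.2", "4.2.2.2")[1]
```

Without HAIRPIN, vpn_client_to_internet returns no matching rule and the packet would leave with its private pool address; with it, the client is PATed to the outside interface address. For the router-to-client path, only the ordering with the exemption at line 1 preserves the router's real address, while router_to_internet is still PATed because the exemption's destination (the VPN pool) does not match Internet addresses.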
04-13-2014 12:32 PM
It worked like a charm.
Best Regards Sir
Mahesh