11-10-2021 09:42 AM
Hi,
I'm running a FirePower 1120 with ASA and AnyConnect VPN.
I have several VLANs which have different connection profiles. On the VLANs without any NAT rules, I can connect and ping all devices. On the VLANs which have NAT rules for connecting to the internet, I can't ping any of the devices. Presumably my rule catches my traffic and tries to send it to the "outside" interface. I've read about 'NAT exemptions', but discovered that this is a deprecated function.
My VLAN profile locks the user to the specific VLAN, and has an IP address in the same subnet as the hosts would be in (192.168.11.0/24).
An image of my NAT rule is attached (the only NAT rule for the given VLAN). How can I make another rule or change this one to solve this problem?
Many thanks!
11-10-2021 11:58 AM
Hello,
I might have missed that, but where did you read that NAT exemptions have become deprecated ?
11-10-2021 12:04 PM
Sorry, I can't recall, it was in the middle of a googling session.
However, I have fixed this problem, albeit inelegantly, by making two IP ranges.
One is called lower-than-local and is everything under 172.0.0.0, the other is higher-than-local and is everything over 192.0.0.0.
This seems to work great, as long as I don't try to access any internet resources with an IP between those two.
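As an added illustration (not the poster's configuration, which was only shown as a screenshot), here is what the two-range workaround looks like in ASA CLI, next to the identity-NAT form that replaced the pre-8.3 `nat 0` exemption and is still supported on current ASA releases. Interface names (`vlan11`, `outside`), object names, and the VPN pool range 192.168.11.200-192.168.11.250 are assumptions; the gap between the two destination ranges is placed around 192.168.11.0/24 so that only the local subnet is left untranslated, whereas the thread's own boundaries were 172.0.0.0 and 192.0.0.0.

```text
! Added example for an ASA running on a Firepower 1120; names are assumed.
! Inside VLAN 11 hosts and the AnyConnect pool carved from the same subnet.
object network vlan11-lan
 subnet 192.168.11.0 255.255.255.0
object network vpn-pool-vlan11
 range 192.168.11.200 192.168.11.250

! Option A, the two-range workaround from the thread, generalised so the
! untranslated gap is exactly the local /24: dynamic PAT to the outside
! interface only when the destination is below or above 192.168.11.0/24.
object network lower-than-local
 range 1.0.0.0 192.168.10.255
object network higher-than-local
 range 192.168.12.0 223.255.255.255
nat (vlan11,outside) source dynamic vlan11-lan interface destination static lower-than-local lower-than-local
nat (vlan11,outside) source dynamic vlan11-lan interface destination static higher-than-local higher-than-local

! Option B, identity NAT (NAT exemption) for LAN <-> VPN-pool traffic, placed
! above the plain dynamic PAT so it is matched first; no-proxy-arp and
! route-lookup keep the firewall from answering ARP for, or mis-routing,
! the exempted addresses. Use either Option A or Option B, not both.
nat (vlan11,outside) 1 source static vlan11-lan vlan11-lan destination static vpn-pool-vlan11 vpn-pool-vlan11 no-proxy-arp route-lookup
nat (vlan11,outside) after-auto source dynamic vlan11-lan interface
```

After applying either option, `packet-tracer input vlan11 icmp 192.168.11.10 8 0 192.168.11.210` should show the untranslated or identity-NAT path rather than a translation to the outside address; with Option A, destinations inside the gap between the two ranges are simply never translated, which is why internet addresses falling into that gap become unreachable.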
11-10-2021 12:22 PM
Hello,
good workaround !