AnyConnect: Can't ping local hosts with NAT rules applied

Hi,

I'm running a FirePower 1120 with ASA and AnyConnect VPN.

I have several VLANs which have different connection profiles. On the VLANs without any NAT rules, I can connect and ping all devices. On the VLANs which have NAT rules for connecting to the internet, I can't ping any of the devices. Presumably my rule catches my message and tries to send it to the "outside" interface. I've read about 'NAT exceptions', but discovered that this is a deprecated function.

My VLAN profile locks the user to the specific VLAN, and has an IP address in the same subnet as the hosts would be in (192.168.11.0/24).

An image of my NAT rule is attached (the only NAT rule for the given VLAN). How can I make another rule or change this one to solve this problem?

Many thanks!


3 Replies

Hello,

I might have missed that, but where did you read that NAT exemptions have become deprecated?

Sorry, I can't recall, it was in the middle of a googling session.

However, I have fixed this problem, albeit inelegantly, by making two IP ranges.

One is called lower-than-local and is everything under 172.0.0.0, the other is higher-than-local and is everything over 192.0.0.0.

This seems to work great, as long as I don't try to access any internet resources with an IP between those two.
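The split-range workaround above leaves every destination between 172.0.0.0 and 192.0.0.0 un-NATed, so a cleaner fix on ASA is an identity (twice) NAT rule that exempts VLAN-to-VPN-pool traffic from the internet PAT rule; this is an added example, not configuration from the thread. It assumes the VLAN interface is named `inside`, the AnyConnect pool for this profile is the constructed range 192.168.11.200-192.168.11.250 carved out of the 192.168.11.0/24 VLAN, and the existing internet rule is a dynamic interface PAT.

```cisco
! Constructed objects (assumption): the VLAN subnet and the AnyConnect pool
! that the connection profile hands out inside that same /24.
object network VLAN11-NET
 subnet 192.168.11.0 255.255.255.0
object network VPN-POOL-VLAN11
 range 192.168.11.200 192.168.11.250
!
! Identity NAT in section 1 (manual NAT), so it is evaluated before the
! dynamic PAT below. Source and destination keep their real addresses in
! both directions; no-proxy-arp and route-lookup are the usual companions
! for VPN exemptions so the ASA neither answers ARP for the pool nor
! forwards based on the NAT rule instead of the routing table.
nat (inside,outside) 1 source static VLAN11-NET VLAN11-NET destination static VPN-POOL-VLAN11 VPN-POOL-VLAN11 no-proxy-arp route-lookup
!
! The existing internet rule (assumed to be object NAT, section 2) stays as
! it was; it now only sees traffic that the exemption above did not match.
object network VLAN11-NET
 nat (inside,outside) dynamic interface
!
! Verify ordering and the actual decision for a ping from a LAN host
! (192.168.11.10, constructed) to a VPN client in the pool (192.168.11.205):
! the exemption should be listed first and packet-tracer should report the
! identity rule rather than the dynamic PAT.
show nat
packet-tracer input inside icmp 192.168.11.10 8 0 192.168.11.205
```

Because the pool lives inside the VLAN subnet, LAN hosts will ARP for client addresses locally; the `no-proxy-arp` keyword plus the ASA's own connected route to the pool is what keeps those replies flowing, so check `show route` for the pool addresses if the tracer passes but pings still fail.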

Hello,

good workaround!
