AnyConnect no remote local subnet intra connection

I'm trying to set up an AnyConnect VPN that's supposed to work by supplying access to a single remote local subnet where a couple of servers exist. I have the issue that there is no connection on the subnet. I connect with the VPN and get an IP, but I can't ping anything, and the log throws this description:

6 Nov 24 2015 12:56:09 110002 10.5.x.123 1 Failed to locate egress interface for ICMP from Outside:10.5.x.123/1 to 10.5.x.1/0

I'm thinking it's either an ACL or NAT missing or a misconfiguration. Is anyone with some more experience or knowledge able to find my mistake?

ASA Version 9.1(5)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool ElevNet 10.5.x.100-10.5.x.150 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan y
!
interface Ethernet0/1
 switchport access vlan x
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 description WAN
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif Outside
 security-level 0
 ip address 1x.2x.1.2x 255.255.255.248
!
interface Vlan y
 management-only
 nameif Management
 security-level 100
 ip address 10.x.10.x 255.255.255.0
!
interface Vlan x
 nameif ElevInside
 security-level 100
 ip address 10.5.x.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.5.x.0_24
 subnet 10.5.x.0 255.255.255.0
object network ElevNet
 subnet 0.0.0.0 0.0.0.0
access-list Elev extended permit ip 10.5.x.0 255.255.255.0 1x.2x.1.2x 255.255.255.248
access-list Split_Tunnel remark Local_Elev_Lan
access-list Split_Tunnel standard permit 10.5.x.0 255.255.255.0
access-list Local_Lan_Access standard permit 10.5.x.0 255.255.255.0
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list ElevInside_access_in extended permit ip any any
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751-112.bin
no asdm history enable
nat (ElevInside,Outside) source dynamic any interface
access-group ElevInside_access_in in interface ElevInside
route Outside 0.0.0.0 0.0.0.0 1x.2x.1.2x 1
dynamic-access-policy-record DfltAccessPolicy
 network-acl Elev
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.x.10.x 255.255.255.0 Management
http 10.5.x.0 255.255.255.0 Management
telnet 10.x.10.x 255.255.255.0 Management
vpn-addr-assign local reuse-delay 60
!
dhcpd address 10.5.x.100-10.5.x.150 ElevInside
dhcpd dns 8.8.8.8 8.8.4.4 interface ElevInside
dhcpd enable ElevInside
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 ElevInside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Management
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Management vpnlb-ip
webvpn
 enable Outside
 enable ElevInside
 anyconnect image disk0:/anyconnect-win-3.1.12020-k9.pkg 2
 anyconnect profiles ElevVirker_client_profile disk0:/ElevVirker_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_ElevVirker internal
group-policy GroupPolicy_ElevVirker attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_Lan_Access
 default-domain none
 address-pools value ElevNet
 webvpn
  anyconnect profiles value ElevVirker_client_profile type user
vpn-group-policy GroupPolicy_ElevVirker
tunnel-group ElevVirker type remote-access
tunnel-group ElevVirker general-attributes
 address-pool ElevNet
 default-group-policy GroupPolicy_ElevVirker
tunnel-group ElevVirker webvpn-attributes
 group-alias ElevVirker enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

3 Replies

Configure the following and try again:

policy-map global_policy
 class inspection_default
  inspect icmp

In addition to that, you should consider upgrading your ASA to 9.1(6)10, as many bugs have been fixed.

I upgraded and added the configuration, but it didn't fix the issue. Do I need a no-NAT rule like (Inside,Inside)?

Yes, you need a NAT exemption for (ElevInside,Outside) in NAT section 1. Your dynamic NAT config should be moved to NAT section 3. I missed that; unformatted config is always hard to read.
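Worked example, added by the editor and not part of the thread, of the NAT change the last reply describes, written against the posted configuration: an identity (NAT-exemption) rule in section 1 between the LAN object NETWORK_OBJ_10.5.x.0_24 and the VPN pool, and the posted dynamic PAT rule re-entered with after-auto so it lands in section 3 and is evaluated only after the identity rule. The object VPN_POOL and the LAN server address 10.5.x.10 used in the packet-tracer checks are assumptions; everything else is taken from the posted config, with 10.5.x standing for the poster's masked octet. Three things the posted config itself shows and a practitioner would check alongside the NAT fix: the logged destination 10.5.x.1 is the ASA's own ElevInside address, and an interface address is only reachable through the tunnel once management-access is enabled on that interface; the pool ElevNet (10.5.x.100-150) is the same range dhcpd hands out on ElevInside, so a LAN host and a VPN client can be assigned the same address; and the DAP record's network-acl Elev is applied to each session as a filter and, as posted, only permits 10.5.x.0/24 to the Outside /29, so verify the effective filter in show vpn-sessiondb detail before concluding that NAT alone explains the drops.

```cisco
! Added example, not from the original thread. Assumed names: VPN_POOL and
! 10.5.x.10 (a LAN server used only in the checks). 10.5.x is the poster's
! masked octet; interface and object names are the poster's.
!
! --- Section 1 (manual/twice NAT): identity rule so LAN <-> VPN-pool
! --- traffic keeps its real addresses in both directions. route-lookup makes
! --- the ASA pick the egress interface from the routing table (the pool sits
! --- inside the ElevInside subnet, so the per-client host routes must win).
object network VPN_POOL
 range 10.5.x.100 10.5.x.150
!
nat (ElevInside,Outside) source static NETWORK_OBJ_10.5.x.0_24 NETWORK_OBJ_10.5.x.0_24 destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! --- Move the posted dynamic PAT out of section 1 into section 3 (after-auto),
! --- so it no longer matches pool-bound traffic before the identity rule.
no nat (ElevInside,Outside) source dynamic any interface
nat (ElevInside,Outside) after-auto source dynamic any interface
!
! --- The posted 110002 log line is a ping to 10.5.x.1, the ASA's own
! --- ElevInside address. Reaching an interface address through a tunnel that
! --- terminates on Outside needs management-access on that interface.
management-access ElevInside
!
! --- Checks (exec mode). The identity rule must be listed in section 1 and the
! --- dynamic rule in section 3; packet-tracer for a pool address should show
! --- the identity NAT rule and egress ElevInside, not the Outside PAT or
! --- "no route".
show nat detail
show route
packet-tracer input Outside icmp 10.5.x.123 8 0 10.5.x.10 detailed
packet-tracer input ElevInside icmp 10.5.x.10 8 0 10.5.x.123 detailed
! Effective per-session filter (Filter Name) coming from the DAP network-acl:
show vpn-sessiondb detail anyconnect
```

The two packet-tracer runs cover both directions of the exchange: the first simulates the VPN client (pool address 10.5.x.123 from the log) pinging a LAN server, the second the server's reply path back toward the client. If the second trace still selects the Outside PAT rule, the dynamic rule is still ahead of the identity rule and show nat detail will show where it landed.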
