Access Local resources with Anyconnect

Antkn33
Level 1

I have an ASA 5505 running 9.2. I have Anyconnect working in that it establishes a connection and users can browse the Internet with split tunneling. However, they can't access internal servers, or even ping them. 

I suspect NAT but I am no expert and I have done some Googling, but most of the directions are written for a different version of IOS. 

I have attached the running config. The servers to be accessed are on the 192.168.1.x network. The VPN pool is on the 192.168.2.x network. 

Thanks. 


7 Replies

Michael Muenz
Level 5

Enable ASDM debugging and then you'll see if there are any issues with NAT.

Michael
Please rate all helpful posts

Marvin Rhoads
Hall of Fame

The ASA configuration looks pretty good.

Have you set the ASA as your internal hosts' default route or otherwise told their default gateway to reach the VPN pool via the ASA inside address of 192.168.1.3?

They do have another router on the network, but I can't log in to it right now. 

I can ping the inside network from the inside interface of the ASA. Also, in the AnyConnect client it shows no secured routes and one unsecured route: the internal network 192.168.1.x.


Thanks

Yes - when you ping the internal network your ASA inside address (on that same network) is the source address.

When your VPN clients attempt to reach resources there, their source address is 192.168.2.x. Unless the internal network hosts either default gateway to your ASA or their internal/other router has a static route (or dynamic route if you were running a routing protocol on the ASA which you are not in this case) to get to 192.168.2.0/27 via the ASA, return traffic will not make it back to the ASA. It will instead go to their default gateway and not establish (or complete) a connection (TCP) or flow (UDP or ICMP).
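The two checks above (identity NAT so pool-to-LAN traffic is not translated, and a return route for the pool on whatever the inside hosts use as their gateway) written out as a configuration fragment. This is an added example, not the OP's attached running config; the object names INSIDE_NET, VPN_POOL, SPLIT_TUNNEL and ANYCONNECT_GP and the sample host addresses 192.168.2.10 / 192.168.1.10 are assumptions, while 192.168.1.0/24, 192.168.1.3 and 192.168.2.0/27 come from the thread. The last line is Cisco IOS syntax for the separate internal router mentioned in the thread:

```text
! --- ASA 5505 (9.2) side: object names are hypothetical, addresses from the thread ---
! Inside LAN 192.168.1.0/24 (ASA inside = 192.168.1.3), VPN pool 192.168.2.0/27
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.2.0 255.255.255.224
!
! Identity (exemption) NAT: traffic between the pool and the inside LAN keeps
! its real addresses in both directions; route-lookup makes the ASA choose the
! egress interface from the routing table instead of from the NAT rule.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Split tunnelling: only the inside LAN goes through the tunnel. With
! tunnelspecified, AnyConnect lists 192.168.1.0/24 under "Secured Routes".
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Simulate a client ping (ICMP echo, type 8 code 0) from a constructed pool
! address to a constructed inside server and read the NAT and ROUTE-LOOKUP
! phases of the output to confirm neither one drops or rewrites the packet.
packet-tracer input outside icmp 192.168.2.10 8 0 192.168.1.10

! --- Internal router side (Cisco IOS syntax; the thread's "other router") ---
! Hosts that use this router as their default gateway need it to forward the
! replies destined for the VPN pool to the ASA inside address.
ip route 192.168.2.0 255.255.255.224 192.168.1.3
```

If the inside hosts already use the ASA as their default gateway the static route is unnecessary; otherwise without it the server replies follow the hosts' default route and the TCP handshake, UDP flow or ICMP echo never completes, which is exactly the symptom described.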

I am going to check out their router tomorrow. But a thought occurred to me. They use 192.168.1.x for their internal network. I use that for my home and I realized I could ping 192.168.1.x addresses when connected to their VPN from home. However, they were addresses on my network, not their corporate network. 

This seems like it will be a problem for them if they also use that address scheme at home, correct?

Indeed it is a problem. Unless you get really fancy with NAT, you need to have unique network numbers at both ends.

Antkn33
Level 1

That worked. Thanks