AnyConnect client (ASA interface A) can't connect to the Internet (ASA interface B)

Erik Qvam
Level 1

Hi all,

 

 +----------------+                       +----------------+      +-----------+
 |                |                       | ASA 9          |      |           |
 | Client from    |                       |                |      | Intranet  |
 | "elsewhere"    | AnyConnect 4          |       10.0.0.1 +<---->+ Clients & |
 |                | (no split tunnel)     |                |      | Services  |
 | 192.168.222.11 +---------------------->+ 192.168.222.1  |      |           |
 |                |            172.16.0.2 |                |      +-----------+
 +----------------+        (pool-address) |                |      
                                          |                |  AnyConnect 4
                                          |        a.b.c.d +<----------------> Internet
                                          |                | (hairpinning,
                                          +----------------+  no split tunnel)

 a) The topology is very simplified.
 b) Elsewhere-client need to connect to Intranet Services AND the Internet.
 c) Elsewhere-client connects via AnyConnect (all traffic must be tunneled through).
 d) Elsewhere-client can connect to Intranet Services.
 e) Elsewhere-client can't connect to the Internet.
 f) Intranet-client can connect to the Internet (via default route).
 g) Internet-client (via AnyConnect) can connect to Intranet services (and U-turn to the Internet).
 h) ASA packet-tracer states that elsewhere-client should be able to connect to the Internet.
 
 We obviously lack some basic understanding of routing/NAT. Any ideas for a possible solution?

 

Thank You,

Erik Qvam

Accepted Solution

Do you have NAT/PAT from the "elsewhere"-interface to outside?

When using packet-tracer do not only look at the result, also look at the processing of NAT and usage of the right interfaces.


4 Replies

Hi karsten,

 

Thank you for the answer.

 

After my posting I started to think about NAT/PAT between "elsewhere" and "outside" and the answer is that it's forgotten. Should the NAT be with respect to the interface (192.168.222.0) or pool (172.16.0.0)?

 

brgd,

Erik

The NAT/PAT has to be done based on the pool-addresses. These addresses are the ones the ASA has to use while processing the traffic.

Thank you. I must wait until Monday before I can test the solution and give feedback.
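For readers landing on this thread with the same problem, here is a worked example of what the accepted answer describes. It is an added illustration, not configuration posted by Erik or karsten: a minimal ASA 9.x object NAT that PATs the AnyConnect pool addresses (not the 192.168.222.0/24 interface subnet) to the outside interface address, plus the packet-tracer and show commands used to confirm the rule is actually hit. The interface names "elsewhere" and "outside", the /24 pool mask, the pool name and the destination 8.8.8.8 used in the test flow are assumptions; the thread only gives the addresses shown in the diagram.

```cisco
! Added example (not from the original thread). Assumed names: interface
! "elsewhere" (192.168.222.1, where AnyConnect terminates), interface
! "outside" (a.b.c.d, Internet), pool ANYCONNECT_POOL, mask /24.

! Address pool handed to the AnyConnect clients (172.16.0.2 in the diagram)
ip local pool ANYCONNECT_POOL 172.16.0.2-172.16.0.254 mask 255.255.255.0

! The decrypted client traffic is processed by the ASA with the POOL address
! as source and "elsewhere" as ingress interface, so that is what the NAT
! rule must match. A rule written for 192.168.222.0/24 never sees it.
object network ANYCONNECT_POOL_NET
 subnet 172.16.0.0 255.255.255.0
 nat (elsewhere,outside) dynamic interface

! Not needed for the elsewhere-clients (ingress and egress differ), but
! required for the clients in point g) that arrive on outside and U-turn
! back out of outside:
same-security-traffic permit intra-interface

! --- Verification (karsten's advice: read the NAT phase and the chosen
! --- interfaces, not just the final allow/drop). Constructed test flow:
! packet-tracer input elsewhere tcp 172.16.0.2 40000 8.8.8.8 53
!   Phase: NAT should list "nat (elsewhere,outside) dynamic interface",
!   and the result should end with "output-interface: outside" / allow.
!   If the NAT phase shows a different rule or no rule, the source address
!   or ingress interface used in the command does not match the rule.
! show nat detail
!   translate_hits for the rule above must increase after a client test.
! show xlate
!   a PAT entry 172.16.0.2 -> a.b.c.d (outside address) should appear.
```

Note that the dynamic rule only matches traffic whose egress interface is outside, so pool-to-intranet traffic (point d, already working) is untouched by it; no exemption rule is needed for that path. If you run packet-tracer with 192.168.222.11 as the source instead of the pool address, it will not exercise the rule the VPN traffic actually needs, which is one way to get a misleading "should work" result.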