Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
590
Views
5
Helpful
3
Replies

AnyConnect - Inside networks with Internet access can't be reached

Go to solution
G3000LEE
Level 1
Level 1

‎01-16-2022 11:10 AM

I have just configured Anyconnect on my 5506X which seems to be working fine apart from one issue.

 

All networks that have access to the internet through the ASA can't be accessed or ping when connected to AnyConnect.

Internet access is provided through the ASA using the "nat (inside,outside) dynamic interface" command. Split-Tunnel has also been configured.

 

All networks which don't have internet access can be reached and ping.

 

I have a feeling this is a NAT issue that I don't know how to resolve. Have tried Googling this issue but nothing has come up.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎01-16-2022 11:15 AM

@G3000LEE yes it's probably a NAT issue, the communication between the internal networks and the RAVPN IP pool network is likely being unintentially translated by the Dynamic PAT rules you have in place. You need a NAT exemption rule(s)

 

Define an object for the internal networks and the RAVPN pool, then create the NAT exemption rule - translating which basically ensures traffic between those networks is not translated. Example:

object network INTERNAL-LAN
 subnet 192.168.9.0 255.255.255.0
object network RAVPN
 subnet 192.168.10.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) source static INTERNAL-LAN INTERNAL-LAN destination static RAVPN RAVPN no-proxy-arp

HTH

View solution in original post

3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎01-16-2022 11:15 AM

@G3000LEE yes it's probably a NAT issue, the communication between the internal networks and the RAVPN IP pool network is likely being unintentially translated by the Dynamic PAT rules you have in place. You need a NAT exemption rule(s)

 

Define an object for the internal networks and the RAVPN pool, then create the NAT exemption rule - translating which basically ensures traffic between those networks is not translated. Example:

object network INTERNAL-LAN
 subnet 192.168.9.0 255.255.255.0
object network RAVPN
 subnet 192.168.10.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) source static INTERNAL-LAN INTERNAL-LAN destination static RAVPN RAVPN no-proxy-arp

HTH

Go to solution
G3000LEE
Level 1
Level 1
In response to Rob Ingram

‎01-18-2022 05:31 AM

I will give this a shot hopefully today/tomorrow and let you know the outcome.

 

Thanks

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎01-16-2022 11:25 AM

follow

0 Helpful
Customers Also Viewed These Support Documents