10-02-2012 07:57 AM - edited 02-21-2020 06:22 PM
I've got my AnyConnect set up to get an IP from our Windows DHCP server just fine. It grabs the IP, mask, and DNS just fine. But I can't ping any of the LAN devices or do any DNS lookups. I need it to work this way since we have a ton of site-to-site VPNs with remote offices, and getting them all to adjust their firewalls to allow another subnet is a nightmare.
I have split-tunneling enabled. I'm sure it's a nonat command that I'm missing, but not sure what.
Before connecting to VPN:
Home user-------------------> ASA 5510 --------------> Office Lan
192.168.1.0/24 10.10.1.1/24
After they connect to AnyConnect
Home user-------------------> ASA 5510 --------------> Office Lan
192.168.1.0/24 10.10.1.1/24
10.10.1.45/24
10-02-2012 08:09 AM
Hello
Is your VPN pool part of your LAN network?
regards
Harish.
10-02-2012 08:12 AM
Yes. The office LAN is 10.10.1.0/24.
10-02-2012 08:36 AM
Hi Andy,
We do not recommend having the VPN pool in the same LAN network, but it should work.
Do you have a NAT exempt to allow the VPN traffic from outside to inside and avoid the NAT translation from inside to outside?
Can you ping the inside interface of the ASA (make sure you have the "management-access" command in place)?
Thanks.
Portu.
Please rate any helpful posts.
10-02-2012 08:59 AM
I can ping the inside interface of the firewall and get responses. I can PM you the config if you'd like. I don't want to post it on an open forum.
10-02-2012 08:51 AM
Hello Andy,
Can you post the config?
Harish
10-02-2012 09:00 AM
Actually, I can't post the config. I can probably post a portion of it.
10-02-2012 09:07 AM
Hi,
I can see you opened a TAC case for this same problem.
Do you want to keep working on this one?
Thanks.
10-02-2012 09:10 AM
I'll leave it open for now until it gets resolved with the TAC case. Once it gets fixed, I'll post the resolution in case others need it if they have the problem in the future.
10-02-2012 09:15 AM
Sounds good.
It's a shame I did not see it before; otherwise I would take ownership.
Keep us posted.
Portu.
10-04-2012 06:40 AM
All I was missing was the command to not NAT the traffic. I just needed to add:
access-list nonat extended permit ip 10.10.1.0 255.255.255.0 10.10.1.0 255.255.255.0
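For readers who want the full context around that one line (the NAT exemption and the "management-access" command Portu asked about earlier in the thread), here is an added ASA configuration example. It is not the original poster's config and not Cisco's; it assumes the pre-8.3 NAT syntax that the "nonat" access-list style in this thread implies, an inside interface named "inside", an outside interface named "outside", and a group-policy name (ANYCONNECT_GP) and split-tunnel ACL name (SPLIT_TUNNEL) chosen here for illustration. The office LAN and VPN pool are both 10.10.1.0/24, as in the thread, so the exemption permits the subnet to itself.

```text
! --- Pre-8.3 ASA: exempt LAN <-> VPN-client traffic from NAT ---
! Without this, replies from LAN hosts to a 10.10.1.x VPN client are
! translated on the way back out and the client never sees them.
access-list nonat extended permit ip 10.10.1.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let VPN clients ping/manage the inside interface across the tunnel
! (the check Portu suggested in this thread).
management-access inside

! Split tunneling: only the office LAN goes through the VPN.
! SPLIT_TUNNEL and ANYCONNECT_GP are names assumed for this example.
access-list SPLIT_TUNNEL standard permit 10.10.1.0 255.255.255.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 dhcp-network-scope 10.10.1.0

! --- ASA 8.3 and later: same exemption in object-NAT syntax ---
! (Use one form or the other, depending on the ASA version.)
object network OFFICE_LAN
 subnet 10.10.1.0 255.255.255.0
nat (inside,outside) source static OFFICE_LAN OFFICE_LAN destination static OFFICE_LAN OFFICE_LAN no-proxy-arp route-lookup

! --- Verification from the ASA CLI ---
! Confirm the exemption is hit for a VPN client (10.10.1.45, as in the
! thread) reaching a LAN host; 10.10.1.10 is a constructed example host.
! packet-tracer input outside icmp 10.10.1.45 8 0 10.10.1.10
! show nat
```

Two practical notes. First, because the pool overlaps the LAN, the ASA must answer ARP on the inside interface on behalf of connected clients; the pre-8.3 "nat 0" exemption does this, which is why the single access-list line fixed the original problem. Second, Portu's caveat in this thread still stands: an overlapping pool works, but a dedicated pool subnet with its own NAT exemption keeps VPN clients distinguishable in LAN firewall logs and ACLs, which matters when you later need to audit or restrict what remote users can reach.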
10-05-2012 05:43 AM
Great!
Please close this post.
Thanks for sharing your findings.
Have a nice day.