Anyconnect VPN - allow ICMP
06-12-2013 07:43 PM - edited 02-21-2020 06:57 PM
I have an ASA 5520 with a remote access VPN set up via AnyConnect.
I can connect to the VPN successfully and access devices on the internal network, such as RDP, without a problem. However, I am unable to ping any device, including machines I can make an RDP connection to.
The network setup is as follows:
Two inside LANs which have open access between the two networks, including ICMP. The remote access VPN is set up to DHCP a range of addresses on one of these networks. I also have split-tunneling set up to secure access to these two networks. NAT exemption for the VPN clients.
Any suggestions appreciated.
Thanks,
Karl
- Labels: AnyConnect
06-12-2013 11:34 PM
Hi,
Well, the most common reasons for ICMP failing are usually:
- ICMP inspection hasn't been enabled on the ASA, or ICMP messages aren't allowed in both directions
- ICMP is being blocked by the local device's (PC/server) firewall or firewall software
These things can be confirmed easily by looking at the ASA configuration and/or doing a packet capture on the ASA itself to confirm whether the ASA sees any ICMP Echo Reply from the LAN device towards the VPN client user.
- Jouni
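As an added illustration of the two checks Jouni describes (this is example configuration, not from the original post), the fragment below shows the ASA default service policy with ICMP inspection missing beside the same policy with `inspect icmp` added, followed by a capture that confirms whether Echo Replies from the LAN host actually reach the ASA on its way back to the VPN client. The interface name `inside`, the capture name `vpnicmp`, and the host and client addresses are assumptions for the example.

```cisco
! --- Before: the default global policy without ICMP inspection.
! Without stateful inspection, Echo Replies returning from the LAN
! towards the VPN client address are not matched to the outbound Echo
! Request, so the reply is dropped unless an ACL explicitly permits it.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
! --- After: add ICMP inspection so that replies are tracked like
! any other session and are permitted back to the client.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! --- Verify from the ASA itself rather than guessing.
! Host 192.0.2.10 (assumed LAN server) and 198.51.100.20 (assumed
! VPN client address) are constructed values for this example.
capture vpnicmp interface inside match icmp host 192.0.2.10 host 198.51.100.20
! ... run a ping from the VPN client, then inspect what the ASA saw:
show capture vpnicmp
! Seeing only Echo Requests and no Echo Replies in the output points
! at a host-based firewall on the server; seeing replies arrive but
! not reach the client points at inspection or an ACL on the ASA.
no capture vpnicmp
```

The `show capture` output is the key observation: an Echo Request without a matching Echo Reply means the LAN device never answered (host firewall), whereas a reply that appears on the inside interface but never reaches the client means the ASA is dropping it, which is where enabling `inspect icmp` or adjusting the relevant ACL applies.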
06-13-2013 02:05 AM
Hi Jouni,
Thanks for the reply.
I will check to see if ICMP inspection is enabled this morning. Would this be an issue only while connected to the VPN? Clients physically connected to either of the LANs are able to ping between networks and also to external destinations. I only find the lack of ICMP when a user is connected via AnyConnect VPN.
For testing I turned off all host-based firewalls in order to completely rule that out.
Thanks,
Karl
06-14-2013 02:46 AM
Hi Jouni,
After I turned on ICMP inspection I did have partial success.
A user connects to the VPN and gets a 7.0/24 address. Now that ICMP inspection is enabled, this user can ping and make an RPC connection to any machine on the 1.0/24 network. This previously had not been working.
What I would like is for the VPN user to have the same ability to ping and RPC to machines in the 7.0/24 network. Does a separate ACL need to be added to allow this?
Non-VPN users connected directly to either network have the ability to ping each network.
Thanks for your help and any additional suggestion you may have.
Karl
