Anyconnect with the multiple Inside interfaces

peter.jevos
Level 1

Hi

I have configured Anyconnect on the Outside interface, and can reach the Inside network. However, I cannot reach the other Inside_2 and more inner interfaces on the ASA.
Example:

Interface Name IP address Subnet mask Method
GigabitEthernet0/0 Outside 20.2.173.12 255.255.255.248 CONFIG
GigabitEthernet0/1 Inside 192.168.1.254 255.255.255.0 CONFIG
GigabitEthernet0/2 Inside_2 172.16.1.1 255.255.255.0 CONFIG
GigabitEthernet0/3 Inside_3 192.168.162.0 255.255.255.0 CONFIG

nat (Inside,Outside) source static any any destination static NETWORK_OBJ_Anyconnect NETWORK_OBJ_Anyconnect
nat (Inside_2,Outside) source static any any destination static NETWORK_OBJ_Anyconnect NETWORK_OBJ_Anyconnect  // this does not work


I also tried:

nat (Any,Outside) source static any any destination static NETWORK_OBJ_Anyconnect NETWORK_OBJ_Anyconnect

however I can reach only the addresses under the Inside interface.

Many thanks

4 Replies

Philip D'Ath
VIP Alumni

Have you got a split tunnel configured?

Yes, split tunnel is configured with a standard ACL where all necessary subnets are included.

Are there any ACL's which might be blocking the traffic?

mibricen
Level 1

Hello Peter,

Could you test the no-proxy-arp and route-lookup commands on the nat line?

E.g.

nat (Any,Outside) source static any any destination static NETWORK_OBJ_Anyconnect NETWORK_OBJ_Anyconnect no-proxy-arp route-lookup

For reference:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/n.html

Route-lookup:

For identity NAT in routed mode, determines the egress interface using a route lookup instead of using the interface specified in the NAT command. If you do not specify interfaces in the NAT command, a route lookup is used by default.

No-proxy-arp:

For static NAT, disables proxy ARP for incoming packets to the mapped IP addresses.

Also, could you run a packet-tracer command from both interfaces to check whether the packet is dropped on the ASA for any reason:

packet-tracer input inside icmp "ip address from local host" 8 0 "ip address from remote host" detailed

packet-tracer input inside2 icmp "ip address from local host" 8 0 "ip address from remote host" detailed

Copy and compare them both, checking for any difference.

Miguel

TAC VPN
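As an added defender-side check (not part of this thread and not a Cisco tool), the Python audit below parses a constructed ASA config excerpt and reports every inside interface that has no identity NAT rule toward the AnyConnect pool object or whose subnet is missing from the split-tunnel ACL; the ACL name SPLIT_TUNNEL, the Inside_3 address 192.168.162.1 and the omitted rules are assumptions made for the sample.

```python
import re
from ipaddress import ip_network

# Constructed ASA excerpt modelled on the thread (sample data, not the poster's device); Inside_2 lacks identity NAT and Inside_3 also lacks a split-tunnel entry.
ASA_CONFIG = """\
interface GigabitEthernet0/1
 nameif Inside
 ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet0/2
 nameif Inside_2
 ip address 172.16.1.1 255.255.255.0
interface GigabitEthernet0/3
 nameif Inside_3
 ip address 192.168.162.1 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 172.16.1.0 255.255.255.0
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_Anyconnect NETWORK_OBJ_Anyconnect no-proxy-arp route-lookup
"""

def inside_interfaces(cfg, outside="Outside"):
    # Map every nameif except the outside one to the subnet configured on it.
    result, name = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s*ip address (\S+) (\S+)", line)) and name and name != outside:
            result[name] = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return result

def nat_exempt_sources(cfg, vpn_obj, outside="Outside"):
    # Source interfaces (lower-cased, 'any' included) that have identity NAT toward the VPN pool object.
    pat = rf"nat \((\S+),{outside}\) source static any any destination static {vpn_obj} {vpn_obj}\b"
    return {m.group(1).lower() for m in re.finditer(pat, cfg)}

def split_tunnel_networks(cfg, acl):
    return [ip_network(f"{a}/{b}") for a, b in re.findall(rf"access-list {acl} standard permit (\S+) (\S+)", cfg)]

def audit(cfg, vpn_obj, acl):
    """Return {nameif: [problems]} for each inside interface a VPN client could not reach."""
    exempt, split = nat_exempt_sources(cfg, vpn_obj), split_tunnel_networks(cfg, acl)
    findings = {}
    for name, net in inside_interfaces(cfg).items():
        problems = []
        if not exempt & {"any", name.lower()}:
            problems.append(f"no identity NAT toward {vpn_obj}")
        if not any(net.subnet_of(s) for s in split):
            problems.append(f"{net} missing from split-tunnel ACL {acl}")
        if problems:
            findings[name] = problems
    return findings
```

Run `audit(ASA_CONFIG, "NETWORK_OBJ_Anyconnect", "SPLIT_TUNNEL")` against a real `show running-config` dump to list the interfaces that still need a nat exemption or an ACL entry.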