ASA 5505 8.2 AnyConnect - Cannot access and INSIDE services

kbillingham (Level 1)

Hello,

I have configured AnyConnect to use a 10.0.7.0/24 subnet for its DHCP pool. I can connect to the ASA just fine, but I cannot access any internal services on my 10.0.5.0/24 subnet which is my INSIDE interface vlan subnet. I have setup a NAT exemption rule:

access-list inside_nat0_outbound line 2 extended permit ip 10.0.5.0 255.255.255.0 object-group Any-Connect-Pool-10-0-7-0

AnyConnect is configured to bypass all ACL rules via the sysopt connection permit-vpn.

I am not sure if I'm supposed to create another route back to the VPN subnet or what exactly. When I ping from my VPN subnet to a client on the INSIDE subnet I can see the ICMP traffic flowing through the FW but I get no reply. I am not using split-tunneling and I cannot connect to the internet either after establishing a VPN connection.

Thanks in advance for help.

8 Replies

Jouni Forss (VIP Alumni)

Hi,

Have you tried to ICMP multiple different hosts behind the "inside" interface? Have you tried to ICMP network devices behind "inside" interface? Have you confirmed that there is no software firewall causing problems on hosts?

Are you using the command "management-access inside" which should enable anyconnect hosts to ICMP to the "inside" interface IP address?

Is there a router behind the ASA which might cause problems with forwarding the return traffic?

Have you tried any TCP based connections from Client to internal hosts?

- Jouni

Jouni,

Thanks for the reply. I just tried to browse to an internal webserver and that worked. Why would ICMP packets not be returning back through the FW? I am pinging an internal fileserver.

Also, what do I need to do to allow http/https traffic through the VPN tunnel? I would prefer not to use a split tunnel.

Hi,

The default setting on an ASA firewall is that all traffic from behind a VPN connection is allowed to bypass the interface ACL of the interface to which the VPN connection is formed.

You can check this setting by issuing

show run all sysopt

You should see

sysopt connection permit-vpn

If it's set to its default. The format with "no" in front would mean that all traffic would need to be allowed in the interface ACL.

So if you are using Full Tunnel mode VPN Client at the moment and the above setting is at its default then ASA should not be blocking the connections and connections like http/https should work just fine.

Also the ICMP should not be blocked by the ASA. You can always check that you have ICMP Inspection enabled but I am not sure if it applies to this situation

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

I would check for the possibility that the hosts/server are set to block ICMP but are allowed to send ICMP and receive reply to those.

- Jouni

OK - Thanks Jouni. I ran the show run all sysopt and got these results:

show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
no sysopt noproxyarp dmz

As far as I can read it HTTP/HTTPS traffic should not be blocked. Is that correct?

Hi,

As far as I know all UDP/TCP/ICMP traffic should be allowed from the Client to the hosts/servers.

Naturally this is only considering what I have seen so far.

If you have been able to connect through the VPN to some internal Web server then it would seem to suggest the connectivity between VPN Client and internal network should be fine.

Naturally if something doesn't work it could be troubleshot with the help of logging, packet-tracer and capturing packets on the ASA itself or on the hosts.

- Jouni

So I am still not able to access the internet from an AnyConnect VPN client with IP address 10.0.7.5 on the /24 subnet. I can access internal services. When I do the packet trace I get an access list error:

Interface: Outside

Source IP Address: 10.0.7.5

Destination IP Address: 74.125.228.39 (Google)

Source Port: Tried Multiple including 32000

Destination Port: http

Route Lookup: Check

Access-List: Action Drop - Rule on Outside interface Any/Any IP Deny

I tried adding an access rule on the outside interface to allow all 10.0.7.0/24 traffic access out and in.

Any thoughts?

Accepted Solution

Hi,

You will have to make sure that the following setting is enabled

same-security-traffic permit intra-interface

You will also have to make sure you have Dynamic PAT configured for your VPN Pool

If your current Dynamic PAT for internal users would be

global (outside) 1 interface

nat (inside) 1 10.0.5.0 255.255.255.0

Then you would need to add

nat (outside) 1 10.0.7.0 255.255.255.0

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni
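The accepted solution pulled together into one ASA 8.2 configuration, as an added example written for this thread rather than the poster's running configuration. The pool name AC-POOL, the inside host 10.0.5.10 and the public test address 198.51.100.10 are assumed, and the nat 0 ACL is written against the subnet rather than the poster's Any-Connect-Pool-10-0-7-0 object-group, which is equivalent:

```cisco
! ASA 8.2 - full-tunnel AnyConnect clients in 10.0.7.0/24 reaching the
! inside network 10.0.5.0/24 and hairpinning back out to the Internet.
! Example for this thread; interface names "inside"/"outside", pool name
! AC-POOL and the test addresses are assumptions.

! 1. Allow a flow to enter and leave the same interface (outside -> outside).
!    Without this the client's Internet-bound traffic is dropped after decryption.
same-security-traffic permit intra-interface

! 2. Address pool handed to AnyConnect clients (name assumed).
ip local pool AC-POOL 10.0.7.1-10.0.7.254 mask 255.255.255.0

! 3. NAT exemption: inside <-> VPN pool is passed untranslated.
access-list inside_nat0_outbound extended permit ip 10.0.5.0 255.255.255.0 10.0.7.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 4. Dynamic PAT to the outside interface address. The VPN pool needs its
!    own nat statement on "outside", because that is the interface on
!    which the decrypted client traffic arrives.
global (outside) 1 interface
nat (inside) 1 10.0.5.0 255.255.255.0
nat (outside) 1 10.0.7.0 255.255.255.0

! 5. Checks. Both traces should end in "Action: allow"; the first should
!    show a NAT phase using the outside interface address, the second
!    should match the nat 0 exemption instead.
packet-tracer input outside tcp 10.0.7.5 32000 198.51.100.10 80
packet-tracer input outside tcp 10.0.7.5 32000 10.0.5.10 80
show run same-security-traffic
show run nat
show run global
```

Two caveats when reading the packet-tracer output: it simulates a cleartext packet arriving on outside, not a decrypted VPN flow, so its access-list phase can report the outside ACL even though sysopt connection permit-vpn exempts real client traffic from that ACL. And because permit-vpn bypasses the interface ACL entirely, any restriction on what VPN clients may reach belongs in a vpn-filter ACL applied in the group-policy, not in a rule on the outside interface, which is why the poster's added outside rule had no effect.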

Jouni - Thanks for all of your help. Everything is working now
