ASA 5505 AnyConnect Issues

metafiend
Level 1

Hello All, 

I am writing this message in hopes of getting things figured out with my AnyConnect deployment. Currently all of the users I have configured this for, including myself, are able to connect using the AnyConnect VPN client. We are able to pull an IP address from the VPN_DHCP pool that is currently configured. However, once connected we are unable to ping or browse any of the remote networks. My current setup is as such. I have an ASA 5505 that is just a firewall at this point. All of my VLANs and routing are done on my Cisco SG-300 that is connected to my ASA 5505 via ethernet0/1 (inside). I am not sure if I need a static route somewhere pointing my VPN pool to my SG-300 or if there is a tiny setting somewhere that I am missing to get this working.

I have attached my current running-config for your review. Along with that I have my version information and sysopt commands that are currently enabled. All exterior (WAN) IPs have been masked for obvious reasons.

Any help would be greatly appreciated. Thank you for reviewing in advance.


P.S. I am fairly new to Cisco and am not as familiar with routes as I'd like to be. So I apologize in advance if this is remedial. 


2 Replies

metafiend
Level 1

I was able to figure it out. However, the fix is not making sense to me. In order for the VPN subnet to communicate with the internal networks I had to create a NAT rule that stated

"nat (inside,any) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static VPN VPN"


Could someone explain to me why this was needed? I shouldn't have had to NAT anything. I simply stumbled onto this as I was all out of ideas.


Thanks!

This is because when you have a dynamic NAT in place for Internet access, VPN return traffic from the LAN to the VPN pool will also hit this unless it is exempted in an identity NAT or NAT exempt like the one you created above.

In your case, the dynamic NAT is:

object network obj_any
 nat (inside,outside) dynamic interface

This doc may help with understanding a bit more:

https://supportforums.cisco.com/document/44566/asa-83-nat-exemption-example-basic-l2l-vpn-and-basic-ra-vpn
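The mechanism described in the reply above, written out as an added example configuration (not the poster's running-config and not from the linked document): the LAN subnet, the AnyConnect pool and the object names are assumed placeholders, and the packet-tracer and show nat commands are the checks that confirm the exemption is actually being matched ahead of the dynamic PAT.

```cisco
! Added example, ASA 8.3+ NAT syntax. Assumed values: LAN 192.168.10.0/24,
! AnyConnect pool 192.168.50.0/24, object names INSIDE_LAN and VPN_POOL.
object network INSIDE_LAN
 subnet 192.168.10.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.50.0 255.255.255.0
!
! Identity (exempt) NAT: LAN <-> VPN pool keeps its real addresses in both
! directions. Manual NAT (section 1) is evaluated before object NAT (section 2),
! so a LAN reply to a VPN client never reaches the dynamic PAT below.
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Dynamic PAT for Internet access (object NAT, section 2) - the rule that would
! otherwise translate VPN return traffic to the outside interface address.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
! Check 1: simulate a LAN host replying to a VPN client. The NAT phase should
! show the identity rule (real address unchanged) and the result should be ALLOW.
packet-tracer input inside icmp 192.168.10.20 8 0 192.168.50.5
!
! Check 2: the identity rule must be listed under "Manual NAT Policies (Section 1)"
! and show a non-zero translate_hits counter after the packet-tracer run.
show nat
```

If the identity rule appears but translate_hits stays at zero, the object definitions do not cover the addresses actually in use (for example a VPN pool that was changed after the rule was written).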