05-23-2016 01:54 PM - edited 02-21-2020 08:49 PM
I have configured a 5520 ASA running 9.1(3) for SSL AnyConnect. I can connect with the AnyConnect client, but I cannot access any networks on the inside of the ASA. The config is attached. I have also created a static route to the VPN-POOL network on my main internal router pointing to the inside interface of this ASA. Any ideas why I can't get to internal resources once connected?
05-23-2016 07:21 PM
Hi there,
Your split-tunnel ACL could be the problem. Can you confirm by going to one of your VPN connected computers, opening a command prompt, and typing route print?
Look for a route to the 10.0.0.0 255.0.0.0 network via your VPN-Pool gateway and interface. If that isn't there, replace your ACL with this:
access-list SplitTunnel extended permit ip object Inside any
Regards,
Tim
05-24-2016 08:57 AM
Thanks for the reply. Routes on the VPN-connected device always show up correctly; even with your correction, I cannot get to internal networks. See below for routes.
Let me know if you can see anything else, but my config is rather basic, so I'm not sure what's going wrong here.
current split tunnel config:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.38.19.1 10.38.19.189 25
10.0.0.0 255.0.0.0 192.168.200.2 192.168.200.1 2
With corrected split-tunnel config above:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.38.19.1 10.38.19.189 25
10.0.0.0 255.0.0.0 192.168.200.2 192.168.200.1 2
05-24-2016 09:28 AM
Hi,
Are you able to ping the inside interface of the ASA ?
Add this command on the ASA:
management-access inside
Now use debug
Use
If you see pings reaching the ASA then use
cap asp type asp-drop all
Use cap asp | in <Anyconnect client IP>
This would confirm whether the ASA is dropping the traffic.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
05-24-2016 09:44 AM
management-access Inside was already in my config.
I cannot ping the inside interface of the ASA from the anyconnect client.
debug icmp trace shows no pings incoming.
sysopt command:
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp Inside
no sysopt noproxyarp Outside
05-24-2016 09:49 AM
Hi,
What do
If debug
access-list test permit
access-list test permit ip host <inside IP> host <Anyconnect ip>
cap capin access-list test interface inside
Regards,
Aditya
05-24-2016 10:19 AM
Thanks for the help, but sadly no difference in these tests.
I ran the following:
cap asp type asp-drop all
my anyconnect client is 192.168.200.1
I ran the following filter on the capture
sh capture asp | inc 192.168
It returns no packets. Without the filter, it returns traffic hitting the inside interface from the inside and a couple of other sources, but nothing from 192.168.
I also created the test ACLs above and ran the following:
access-list test permit ip host 192.168.200.1 host 10.113.0.204
access-list test permit ip host 10.113.0.204 host 192.168.200.1
cap capin access-list test interface inside
I began a ping from the anyconnect client to the Inside interface
the capture captures no traffic.
05-24-2016 11:05 AM
Hi,
That's weird.
That means client traffic is not even reaching the ASA.
Did you try using Anyconnect from any other PC/location ?
Regards,
Aditya
05-24-2016 11:07 AM
I was testing this through a public wifi network, I'll try it from home and couple other places tonight and let you know.
Thanks for all your help.
05-24-2016 05:36 PM
See reply above to Tim. I tried this from two other networks with the same result.
Traffic is reaching the ASA as verified with the show vpn-s any command, but it's just not passing through it.
Thanks again for your help, but I'm as confused as you are.
05-24-2016 11:12 AM
Hey,
Once connected to the VPN, can you go to the ASA and show me the output of "show vpn-s any" please? Are the Bytes TX/RX incrementing?
Do you have any other NAT statements that you didn't show in the config? If so, make sure the one you have there to exempt the VPN traffic is at the top of the list.
Also, I assume the router that has the route to the VPN-pool network pointing to the ASA is the only way your inside clients can get to the ASA? Just want to confirm everything has a route back.
Regards,
Tim
05-24-2016 05:32 PM
See below for show command. The tx/rx did not increment in the couple minutes I ran this command. I tried to ping and RDP to internal locations between show commands.
The full config is listed in my initial post. I purposely tried to make this as simple as possible, so I'm pretty confused at this point why it's not working.
This route is on the main router this ASA and all internal clients are using as a gateway:
ip route 192.168.200.0 255.255.255.0 10.113.0.204
show vpn-s any
Session Type: AnyConnect
Username : <username> Index : 28
Assigned IP : 192.168.200.1 Public IP : 98.193.26.3
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 11048 Bytes Rx : 6820
Group Policy : GroupPolicy_Local Tunnel Group : Local
Login Time : 00:20:01 UTC Wed May 25 2016
Duration : 0h:07m:46s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
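Added example, not code from this thread or from Cisco: a small Python helper that automates the two checks the replies ask for, namely whether "route print" on the client holds a split-tunnel route through the VPN adapter for the protected network (Tim's first reply), and whether Bytes Tx/Rx in "show vpn-s any" actually advance between two samples taken a minute apart (Tim's later reply). The samples are constructed from the outputs quoted in this thread; the second session sample with larger counters is made up for illustration.

```python
import ipaddress
import re

# Constructed from the route print output quoted in the thread.
ROUTE_PRINT = """IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.38.19.1    10.38.19.189     25
         10.0.0.0        255.0.0.0    192.168.200.2   192.168.200.1      2
"""

# Constructed from the show vpn-sessiondb output in the thread (T0) and a
# made-up later sample (T1) in which both counters have grown.
SESSION_T0 = "Bytes Tx : 11048 Bytes Rx : 6820\nGroup Policy : GroupPolicy_Local"
SESSION_T1 = "Bytes Tx : 13120 Bytes Rx : 7510\nGroup Policy : GroupPolicy_Local"

# destination, netmask, gateway (IP or "On-link"), interface, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")
BYTES_RE = re.compile(r"Bytes Tx\s*:\s*(\d+)\s+Bytes Rx\s*:\s*(\d+)")

def vpn_routes(route_print, vpn_adapter_ip):
    """Return (network, gateway) pairs whose exit interface is the VPN adapter."""
    found = []
    for line in route_print.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # header, separator or non-route line
        dest, mask, gw, iface, _metric = m.groups()
        if iface == vpn_adapter_ip:
            found.append((ipaddress.ip_network(f"{dest}/{mask}"), gw))
    return found

def covers(route_print, vpn_adapter_ip, target):
    """True if a VPN-adapter route contains the target host or network."""
    net = ipaddress.ip_network(target, strict=False)
    return any(net.subnet_of(r) for r, _ in vpn_routes(route_print, vpn_adapter_ip))

def tunnel_counters(session_output):
    """Extract (tx, rx) byte counters from one 'show vpn-s any' sample."""
    m = BYTES_RE.search(session_output)
    if not m:
        raise ValueError("no Bytes Tx/Rx line in sample")
    return int(m.group(1)), int(m.group(2))

def traffic_flowing(sample_before, sample_after):
    """True only if both Tx and Rx advanced between the two samples."""
    tx0, rx0 = tunnel_counters(sample_before)
    tx1, rx1 = tunnel_counters(sample_after)
    return tx1 > tx0 and rx1 > rx0
```

With the thread's own data, covers() confirms the 10.0.0.0/8 route to the ASA inside address is present on the client, while traffic_flowing() on two identical samples returns False, which matches the poster's observation that the counters never moved.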
05-24-2016 05:38 PM
Hi,
Are you even able to ping the inside IP of the ASA ?
Regards,
Aditya
05-24-2016 05:40 PM
No, I cannot ping the inside interface of the asa from the connected VPN client.
Do you think this has anything to do with the anyconnect client version? I am using an older client because I'm out of license period on this ASA. I am running a 3.1 client.
05-24-2016 05:41 PM
Hi,
That's the only thing I can think about.
It's an old version so if you could try using a newer client that would be great.
Regards,
Aditya