
ASA VPN Access to Internal Network

Level 1

We have ASA5510s and I've configured an SSL VPN using AnyConnect. The VPN address pool is and our internal network is 10.10.20.0/24. After successful login using LDAP, the client receives an address from the pool, but cannot access anything on the internal network. I've toyed with access lists and NAT exemption, but to no avail. What do I need to do?


8 Replies

Yudong Wu
Level 7

Can you post your configuration?

In general, it is caused by a misconfiguration of NAT or routing.

I'd rather not, as this is quite a large configuration and I don't have time to change the public IP addresses. You have the networks listed above and can use "inside" and "outside" for the interfaces. Can you just give me the "short answer", such as: the access rule should be xxx, the NAT exemption should be yyy, and the routing should be zzz. I'd really appreciate that, as it would expand my understanding of this product. Thanx!

For NAT bypass, it should look like the following:

access-list nonat permit ip

nat (inside) 0 access-list nonat

You don't need to permit this VPN traffic on the outside interface, since VPN traffic bypasses the interface ACL check automatically.

When a VPN client is connected to the ASA, a static route should be added automatically to the routing table. But you need to make sure the internal host forwards traffic destined for the VPN client 10.10.10.x to the ASA.
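The pieces from the reply above, written out as one complete ASA configuration fragment. This is an added example and not the poster's configuration; it assumes the ASA inside interface is 10.10.20.1/24, that the AnyConnect pool is 10.10.10.0/24 (the thread only shows "10.10.10.x"), pre-8.3 NAT syntax (nat 0 access-list, as in the reply), and the hypothetical object names VPN_POOL, ANYCONNECT_GP, ANYCONNECT_TG and SPLIT_TUNNEL. The webvpn/AnyConnect image and LDAP settings are omitted because the original post says login already succeeds.

```cisco
! Added example, not the original poster's config. Assumed values:
!   inside interface 10.10.20.1/24
!   AnyConnect address pool 10.10.10.0/24
!   ASA 8.2-style NAT syntax (nat 0 access-list)
!
! 1. Address pool handed to AnyConnect clients
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! 2. NAT exemption: LAN <-> VPN pool traffic must not be translated
access-list nonat extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 3. Optional split tunnel: only the LAN prefix goes through the tunnel
access-list SPLIT_TUNNEL standard permit 10.10.20.0 255.255.255.0
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 4. Bind pool and policy to the AnyConnect tunnel group
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool VPN_POOL
 default-group-policy ANYCONNECT_GP
!
! No outside-interface ACL entry is needed for decrypted VPN traffic while
! "sysopt connection permit-vpn" (the default) is in effect.
!
! 5. Return path: every LAN host must send 10.10.10.0/24 back to the ASA's
! inside address. If the hosts' default gateway is an internal router
! rather than the ASA, add there (IOS syntax, assumed):
!   ip route 10.10.10.0 255.255.255.0 10.10.20.1
!
! 6. Verification: the per-client host route the ASA installs, and a
! capture that must show both directions (request and reply)
! show route | include 10.10.10
! access-list capin extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
! access-list capin extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
! capture in access-list capin interface inside
! show capture in
```

If the capture shows only requests from the client and no replies from the LAN host, the ASA side is working and the problem is the return route (step 5), exactly the failure mode the poster hit later in this thread with a test ASA that was not the hosts' default gateway.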

OK, I understand (and have implemented) the access-list and the nat statements. By "But you need make sure the internal host should forward the traffic to vpn client 10.10.10.x to the ASA", I'm assuming that you mean that the default gateway for internal hosts should be the IP of the inside interface - and it is. I still can't get the VPN client to connect to an internal host, however. Any suggestions? Thanx!

Ok, do a packet capture on the inside interface,

access-list capin permit ip host 10.10.10.x host 10.10.20.x

access-list capin permit ip host 10.10.20.x host 10.10.10.x

capture in access-list capin interface inside

then initiate the traffic from client to server, and use "show capture capin" to see if you can see the traffic in both directions.

By the way, is there any FW on your server which might block the access from vpn client?

I set up and looked at the captures and only saw inbound traffic from the client. That will cause the issue, but what do I need to do to allow the VPN address pool access to the internal network? There is no firewall on the client nor on the server.

   1: 09:10:47.606490 > icmp: echo request
   2: 09:10:53.053982 > icmp: echo request
   3: 09:10:58.543154 > icmp: echo request
   4: 09:11:04.045407 > icmp: echo request

As I'm working with a test ASA, using a different IP for the inside interface, I will try to configure a device on the inside network with a default gateway of the test ASA to see if that works. If that works, then I can set up the production ASA the same way as all devices use that inside IP as their default gateway.

Eureka! I set up an internal machine with the default gateway of the test ASA and it worked - that was really dumb of me not to remember that the internal devices do not know the test ASA's IP to use as a default gateway! Thanx for all your help - it rearranged my thinking.

   1: 09:23:07.826876 > icmp: echo request
   2: 09:23:07.827914 > icmp: echo reply
   3: 09:23:08.875687 > icmp: echo request
   4: 09:23:08.876663 > icmp: echo reply
   5: 09:23:09.850419 > icmp: echo request
   6: 09:23:09.851365 > icmp: echo reply
   7: 09:23:10.836626 > icmp: echo request
   8: 09:23:10.837511 > icmp: echo reply

Good, glad I can help here.