05-16-2022 01:50 PM
Hello, a little bit of a newbie when it comes to Cisco ASA and setting up the VPN, but I have it configured and am not able to ping anything internally. Please advise; if you need to see my config I will be happy to provide it.
05-19-2022 09:55 AM - edited 05-19-2022 09:56 AM
This is normal, since the packet-tracer command will look at the ACL, but your actual traffic will bypass the outside ACL as you have sysopt permit-vpn in your configuration.
Chris, check your routing. You need to fix that. Your return traffic is going to the SonicWall, which has nothing to do with what we have been presented with so far. I am unable to understand your architecture and scenario here: where in the picture are the ASA and the SonicWall?
At this moment we do not know the big picture. One thing you can do to test is add ip route 192.168.15.10 255.255.255.255 172.22.45.13 on the device with IP 172.22.45.1.
05-16-2022 01:58 PM
Without seeing the config we can't know what the issue is,
BUT
do you configure NAT exception?
do you configure the right ACL for split tunnel, reflecting the ANYCONNECT POOL and INSIDE-LAN?
05-16-2022 02:04 PM
05-16-2022 02:16 PM
access-list Split-Tunnel standard permit 192.168.15.0 255.255.255.0 <- this must be the INSIDE that AnyConnect can connect to?
The config is missing the VPN POOL address?
Since I don't know the VPN POOL subnet, I cannot be sure if you configured the NAT exception or not.
05-17-2022 06:49 AM
@MHM Cisco World yes, the IP scheme 192.168.15.0 255.255.255.0 needs to be able to access internal resources. The VPN Pool should be the VPN POOL 2.
05-17-2022 07:21 AM
192.168.15.0 <- is this the subnet of Inside or the VPN Pool?
I cannot see a VPN pool in your config!!
05-17-2022 07:49 AM
@MHM Cisco World This is the VPN Pool --> 192.168.15.0
05-17-2022 08:07 AM - edited 05-17-2022 08:11 AM
That is then not correct.
In the Split-acl standard ACL you must specify the INSIDE subnet, not the VPN POOL.
Also you need a NAT exception:
nat (outside,inside) source static INSIDE INSIDE destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
05-17-2022 08:10 AM
@MHM Cisco World could you provide an example please?
05-17-2022 08:24 AM
Sure, check this doc for Split tunnel.
05-17-2022 08:51 AM
A few things are missing here:
1. Your split tunnel does not appear to be correct because:
a. Your AnyConnect pool is 192.168.15.0/24 and you are using the same subnet in the split tunnel; it actually should be the destination subnets that you need to access over VPN, for example: access-list Split-Tunnel standard permit 10.0.0.0 255.0.0.0
2. You do not have the NAT to allow the VPN pool subnet to access internal resources; for example, you need something like this:
nat (outside,inside) source static obj-AnyConnectPool obj-AnyConnectPool destination static internalSUBNETS internalSUBNETS no-proxy-arp route-lookup
3. I am not sure of your internal network topology, but if there are some networks behind another layer 3 device, you may need to add the route to your AnyConnect pool and redistribute it (this step depends on your topology, as you do have a default route), but I would check that too:
route outside 192.168.15.0 255.255.255.0 190.110.209 1 track 1
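An added example, not from the thread or from any poster: a small Python check that flags the two problems the reply above describes, a split-tunnel ACL that lists the AnyConnect pool itself and a missing identity (twice) NAT exemption from the pool to the inside network. The config fragment, the inside subnet 172.22.45.0/24 and the object names obj-AnyConnectPool / obj-InsideLAN are constructed assumptions.

```python
import ipaddress
import re

# Constructed ASA fragment reproducing the thread's two mistakes: the
# split-tunnel ACL lists the AnyConnect pool, and no NAT exemption exists.
# Pool name is from the thread; object names and inside subnet are assumed.
BAD_CFG = """\
ip local pool VPN_POOL_2 192.168.15.10-192.168.15.200 mask 255.255.255.0
access-list Split-Tunnel standard permit 192.168.15.0 255.255.255.0
object network obj-AnyConnectPool
 subnet 192.168.15.0 255.255.255.0
object network obj-InsideLAN
 subnet 172.22.45.0 255.255.255.0
"""

# The same fragment after applying the advice in the reply above.
GOOD_CFG = BAD_CFG.replace(
    "permit 192.168.15.0 255.255.255.0", "permit 172.22.45.0 255.255.255.0"
) + ("nat (outside,inside) source static obj-AnyConnectPool obj-AnyConnectPool "
     "destination static obj-InsideLAN obj-InsideLAN no-proxy-arp route-lookup\n")


def pool_network(cfg, name):
    """Network (first address / mask) that contains the named 'ip local pool'."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+)-\S+ mask (\S+)", cfg, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def split_tunnel_networks(cfg, acl):
    """Networks permitted by a standard ACL used as the split-tunnel list."""
    pat = rf"^access-list {re.escape(acl)} standard permit (\S+) (\S+)"
    return [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(pat, cfg, re.M)]


def has_nat_exemption(cfg, pool_obj, inside_obj):
    """True if an identity twice-NAT rule pool->inside (no translation) exists."""
    p, i = re.escape(pool_obj), re.escape(inside_obj)
    pat = rf"^nat \(\S+,\S+\) source static {p} {p} destination static {i} {i}"
    return re.search(pat, cfg, re.M) is not None


def audit(cfg, pool="VPN_POOL_2", acl="Split-Tunnel",
          pool_obj="obj-AnyConnectPool", inside_obj="obj-InsideLAN"):
    """Return findings as strings; an empty list means both checks passed."""
    findings, pool_net = [], pool_network(cfg, pool)
    for net in split_tunnel_networks(cfg, acl):
        if net.overlaps(pool_net):  # the list must name inside subnets, not the pool
            findings.append(f"ACL {acl} lists {net}, which overlaps pool {pool_net}")
    if not has_nat_exemption(cfg, pool_obj, inside_obj):
        findings.append(f"no NAT exemption from {pool_obj} to {inside_obj}")
    return findings
```

Running audit() on the output of "show running-config" pasted into a file gives the same two findings the thread arrives at by hand.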
05-17-2022 12:39 PM
@MHM Cisco World and @SinghRaminder, so I made the changes but it still won't let me access any resources. See the updated config.
05-17-2022 01:45 PM
A few things here again:
1. Provide the output of show run all sysopt.
2. You do not need the highlighted line below:
access-list Split-Tunnel standard permit 192.168.15.0 255.255.255.0
3. Provide the output of this command here, assuming ICMP is allowed:
packet-tracer input <inside> icmp 172.22.45.11 8 0 192.168.15.55
4. Your NAT looks fine; tunnel-group and group-policy appear to be fine.
5. Can you make sure the routing is fine, that the subnets know how to reach each other if 172.22.45.11 is behind another layer 3 device?
6. I also see you have a VPN address pool called VPN_POOL_2; can you make sure it has the 192.168.15.0/24 subnet in it?
05-17-2022 02:00 PM
@MHM Cisco World and @SinghRaminder, I had to do the packet trace on the ASDM as it wouldn't let me on the command string; see the attached results. Also, the VPN_POOL_2 does have a subnet on it.
show run all sysopt:
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp isp2
no sysopt noproxyarp inside_port
no sysopt noproxyarp inside
no sysopt noproxyarp hvac
no sysopt noproxyarp nvr_warehouse
no sysopt noproxyarp voice
no sysopt noproxyarp physecvideo
no sysopt noproxyarp physecaccess
no sysopt noproxyarp physec_irms
05-17-2022 02:42 PM
You probably typed <inside>.
This was for reference only, as you need to type your internal interface, which could be named inside.
I actually need to see the route lookup output. It's possible ICMP is not allowed inside to outside.
I'm not sure if I can ask for WebEx, but I can do a quick video chat with you and check your setup... Check your messages if you are up for it.