05-16-2022 01:50 PM
Hello, I'm a little bit of a newbie when it comes to Cisco ASA and setting up the VPN. I have it configured but I am not able to ping anything internally. Please advise if you need to see my config; I will be happy to provide it.
05-19-2022 08:30 AM
Friend, you attached this config and I don't see the POOL??
Maybe I am wrong.
05-17-2022 07:31 AM
A few things are missing here:
1. Your split tunnel does not appear to be correct because:
a. Your AnyConnect pool is 192.168.15.0/24 and you are using the same subnet in the split tunnel. It should actually be the destination subnets that you need to access over the VPN, for example: access-list Split-Tunnel standard permit 10.0.0.0 255.0.0.0
2. You do not have the NAT to allow the VPN pool subnet to access internal resources. For example, you need something like this:
nat (outside,inside) source static obj-AnyConnectPool obj-AnyConnectPool destination static internalSUBNETS internalSUBNETS no-proxy-arp route-lookup
3. I am not sure of your internal network topology, but if there are some networks behind another layer 3 device, you may need to add the route to your AnyConnect pool and redistribute it (this step depends on your topology, as you do have a default route), but I would check that too:
route outside 192.168.15.0 255.255.255.0 12.190.110.209 1 track 1
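A small lint for the first two points above, written as an added example (not the poster's config, not the answer's code and nothing from Cisco): it runs over a constructed ASA fragment and reports a split-tunnel ACL that lists the pool instead of the internal subnets, and a missing identity (NAT-exempt) rule between the internal subnet and the pool. The `ip local pool` line and the `object network` definitions are assumptions modelled on the names in the thread.

```python
import ipaddress
import re

# Constructed ASA fragment modelled on the thread. The pool line and the
# object definitions are assumptions; the object names are the poster's.
ASA_CONFIG = """\
ip local pool VPN_POOL_2 192.168.15.10-192.168.15.100 mask 255.255.255.0
object network NETWORK_OBJ_172.22.45.0_24
 subnet 172.22.45.0 255.255.255.0
object network NETWORK_OBJ_192.168.15.0_24
 subnet 192.168.15.0 255.255.255.0
access-list Split-Tunnel standard permit 192.168.15.0 255.255.255.0
nat (inside,outside) 1 source static NETWORK_OBJ_172.22.45.0_24 NETWORK_OBJ_172.22.45.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
"""

def parse_objects(cfg):
    """Map each 'object network' name to the subnet it defines."""
    objs, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("object network "):
            name = line.split()[2]
        elif name and line.strip().startswith("subnet "):
            _, addr, mask = line.split()
            objs[name] = ipaddress.ip_network(f"{addr}/{mask}")
    return objs

def parse_pool(cfg, name):
    m = re.search(rf"^ip local pool {name} (\S+)-\S+ mask (\S+)", cfg, re.M)
    return ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)

def split_tunnel_nets(cfg, acl):
    hits = re.findall(rf"^access-list {acl} standard permit (\S+) (\S+)", cfg, re.M)
    return [ipaddress.ip_network(f"{a}/{m}") for a, m in hits]

NAT_RE = r"^nat \((\w+),(\w+)\) (?:\d+ )?source static (\S+) (\S+) destination static (\S+) (\S+)"
def lint(cfg, pool_name, acl, internal):
    """Return the findings a reviewer of this thread would raise (empty list = clean)."""
    pool, objs, internal = parse_pool(cfg, pool_name), parse_objects(cfg), ipaddress.ip_network(internal)
    nets, findings = split_tunnel_nets(cfg, acl), []
    if any(n.overlaps(pool) for n in nets):
        findings.append("split-tunnel ACL lists the VPN pool itself; list the destination subnets instead")
    if not any(internal.subnet_of(n) for n in nets):
        findings.append(f"split-tunnel ACL does not cover internal subnet {internal}")
    # Identity NAT: real == mapped on both sides, between the internal subnet and the pool.
    exempt = any(objs.get(m[3]) == objs.get(m[4]) and objs.get(m[5]) == objs.get(m[6])
                 and {objs.get(m[3]), objs.get(m[5])} == {internal, pool}
                 for m in re.finditer(NAT_RE, cfg, re.M))
    if not exempt:
        findings.append("no identity (NAT-exempt) rule between the internal subnet and the VPN pool")
    return findings
```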
05-17-2022 03:31 PM
tunnel-group LifeShareVPN type remote-access
tunnel-group LifeShareVPN general-attributes
 address-pool VPN_POOL_2
 authentication-server-group ActiveDirectory
 default-group-policy GroupPolicy_LifeShareVPN
tunnel-group LifeShareVPN webvpn-attributes
 group-alias LifeShareVPN enable

group-policy GroupPolicy_LifeShareVPN internal
group-policy GroupPolicy_LifeShareVPN attributes
 wins-server none
 dns-server value 172.22.45.115 172.22.45.116
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain value lifeshare.int

webvpn
 port 444
 enable outside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-win-4.10.04071-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable

nat (inside,outside) 1 source static NETWORK_OBJ_172.22.45.0_24 NETWORK_OBJ_172.22.45.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup

access-list Split-Tunnel standard permit 192.168.15.0 255.255.255.0   <- remove
access-list Split-Tunnel standard permit 172.22.45.0 255.255.255.0
There are two points.
First, push the NAT up by adding the number 1.
Second, why did you not remove the OLD ACL?
Do this, then do packet-tracer and share the output here.
05-18-2022 11:53 AM
@MHM Cisco World and @SinghRaminder I was able to determine, with some help from Singh, that this is boiling down to an ACL issue where I am missing an ACL.
05-18-2022 12:36 PM
So this issue is solved?
05-18-2022 01:10 PM
@MHM Cisco World and @SinghRaminder no, we are still looking at which ACLs I am missing.
05-18-2022 01:57 PM
@chris.bias I sent you a message, check it.
Thanks
05-18-2022 02:22 PM - edited 05-18-2022 02:22 PM
https://www.petenetlive.com/KB/Article/0001298
This link shows you how to do packet-tracer for AnyConnect.
Share the output here; we can find which ACL is dropping the traffic.
Please note that AnyConnect must not be in use.
05-19-2022 06:41 AM
@MHM Cisco World and @SinghRaminder here is the output:
vpn# packet-tracer input inside icmp 172.22.45.13 8 0 192.168.15.10
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 12.190.110.209 using egress ifc outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_172.22.45.0_24 NETWORK_OBJ_172.22.45.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.15.10/0 to 192.168.15.10/0
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055e35b571b00 flow (NA)/NA
vpn#
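To read traces like the one above without eyeballing every phase, here is an added parser (my own example, not code from the thread or from Cisco) that finds the phase with Result: DROP and the drop reason. The trace embedded in it is a constructed, abridged copy of the shape of the output posted above, with a placeholder frame address.

```python
# Constructed, abridged packet-tracer output in the shape of the trace posted in the thread.
TRACE = """\
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
Found next-hop 12.190.110.209 using egress ifc outside
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0 flow (NA)/NA
"""

def parse_trace(trace):
    # Split a trace into per-phase dicts plus the trailing summary block.
    phases, summary, cur, section = [], {}, None, None
    for line in trace.splitlines():
        key, sep, val = line.partition(":")
        val = val.strip()
        if key == "Phase":
            cur, section = {"phase": int(val), "type": "", "result": "", "config": []}, None
            phases.append(cur)
        elif key == "Result" and not val:      # a bare "Result:" opens the final summary
            cur, section = None, "summary"
        elif section == "summary" and sep:
            summary[key] = val
        elif cur is None:
            continue
        elif key in ("Type", "Result"):
            cur[key.lower()] = val
        elif key in ("Config", "Additional Information") and not val:
            section = key
        elif section == "Config":              # the rule or route the phase matched on
            cur["config"].append(line)
    return phases, summary

def explain_drop(trace):
    """Return the phase and reason that dropped the flow, or None if it was allowed."""
    phases, summary = parse_trace(trace)
    if summary.get("Action") != "drop":
        return None
    reason = summary.get("Drop-reason", "").split(", Drop-location")[0]
    bad = next((p for p in phases if p["result"] == "DROP"), None)
    if bad is None:   # e.g. (no-route): no phase failed explicitly, the egress lookup just found no path
        return {"phase": None, "type": None, "reason": reason, "config": []}
    return {"phase": bad["phase"], "type": bad["type"], "reason": reason, "config": bad["config"]}
```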
05-19-2022 06:54 AM
vpn# packet-tracer input outside icmp 192.168.15.10 8 0 172.22.45.13
05-19-2022 07:00 AM
@MHM Cisco World and @SinghRaminder see output:
vpn# packet-tracer input outside icmp 192.168.15.10 8 0 172.22.45.13
Phase: 1
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Phase: 3
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Phase: 4
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000055e35b57a40e flow (NA)/NA
vpn#
05-19-2022 07:04 AM
192.168.15.10 <- this IP is already used by one AnyConnect host; try another IP from the VPN pool that is NOT in use.
05-19-2022 07:16 AM
@MHM Cisco World and @SinghRaminder see output:
vpn# packet-tracer input outside icmp 192.168.15.20 8 0 172.22.45.13
Phase: 1
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Phase: 3
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Phase: 4
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000055e35b57a40e flow (NA)/NA
vpn#
05-19-2022 07:29 AM
vpn# packet-tracer input outside tcp 192.168.15.20 12345 172.22.45.13 80
ICMP is always a headache in ASA; try TCP.
05-19-2022 07:31 AM
@MHM Cisco World see the below output:
vpn# packet-tracer input outside tcp 192.168.15.20 12345 172.22.45.13 80
Phase: 1
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Phase: 3
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Phase: 4
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000055e35b57a40e flow (NA)/NA
vpn#