10-27-2011 12:01 PM
Hello,
I'm trying to use the AnyConnect VPN client, but I can't access my local network when I'm connected to the VPN. I can access the internet and my DMZ. I already tried split tunnel and NAT exempt rules to access my inside net, but no success.
So I have configured the VPN client address pool to 172.20.240.0-172.20.240.10. I don't know if that's what is causing the problems, but I tried configuring using 10.10.10.0/24 and it's still the same. Besides having no connectivity to the inside VLANs, everything is working just fine.
Any ideas?
10-29-2011 02:05 AM
The VPN Client pool needs to be a unique subnet, so if 10.10.10.0/24 is a unique subnet, then it's good.
Secondly, add "management-access inside" on the ASA, and see if you can ping the ASA inside interface (172.20.0.2).
Lastly, check if your core switch has a route for 10.10.10.0/24 towards the ASA inside interface (172.20.0.2).
10-31-2011 11:29 AM
Hi Jennifer, thanks for your reply,
The management access was already configured, and I am using the 10.10.10.0/24 pool for the clients. When I use this pool I have no access to my DMZ and no access to the inside net, but I can access (ping) the ASA at 172.20.0.2. I have no access to the whole net under the c6500, and I kind of need to access my proxy server at 172.20.0.45.
For this test I did not configure split tunnels or NAT exempt rules.
Thanks in advance,
Paulo
10-31-2011 11:36 AM
Almost forgot,
the c6500 has a default route to 172.20.0.2.
11-02-2011 10:19 AM
I managed to get this to work... I configured a NAT exemption in both directions, source 10.10.10.0/24 and dest 172.16.0.0/12 and the other way around... Everything is working fine, except that now the internet access isn't working while connected using the AnyConnect client. It works if I use split tunnel, but if I use split tunnel my outgoing IP address is my home ISP's, and the AnyConnect clients need to surf the web using the IPs of my institute. Is that possible?
Tears,
Paulo
11-03-2011 06:30 AM
Yes, it is possible.
Are you going to use your internal proxy server when you are using AnyConnect, or do you just want to NAT the traffic using the ASA IP address?
If you are going to use the proxy server, then I assume that it is an explicit proxy, and in that case, all you need to configure is the proxy server IP address/subnet in the split tunnel ACL.
However, if you don't want to use the proxy server, then you can disable split tunnel and send all traffic through the VPN tunnel. If the ASA is providing the u-turn traffic to the Internet, then you would need to configure "same-security-traffic permit intra-interface", and also configure NAT for the VPN pool on the outside interface.
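The full-tunnel option described in this reply, together with the NAT exemption mentioned earlier in the thread, written out as an added example (not configuration posted by anyone in the thread). It assumes ASA 8.3 or later NAT syntax, interfaces named inside and outside, and the object name INSIDE-NETS; the pool and inside range are the ones quoted in the thread.

```cisco
! Added example. Assumptions: ASA 8.3+ syntax, nameif "inside"/"outside",
! object name INSIDE-NETS is hypothetical. Addresses are from the thread.

! AnyConnect address pool and the internal range reached through the tunnel
object network VPNPOOL
 subnet 10.10.10.0 255.255.255.0
object network INSIDE-NETS
 subnet 172.16.0.0 255.240.0.0

! NAT exemption (identity NAT) between the inside range and the VPN pool.
! A twice-NAT rule is bidirectional, so one line covers both directions.
nat (inside,outside) source static INSIDE-NETS INSIDE-NETS destination static VPNPOOL VPNPOOL

! Let decrypted VPN traffic leave through the interface it arrived on (u-turn)
same-security-traffic permit intra-interface

! Dynamic PAT for the VPN pool on the outside interface, so clients reach
! the Internet from the ASA's outside address instead of their home ISP
object network VPNPOOL
 nat (outside,outside) dynamic interface
```

With split tunnel disabled, every client flow now crosses the ASA, so the outside access policy and logging apply to remote users' Internet traffic as well.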
11-03-2011 07:30 AM
OK Jennifer, I'll try doing the "non-proxy" configuration; the "with proxy" one already worked!
Thanks a lot,
11-03-2011 03:51 PM
Hello Jennifer,
Turns out you were right: add a dynamic NAT source VPNPOOL on the outside interface and everything works! Inside, DMZ and outside connectivity...
Thank you, Jennifer
Tears,
Paulo
03-02-2019 06:40 AM