Can't access inside net over VPN Any Connect Client

paulohenirque (Level 1)

Hello,

I'm trying to use the VPN AnyConnect client, but I can't access my local network when I'm connected to the VPN. I can access the Internet and my DMZ. I already tried split tunnel and NAT exempt rules to access my inside net, but no success. (Attachment: Diagrama1.png)

So I have configured the VPN client address pool to 172.20.240.0-172.20.240.10. I don't know if that's what is causing the problems, but I tried configuring it using 10.10.10.0/24 and it's still the same. Besides having no connectivity to the inside VLANs, everything is working just fine.

Any ideas?


8 Replies

Jennifer Halim (Cisco Employee)

The VPN Client pool needs to be a unique subnet, so if 10.10.10.0/24 is a unique subnet, then it's good.

Secondly, add "management-access inside" on the ASA, and see if you can ping the ASA inside interface (172.20.0.2).

Lastly, check if your core switch has route for 10.10.10.0/24 towards the ASA inside interface (172.20.0.2).

Hi Jennifer, thanks for your reply,

The management access was already configured, and I'm using the 10.10.10.0/24 pool for the clients. So when I use this pool I have no access to my DMZ and no access to the inside net, but I can access (ping) the ASA at 172.20.0.2. The whole net under the C6500 I have no access to, and I kind of need to access my proxy server at 172.20.0.45.

For this test I did not configure split tunnels or any NAT exempt rules.

Thanks in advance ,

Paulo

Almost forgot,

the C6500 has a default route to 172.20.0.2.

I managed to get this to work... I configured a NAT exemption in both directions: source 10.10.10.0/24 and dest 172.16.0.0/12, and the other way around... Everything is working fine, except now the Internet access isn't working while connected using the AnyConnect client. It works if I use split tunnel, but if I use split tunnel my outgoing IP address is my home's ISP's, but the AnyConnect clients need to surf the web using the IPs of my Institute. Is that possible????

Tears,

Paulo

Yes, it is possible.

Are you going to use your internal proxy server when you are using AnyConnect, or you just want to NAT the traffic using the ASA ip address?

If you are going to use proxy server, then I assume that it is an explicit proxy, and in that case, all you need to configure is the proxy server ip address/subnet in the split tunnel ACL.

However, if you don't want to use the proxy server, then you can disable split tunnel and send all traffic through the VPN tunnel. If the ASA is providing the u-turn traffic to the Internet, then you would need to configure "same-security-traffic permit intra-interface", and also configure NAT for the VPN pool on the outside interface.
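The "non-proxy" (tunnel-all, u-turn) configuration described in the answer above, written out as an added example; it is not configuration from the thread. It assumes ASA 8.3 or later NAT syntax, the 10.10.10.0/24 pool and 172.16.0.0/12 inside range mentioned in the thread, and a hypothetical group-policy name ANYCONNECT_GP.

```cisco
! Added example (not from the thread). Assumes ASA 8.3+ syntax.
! Goal: AnyConnect clients reach inside/DMZ and exit to the Internet
! via the ASA's outside address (hairpin / u-turn).

! 1. Allow traffic to enter and leave on the same (outside) interface.
same-security-traffic permit intra-interface

! 2. Objects for the VPN pool and the internal address space.
object network VPNPOOL
 subnet 10.10.10.0 255.255.255.0
object network INSIDE_NETS
 subnet 172.16.0.0 255.240.0.0

! 3. NAT exemption (identity NAT) so inside <-> VPN pool traffic is not translated.
!    no-proxy-arp and route-lookup avoid the ASA answering ARP for inside hosts
!    and let it use the routing table instead of the NAT rule for egress.
nat (inside,outside) source static INSIDE_NETS INSIDE_NETS destination static VPNPOOL VPNPOOL no-proxy-arp route-lookup

! 4. Dynamic PAT for the VPN pool on the outside interface (outside -> outside).
!    This is the "dynamic NAT source VPNPOOL on outside" step.
nat (outside,outside) source dynamic VPNPOOL interface

! 5. Send all client traffic through the tunnel (no split tunnel).
!    ANYCONNECT_GP is a hypothetical group-policy name.
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelall

! Verification (run from enable mode):
!   show nat               - confirm rule order and hit counts
!   show xlate | include 10.10.10.   - confirm PAT entries for connected clients
```

Keep the exemption rule (step 3) above the dynamic rule (step 4); the ASA evaluates manual NAT rules in order, so a client-to-inside flow matched by the PAT rule first would be translated and break inside access again.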

OK Jennifer, I'll try doing the "non-proxy" configuration; the "with proxy" one already worked!

Thanks a lot,

Hello Jennifer,

Turns out you were right. I added a dynamic NAT source VPNPOOL on the outside interface and everything works! Inside, DMZ and outside connectivity.....

Thank you Jennifer

Tears,

Paulo

Can you write the command for enabling dynamic NAT, please?