Can't access inside net over VPN Any Connect Client

Hello,

I'm trying to use the VPN AnyConnect client, but I can't access my local network when I'm connected to the VPN. I can access the Internet and my DMZ. I already tried split tunnel and NAT exempt rules to access my inside net, but no success. [Attachment: Diagrama1.png]

So I have configured the VPN client address pool to 172.20.240.0-172.20.240.10. I don't know if that's what is causing the problems, but I tried configuring it using 10.10.10.0/24 and it was still the same. Apart from having no connectivity to the inside VLANs, everything is working just fine.

Any ideas?

8 REPLIES
Cisco Employee

The VPN Client pool needs to be a unique subnet, so if 10.10.10.0/24 is a unique subnet, then it's good.

Secondly, add "management-access inside" on the ASA, and see if you can ping the ASA inside interface (172.20.0.2).

Lastly, check if your core switch has a route for 10.10.10.0/24 towards the ASA inside interface (172.20.0.2).


Hi Jennifer, thanks for your reply,

The management access was already configured, and I'm using the 10.10.10.0/24 pool for the clients. When I use this pool I have no access to my DMZ and no access to the inside net, but I can access (ping) the ASA at 172.20.0.2. I have no access to the whole net under the C6500, and I kind of need to access my proxy server at 172.20.0.45.

For this test I did not configure split tunnels or any NAT exempt rules.

Thanks in advance,

Paulo

Almost forgot,

the C6500 has a default route to 172.20.0.2.

I managed to get this to work. I configured a NAT exemption in both directions, source 10.10.10.0/24 and dest 172.16.0.0/12 and the other way around. Everything is working fine, except that now Internet access isn't working while connected using the AnyConnect client. It works if I use split tunnel, but if I use split tunnel my outgoing IP address is my home ISP's, and the AnyConnect clients need to surf the web using the IPs of my institute. Is that possible?

Cheers,

Paulo

Yes, it is possible.

Are you going to use your internal proxy server when you are using AnyConnect, or you just want to NAT the traffic using the ASA ip address?

If you are going to use proxy server, then I assume that it is an explicit proxy, and in that case, all you need to configure is the proxy server ip address/subnet in the split tunnel ACL.

However, if you don't want to use the proxy server, then you can disable split tunnel, and send all traffic through the VPN tunnel. If the ASA is providing the u-turn traffic to the Internet, then you would need to configure "same-security-traffic permit intra-interface", and also configure NAT for the VPN pool on the outside interface.

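The two variants described in the answer above, written out as an added ASA configuration example (not the poster's or Cisco's own config). It assumes ASA 8.3+ NAT syntax and uses the addresses from this thread (pool 10.10.10.0/24, inside nets 172.16.0.0/12, proxy 172.20.0.45, ASA inside 172.20.0.2); the object, ACL, group-policy and tunnel-group names are made up for the example.

```cisco
! AnyConnect address pool (10.10.10.0/24, a subnet not used anywhere inside)
ip local pool ANYCONNECT_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

object network VPN_POOL_NET
 subnet 10.10.10.0 255.255.255.0
object network INSIDE_NETS
 subnet 172.16.0.0 255.240.0.0

! 1. "NAT exempt" in both directions: inside hosts and VPN clients keep their
!    real addresses, so a client can reach the proxy at 172.20.0.45.
!    Manual NAT is evaluated in order, so keep this line above any broader
!    inside-to-outside dynamic PAT rule.
nat (inside,outside) source static INSIDE_NETS INSIDE_NETS destination static VPN_POOL_NET VPN_POOL_NET

! 2. Let the tunnel reach the ASA's own inside interface (172.20.0.2) for ping/mgmt
management-access inside

! 3a. Option A - clients use the internal explicit proxy: split-tunnel only the
!     proxy host; everything else leaves directly from the client's own ISP.
access-list SPLIT_TUNNEL standard permit host 172.20.0.45
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 3b. Option B (instead of 3a) - no proxy: tunnel all traffic, and let the ASA
!     u-turn Internet traffic back out of the outside interface, PATed to the
!     outside address, so clients appear with the institute's public IP.
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelall
same-security-traffic permit intra-interface
nat (outside,outside) source dynamic VPN_POOL_NET interface

! Bind pool and policy to the AnyConnect tunnel-group
tunnel-group ANYCONNECT_TG general-attributes
 address-pool ANYCONNECT_POOL
 default-group-policy ANYCONNECT_GP

! On the core switch (IOS), the pool must route back to the ASA inside interface
! (a default route to 172.20.0.2, as in the thread, also covers this):
!   ip route 10.10.10.0 255.255.255.0 172.20.0.2
```

Scope the exemption and the split-tunnel ACL to the networks the clients actually need rather than any/any, and verify with "show nat" and "packet-tracer" that a client-to-proxy packet hits the exemption and a client-to-Internet packet hits the (outside,outside) PAT.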

OK Jennifer, I'll try doing the "non-proxy" configuration; the "with proxy" one already worked!

Thanks a lot,


Hello Jennifer,

Turns out you were right. I added a dynamic NAT source VPNPOOL on the outside interface and everything works! Inside, DMZ and outside connectivity.

Thank you Jennifer

Cheers,

Paulo

Can you write the command for enabling dynamic NAT please?