cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1896
Views
0
Helpful
8
Replies

Cannot reach VPN clients from inside Hosts

Michael Grann
Level 1
Level 1

Hello,

I'm hoping someone can point out what I'm missing with this config. I am able to reach VPN clients (Anyconnect) only from hosts directly connected to the ASA's inside interface subnet. However, hosts on other internal subnets (177.1.10.0 & 177.1.11.0) are unable to connect to clients on VPN. The ASA is running ver 8.4.

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 1.2.3.4 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 4.3.2.2 255.255.255.128

!

object network NETWORK_OBJ_10.11.10.0_24

subnet 10.11.10.0 255.255.255.0

ip local pool usjabber_pool 10.11.10.10-10.11.10.210 mask 255.255.255.0

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.10.0_24 NETWORK_OBJ_10.11.10.0_24 no-proxy-arp route-lookup

!

nat (inside,outside) after-auto source dynamic any interface

route outside 0.0.0.0 0.0.0.0 1.2.3.1 1

route inside 177.1.10.0 255.255.255.0 4.3.2.1 1

route inside 177.1.11.0 255.255.255.0 4.3.2.1 1

dynamic-access-policy-record DfltAccessPolicy

!

TIA,

Mike

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

1) If you have split tunnel policy, does it include those networks?

2) Do those network have route back towards the AnyConnect pool (10.11.10.0/24) pointing back towards the ASA inside interface?

The posted config looks ok to me.

View solution in original post

8 Replies 8

Jennifer Halim
Cisco Employee
Cisco Employee

1) If you have split tunnel policy, does it include those networks?

2) Do those network have route back towards the AnyConnect pool (10.11.10.0/24) pointing back towards the ASA inside interface?

The posted config looks ok to me.

1. No split tunnel policy.

2. The routes are in place. The inside NIC of the ASA is directly connected to a L3 switch configured to point to the ASA inside IP as the next hop to 10.11.10.0/24.

I don't know if I need to specify an incoming ACL on the inside interface; I thought that by default the ASA should allow this coming from security level 100. I even removed any ACL but didn't make any difference. I also tried removing the "no proxy-arp" under the "nat" line but also didn't make any difference.

I feel that this has something to do with defining the internal subnets somewhere on the ASA because I already confirmed reachability towards 10.11.10.0/24 from the directly connected subnet. I just don't know if this is correct or where to add these subnets.

-MG

Do you have vpn filter define as well?

You do not have to define any internal subnets on the ASA, as long as you have a route towards those subnets, routing correctly via the inside interface, you already covered all the config on the ASA.

Where is these 2 internal subnets (177.1.10.0 & 177.1.11.0), is it directly connected to that L3 switch where the ASA inside interface is connected? Can you share topology diagram?

Yes, these are directly connected to the L3 switch as SVI's.

ASA-------Cat3560---SVI's: 177.1.10.0/24 & 177.1.10.11.0/24

If I do an extended ping sourcing these subnets, I cannot reach the 10.11.10.0/24. I can only reach up to the ASA's inside interface. The port the ASA is connected to on the switch is defined as a routed interface. On the ASA logs, I can see traffic FROM (as well as TO) these networks.

Packet captures on the VPN client show that these subnets don't reach the client at all.

MG

Sorry, I forgot to reply to your first question - no, I don't think I have any VPN filter defined. It's basically a clean ASA with only the Startup and VPN wizards producing the above configuration. I don't recall any part of the wizard where I was asked to define a filter, unless I missed it. This is all that's defined for the VPN portion:

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy GroupPolicy_usjabber internal

group-policy GroupPolicy_usjabber attributes

wins-server none

dns-server value 7.8.9.10

vpn-tunnel-protocol ssl-client

default-domain value test.local

username bill password JA36vKLZ8S2SqI2x encrypted
tunnel-group usjabber type remote-access
tunnel-group usjabber general-attributes

address-pool usjabber_pool

default-group-policy GroupPolicy_usjabber

tunnel-group usjabber webvpn-attributes

group-alias usjabber enable

!

If you change this line:

FROM:

nat (inside,outside) source static any any destination static  NETWORK_OBJ_10.11.10.0_24 NETWORK_OBJ_10.11.10.0_24 no-proxy-arp  route-lookup

TO:

nat (inside,outside) source static any any destination static  NETWORK_OBJ_10.11.10.0_24 NETWORK_OBJ_10.11.10.0_24

Then "clear xlate"

Does it work?

Sorry for the late reply. I finally proved that base config of SSLVPN Wizard by default allows me to access the remote clients from the LAN. The issue was a routing/switching config on the next-hop L3 switch. I wasn't sure at first if the cause of one-way VoIP audio between the VPN Clients and LAN was due to the ASA.

I did try removing the no-proxy-arp route-lookup without any difference in the traffic behaviour.

Thanks for the help.

MG