06-05-2012 10:19 AM
Having a problem pinging across a site-to-site. Any ideas would be appreciated.
Anyconnect Client ---- ASA5505 ---- Internet(ipsec tunnel) ---- ASA5510 ---- LAN
Directly connected ---^
From a client PC with AnyConnect I can ping ASA5505, ASA5510, Servers & Clients on the remote LAN. So the tunnel is working and passing traffic.
From a client PC connected directly to the ASA5505 I can ping ASA5505, ASA5510, Servers & Clients on the remote LAN.
From the ASA5505 I can only ping locally attached devices. I cannot ping AnyConnect clients or anything through the tunnel.
From the ASA5510 I can only ping devices on the LAN.
From a PC on the LAN I can ping devices connected directly and via AnyConnect to the ASA5505. Again showing the tunnel works.
Removing "access-list outside_access_in extended deny icmp any any" on the ASA5510 does not fix the problem
ASA5505 ACL
access-list inside_out_outside extended permit ip any any
access-list outside_in_inside extended permit icmp any any
access-list CORVID-Split-Tunnel standard permit 10.100.0.0 255.255.0.0
access-list CORVID-Split-Tunnel standard permit 10.10.0.0 255.255.0.0
access-list INSIDE_NAT0_OUTBOUND extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
access-list INSIDE_NAT0_OUTBOUND extended permit ip any 10.100.0.0 255.255.0.0
access-list OUTSIDE_1_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
ASA5510 ACL
access-list nonat extended permit ip any 10.10.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list nonat extended permit ip 10.100.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq smtp
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq https
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host SonomaBullsEye eq https inactive
access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq https
access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq https
access-list outside_access_in remark HTTP for TeamWeb
access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq www
access-list outside_access_in remark HTTPS for TeamWeb
access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq https
access-list outside_access_in extended permit icmp host 10.100.0.1 any
access-list outside_access_in extended deny icmp any any
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq smtp
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host Sonoma eq https inactive
access-list outside_access_in_1 extended permit tcp any host PMEUPDATE-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq ssh inactive
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq https
access-list outside_access_in_1 remark FTPS
access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT object-group DM_INLINE_TCP_1
access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT range 60200 60400
access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host OSCODA-EXT-OUT object-group SQLTEST_TCP inactive
access-list outside_access_in_1 extended permit udp any host OSCODA-EXT-OUT object-group SQLTEST inactive
access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq https
access-list outside_access_in_1 extended deny icmp any any
access-list inside_access_out extended permit ip any any log
06-06-2012 01:00 PM
I ended up getting this working. Inside of DefaultWEBVPNGroup I changed:
default-group-policy DfltGrpPolicy
to
default-group-policy CORVID-WC-SSL
ping also works if I type "ping inside 10.10.1.1" rather than "ping 10.10.1.1".
I am sure I still have something wrong. AnyConnect clients go to DefaultWEBVPNGroup rather than CORVID-WC-SSL to get an IP. If I do not add the address-pool to DefaultWEBVPNGroup then I do not get an IP.
This does not work:
tunnel-group CORVID-WC-SSL general-attributes
address-pool CORVID-WC-VPNPOOL
authentication-server-group PMERADIUS
default-group-policy CORVID-WC-SSL
This works:
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool CORVID-WC-VPNPOOL
authentication-server-group PMERADIUS
default-group-policy CORVID-WC-SSL
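The "ping inside" observation above comes down to which source address the ASA picks: a ping with no interface keyword is sourced from the egress (outside) interface address, which is not covered by the crypto ACL, so it never enters the tunnel; sourced from the inside interface it matches. The following checker is an added example (not the poster's or Cisco's code) that evaluates the thread's own ACL lines with first-match semantics; it assumes NH-LAN resolves to 10.10.0.0/16, that 10.100.0.1 is the ASA5505 inside address (the ASA5510 ACL permits icmp from that host), and uses 203.0.113.5 as a constructed outside address.

```python
import ipaddress

# Assumed object resolution: NH-LAN is taken to be the remote 10.10.0.0/16 LAN
# (the ASA5510 nonat ACL mirrors 10.100.0.0/16 <-> 10.10.0.0/16).
OBJECTS = {"NH-LAN": "10.10.0.0"}

# Crypto ACL copied from the ASA5505 configuration in the thread.
OUTSIDE_1_CRYPTO = [
    "access-list OUTSIDE_1_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0",
]

# The two icmp entries from the ASA5510 outside_access_in ACL, in their original order.
OUTSIDE_ACCESS_IN_ICMP = [
    "access-list outside_access_in extended permit icmp host 10.100.0.1 any",
    "access-list outside_access_in extended deny icmp any any",
]

def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host X | NET MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        host = OBJECTS.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(f"{host}/32"), i + 2
    net = OBJECTS.get(tok, tok)
    mask = tokens[i + 1]  # ASA ACLs use subnet masks, not wildcard masks
    return ipaddress.ip_network(f"{net}/{mask}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [ports]' into a dict."""
    t = line.split()
    src, i = _parse_addr(t, 5)
    dst, _ = _parse_addr(t, i)  # any trailing port tokens are ignored here
    return {"action": t[3], "proto": t[4], "src": src, "dst": dst}

def acl_permits(acl, src_ip, dst_ip, proto="ip"):
    """First-match evaluation; an ACE with proto 'ip' matches every protocol.
    Returns False on the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if s in ace["src"] and d in ace["dst"]:
            return ace["action"] == "permit"
    return False

if __name__ == "__main__":
    # Ping sourced from the outside interface: not interesting traffic, leaves in the clear.
    print("outside-sourced:", acl_permits(OUTSIDE_1_CRYPTO, "203.0.113.5", "10.10.1.1", "icmp"))
    # Ping sourced from the inside interface: matches the crypto ACL, goes through the tunnel.
    print("inside-sourced: ", acl_permits(OUTSIDE_1_CRYPTO, "10.100.0.1", "10.10.1.1", "icmp"))
```

The same checker run over the ASA5510 icmp entries shows why removing the final deny changes nothing for tunnelled pings from 10.100.0.1: the earlier permit already matches them.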
06-07-2012 08:08 AM
Hi there,
ip pool is missing on "CORVID-WC-SSL"
group-policy CORVID-WC-SSL attributes
address-pools value ?
Let me know if this helps.
thanks