2912 Views, 0 Helpful, 9 Replies

Remote access VPN session can't talk to inside interface

aguy
Level 1

Hi there. Sorry, this is yet another "I can't talk to the inside interface" post, but I'm stuck. My issue is with talking to traffic behind the inside interface once VPNed into a test ASAv running 9.6(2)1. I've tried some of the suggestions in other threads like:

- https://www.fir3net.com/Firewalls/Cisco/cisco-asa-83-no-nat-nat-exemption.html (tried using the post 8.3 commands but nothing)

- https://supportforums.cisco.com/discussion/13229451/cisco-asa-remote-ipsec-vpn (pre 8.3 so doesn't apply)

- https://supportforums.cisco.com/discussion/13229666/i-cannot-ping-anyconnect-client-i-can-ping-inside-network (can't get it to work)

- etc.

but I still can't get it working and I'm getting frustrated. I can talk to the internal networks from the ASA itself, e.g. asa# ping inside 10.1.1.1, no problem. I can only ping the management and outside interface static IPs (10.100.192.60, 10.100.194.60) from the VPN. When I do a packet trace from a VPN client perspective I get:

packet-tracer input outside icmp 192.168.50.1 0 8 10.100.32.54 xml

-> result: type vpn, subtype ipsec-tunnel-flow, action drop; info (acl-drop) Flow is denied by configured rule

Does anyone have a step-by-step explanation of how to configure this properly? I'm still getting familiar with how NATting/ACLs/crypto maps are applied in ASA land. I've rolled back all my experimental changes so the NATs and ACLs are blank.

Thanks,

Config attached.

9 Replies

Francesco Molino
VIP Alumni