Unable to access "inside" LAN from AnyConnect VPN

Charger1129 (Level 1)

Hi. I'm having some trouble with my VPN connection where I can connect to it fine, and get internet access, but I cannot access the internal LAN. Does anyone have any thoughts on what I can check to resolve that? 

6 Replies

Hi,

When you say you can access the internet but not internal LAN resources, I believe you've configured split-tunnel. The most common issue could be because of a NAT-exemption statement being missed. Ensure that you've configured NAT-exemption with source as the inside LAN subnets and destination as the AnyConnect VPN pool. You can confirm the same by running the packet-tracer command. Please get the following output, the split-acl configuration, the AnyConnect VPN pool and the subnet you're trying to access so that I can have a look into it.

packet-tracer input inside icmp <Internal_host_ip_address> 8 0 <Anyconnect_assigned_ip_address> detail

Internal_host_ip_address -> The internal host (desktop) which you are trying to access

Anyconnect_assigned_ip_address -> IP address assigned to the client machine once connected to VPN. This must be from the VPN pool configured

HTH,

Kannan

I believe that the suggestion about NAT exemption is very good. If that does not turn out to be the issue then I have a couple of other suggestions.

- with the VPN session established look into the information from the AnyConnect and look into the route details tab and be sure that these LAN addresses show up as secured routes.

- verify that the devices in the LAN that you can not reach have a route to the addresses in the VPN pool.

HTH

Rick

Hi Rick,

Looks like I only have the following for the routes which could be my issue:

Non-Secured Routes

  • (0.0.0.0/0)

Secured Routes

  • (10.31.90.0/24)

The 10.31.90.0 is my VPN network. The network I am trying to reach is 10.31.20.0.

Yes, that would be an issue and would explain the symptom that you are having. You need to make sure that your configuration for split tunnel also includes your inside addresses.

HTH

Rick

Figured it out now, had my ACL statements and NAT backwards by listing the VPN subnet as the source when really it should have been the destination.

Incorrect:

access-list SPLIT_TUNNEL extended permit ip object NETWORK_OBJ_10.31.90.0_24 object NETWORK_OBJ_10.31.20.0_24  

nat (inside,outside) source static NETWORK_OBJ_10.31.90.0_24 NETWORK_OBJ_10.31.90.0_24 destination static NETWORK_OBJ_10.31.20.0_24 NETWORK_OBJ_10.31.20.0_24 no-proxy-arp route-lookup

Correct:

access-list SPLIT_TUNNEL extended permit ip object NETWORK_OBJ_10.31.20.0_24 object NETWORK_OBJ_10.31.90.0_24  

nat (inside,outside) source static NETWORK_OBJ_10.31.20.0_24 NETWORK_OBJ_10.31.20.0_24 destination static NETWORK_OBJ_10.31.90.0_24 NETWORK_OBJ_10.31.90.0_24 no-proxy-arp route-lookup
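As an added example (not code from the thread or from Cisco), the checker below reads ASA-style configuration lines and reports the two things the replies above tell you to verify: which networks an extended split-tunnel ACL will push to the client as secured routes (the source of each ACE), and whether a twice-NAT identity statement exempts traffic from a given inside host to a given AnyConnect client address, which is the forward lookup the packet-tracer command from "inside" exercises. The configuration lines are constructed from the object names used in the thread; the parser is deliberately limited to `object network`/`subnet` definitions, `access-list ... extended permit ip object X object Y` entries and `nat (in,out) source static ... destination static ...` lines, and models only the inside-to-outside direction.

```python
"""Check an ASA split-tunnel ACL and NAT-exemption pair for AnyConnect.

Added example, not from the forum thread. Only the subset of ASA syntax
used in the thread is parsed; everything else is ignored.
"""
import ipaddress
import re


def parse_config(lines):
    """Collect network objects, split-tunnel ACEs and twice-NAT statements."""
    objects = {}   # object name -> IPv4Network
    aces = []      # (acl_name, src_object, dst_object)
    nats = []      # (real_src, mapped_src, real_dst, mapped_dst)
    current = None
    for raw in lines:
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m and current:
            # ipaddress accepts dotted netmasks, e.g. 10.31.20.0/255.255.255.0
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"access-list (\S+) extended permit ip object (\S+) object (\S+)$", line)
        if m:
            aces.append(m.groups())
            continue
        m = re.match(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) "
                     r"destination static (\S+) (\S+)", line)
        if m:
            nats.append(m.groups()[2:])
    return objects, aces, nats


def secured_routes(objects, aces, acl_name):
    """Networks an extended split-tunnel ACL sends to the client: the ACE sources.

    With the pool listed as the source (the thread's 'Incorrect' ACL) the only
    secured route is the pool itself, which is exactly what the poster saw.
    """
    return {objects[src] for name, src, _dst in aces if name == acl_name}


def nat_exempt(objects, nats, inside_host, client_ip):
    """True if an identity twice-NAT covers inside_host -> client_ip untranslated."""
    host = ipaddress.ip_address(inside_host)
    client = ipaddress.ip_address(client_ip)
    for real_src, mapped_src, real_dst, mapped_dst in nats:
        identity = real_src == mapped_src and real_dst == mapped_dst
        if identity and host in objects[real_src] and client in objects[real_dst]:
            return True
    return False


def check(config, acl_name, inside_host, client_ip):
    """Summarise both checks for one inside host and one VPN client address."""
    objects, aces, nats = parse_config(config)
    routes = secured_routes(objects, aces, acl_name)
    host = ipaddress.ip_address(inside_host)
    return {
        "secured_routes": sorted(str(r) for r in routes),
        "host_tunneled": any(host in r for r in routes),
        "nat_exempt": nat_exempt(objects, nats, inside_host, client_ip),
    }


# Constructed sample config using the object names from the thread.
OBJECTS = [
    "object network NETWORK_OBJ_10.31.20.0_24",
    " subnet 10.31.20.0 255.255.255.0",
    "object network NETWORK_OBJ_10.31.90.0_24",
    " subnet 10.31.90.0 255.255.255.0",
]
INCORRECT = OBJECTS + [
    "access-list SPLIT_TUNNEL extended permit ip object NETWORK_OBJ_10.31.90.0_24 object NETWORK_OBJ_10.31.20.0_24",
    "nat (inside,outside) source static NETWORK_OBJ_10.31.90.0_24 NETWORK_OBJ_10.31.90.0_24 "
    "destination static NETWORK_OBJ_10.31.20.0_24 NETWORK_OBJ_10.31.20.0_24 no-proxy-arp route-lookup",
]
CORRECT = OBJECTS + [
    "access-list SPLIT_TUNNEL extended permit ip object NETWORK_OBJ_10.31.20.0_24 object NETWORK_OBJ_10.31.90.0_24",
    "nat (inside,outside) source static NETWORK_OBJ_10.31.20.0_24 NETWORK_OBJ_10.31.20.0_24 "
    "destination static NETWORK_OBJ_10.31.90.0_24 NETWORK_OBJ_10.31.90.0_24 no-proxy-arp route-lookup",
]

if __name__ == "__main__":
    # Hypothetical inside host and client address drawn from the thread's subnets.
    for label, cfg in (("incorrect", INCORRECT), ("correct", CORRECT)):
        print(label, check(cfg, "SPLIT_TUNNEL", "10.31.20.5", "10.31.90.10"))
```

Running it shows the swapped ordering producing `secured_routes: ['10.31.90.0/24']` with both checks False, and the corrected lines producing `['10.31.20.0/24']` with both True, matching the Route Details and NAT-exemption symptoms discussed above.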

I am glad that my suggestion was helpful and did lead you to a solution. Thank you for posting back to the forum to explain just what was wrong and what you did to correct it. This will help other readers in the forum who may have a similar issue. And with VPN it does sometimes get difficult to sort out which address goes first and which goes second in the access list. Thank you for using the rating system to mark this question as answered.

HTH

Rick
