Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
312
Views
0
Helpful
2
Replies

Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

Jeffrey Baello
Level 1
Level 1

‎07-25-2014 06:48 PM - edited ‎02-21-2020 07:45 PM

Hi Guys,

I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.

Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.

 

For some odd reason, I am able to ping the following, with no issues.

  • Cisco 3750 SVI (192.168.1.3)
  • CentOS web server (connected directly to the Cisco ASA 5505)

 

I have checked and enable the following:

  • Nat Exemption
  • Sysopt connection permit-vpn
  • ACL's
  • same-security-traffic permit inter-interface
  • same-security-traffic permit intra-interface
  • Added ICMP in the inspection policy
  • Packet-capture - Only getting echo requests.

 

Thanks in advance!

Labels:
Preview file
11 KB
Preview file
213 KB
0 Helpful
2 Replies 2

nkarthikeyan
Level 7
Level 7

‎07-26-2014 11:39 PM

Hi,

 

I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work

 

object network acvpnpool

subnet <anyconnect VPN Subnet>

object network insidelan

subnet <inside lan subnet>

nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan

 

Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!

 

 

Regards

Karthik

0 Helpful

Jeffrey Baello
Level 1
Level 1
In response to nkarthikeyan

‎07-30-2014 05:03 PM

Thanks for the help, the issue on most of the host behind the Cisco 3750 is it's pointed to the wrong SVI Gateway :P lol this is what happens when I rushed re-building my Data Center in the garage.

I'm not extending some of the VLAN SVI on the inside network hosted in the Cisco 3750 to be reachable in the Anyconnect tunnel, the fun never stops. :D

0 Helpful
Customers Also Viewed These Support Documents