Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
838
Views
0
Helpful
6
Replies

vpn anyconnect can't ping interface vlan (split tunnel)

leo.gunadi1
Level 1
Level 1

‎08-29-2020 02:01 PM

from user vpn (split tunnel) can't ping device interface vlan, please need advice. thanks

 

 

interface Redundant1.208
description testpingvpn
vlan 208
nameif inside_testpingvpn
security-level 75
ip address 10.71.8.1 255.255.255.0 standby 10.71.8.2
!

 

access-list split-tunnel standard permit 10.72.161.0 255.255.255.0

 

webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.1.04011-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_Mgmt internal
group-policy GroupPolicy_Mgmt attributes
wins-server none
dns-server none
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain none
address-pools value VPN-Pool

 

access-list inside_testpingvpn_access_in extended permit ip any anyvpn2.png

 

 

 

Labels:
0 Helpful
6 Replies 6

Rob Ingram
VIP
VIP

‎08-29-2020 02:25 PM

Hi,

You don't have the 10.71.8.0/24 network as part of your split-tunnel ACL

 

access-list split-tunnel standard permit 10.71.8.0 255.255.255.0

 

If you wanted to ping the ASAs internal interface over the VPN you would need the following command

 

management-access <interface-name>

HTH

0 Helpful

leo.gunadi1
Level 1
Level 1

‎08-30-2020 02:50 PM

hai,

 

sorry, i mean

access-list split-tunnel standard permit 10.71.8.0 255.255.255.0, no access-list split-tunnel standard permit 10.72.161.0 255.255.255.0

 

left is ip add user vpn 172.16.10.61 and right is ping interface vlan 208

image.png

 

but if ping from switch to gateway (ASA) reply

switch access>ping 10.71.8.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.71.8.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms

0 Helpful

Rob Ingram
VIP
VIP

‎08-31-2020 03:04 AM

Have you configured a NAT exemption rule to ensure the traffic is not unintentially natted?

0 Helpful

leo.gunadi1
Level 1
Level 1
In response to Rob Ingram

‎08-31-2020 12:38 PM

image.png

 

do you mean that? thanks

0 Helpful

Rob Ingram
VIP
VIP

‎08-31-2020 12:49 PM

No

Example: nat (INSIDE,OUTSIDE) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp

0 Helpful

leo.gunadi1
Level 1
Level 1

‎09-01-2020 04:42 PM

nat (any,outside) source static any any destination static VPN_ADMIN VPN_ADMIN no-proxy-arp route-lookup

 

object network VPN_ADMIN
range 172.16.10.2 172.16.10.100

 

i create new test

 

outside (vpn - 172.16.10.64) - ASA - Core - Switch (interface vlan 151-10.72.151.249 and interface vlan 161-10.72.161.22)

* note : 1 switch 2 ip management

 

ping from user vpn to 10.72.151.249 - OK

ping from user vpn to 10.72.161.22 - NG

 

file vpn.docx result test ping from tool asdm, please review my result. thanks

Preview file
540 KB
0 Helpful
Customers Also Viewed These Support Documents