Once connected to Cisco AnyConnect I can't ping anything on the network

Posted on 2011-03-09
Last Modified: 2012-05-11
I can connect to AnyConnect just fine, but once connected, I cannot ping anything on the network.  I'm pretty sure split tunneling is configured correctly.  Any ideas?  Thanks.
Question by:denver218
7 Comments
Accepted Solution

by: tgtran
ID: 35085139
Do you have this command in your Cisco VPN device to allow ICMP?
access-list <access-list name> extended permit icmp any any

Assisted Solution

by: joelvp
ID: 35085248
Can be several things, depending on your configuration. Pasting your config would help to find out.
Some checks though:
- On the anyconnect client you can see if split tunnelling is really in effect.
- You can check the byte RX and TX count in either asdm or by the command:
show vpn-sessiondb svc
- are you allowing vpn connections by default, superseding any access-lists:
sh run all sysopt
check if the sysopt connection permit-vpn is there
- are nat exempts in place?

Assisted Solution

by: Istvan Kalmar
ID: 35085411
Please show the config
Author Closing Comment

by:denver218
ID: 35108015
For some reason, I created another DHCP pool and it started working.  All is working now.  Thanks.

Expert Comment

by:gilley001
ID: 35228336
I had the same problem; pulled my hair out double and triple checking config.  I had Anyconnect vpn client connecting to cisco router webvpn ok, but could only ping the webvpn ip address from client side and client assigned address from cisco router side; could not ping anything else on inside network.  

Turns out I had the dhcp pool for the vpn clients in the same subnet as my ethernet interface fe0/1 192.168.1.1/24 (client dhcp pool 192.168.1.150 - 192.168.1.155). For some reason this won't route correctly.  I changed client dhcp pool to 192.168.250.1 - 192.168.250.50 and all is working great now.

Expert Comment

by:anttiva
ID: 35705019
I would like to see the config too for reference. Having the same problem.

Author Comment

by:denver218
ID: 35705793
Hey guys here's my working config.  Like gilley001 said I had to create a dhcp pool on a different subnet.  Below are the configurations:

ASA Version 8.2(2)
!
hostname ASA5510
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.67 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.19.16.1 255.255.252.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone est -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name lvbh.org
object-group network DM_INLINE_NETWORK_1
 network-object 10.0.0.0 255.255.240.0
 network-object 10.0.32.0 255.255.240.0
 network-object 172.31.252.0 255.255.252.0
access-list outside_cryptomap extended permit ip 172.19.16.0 255.255.252.0 object-group DM_INLINE_NETWORK_1
access-list nonat extended permit ip 172.19.16.0 255.255.252.0 172.31.252.0 255.255.252.0
access-list nonat extended permit ip 172.19.16.0 255.255.252.0 10.0.0.0 255.255.240.0
access-list nonat extended permit ip 172.19.16.0 255.255.252.0 10.0.32.0 255.255.240.0
access-list nonat extended permit ip 172.19.16.0 255.255.252.0 172.19.17.0 255.255.255.0
access-list nonat extended permit ip 172.19.16.0 255.255.252.0 192.168.77.0 255.255.255.0
access-list 100 remark IT DEPT PC Anywhere Access
access-list 100 extended permit tcp x.x.x.128 255.255.255.192 any eq pcanywhere-data
access-list 100 remark IT DEPTs PC Anywhere Access
access-list 100 extended permit udp x.x.x.128 255.255.255.192 any eq pcanywhere-status
access-list 100 remark WWW Access to Care Tracker
access-list 100 extended permit tcp any host x.x.x.70 eq www
access-list 100 remark SMTP Access to Astaro Security Gateway
access-list 100 extended permit tcp any host x.x.x.72 eq smtp
access-list 100 remark Astaro Technical Support
access-list 100 extended permit tcp host x.x.231.66 host x.x.x.72 eq ssh
access-list 100 remark Astaro Technical Support
access-list 100 extended permit tcp host x.x.231.66 host x.x.x.72 eq 4444
access-list 100 remark ICMP
access-list 100 extended permit icmp any any
access-list 100 remark OWA/Active Sync
access-list 100 extended permit tcp any host x.x.x.68 eq www
access-list 100 remark OWA/ActiveSync for Exchange 2003
access-list 100 extended permit tcp any host x.x.x.68 eq 7500
access-list inside_access_in remark access inside
access-list inside_access_in extended permit ip any any
access-list split-tunnel standard permit 172.19.16.0 255.255.252.0
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip local pool newvpn 192.168.77.1-192.168.77.20
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.68 172.19.16.40 netmask 255.255.255.255
static (inside,outside) x.x.x.70 172.19.16.42 netmask 255.255.255.255
static (inside,outside) x.x.x.72 172.19.16.44 netmask 255.255.255.255
static (inside,outside) x.x.x.71 172.19.16.43 netmask 255.255.255.255
access-group 100 in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.66 10
route inside 192.168.1.0 255.255.255.0 172.19.16.10 1
route inside x.x.x.0 255.255.255.0 172.19.16.2 1
route inside x.x.x.0 255.255.255.0 172.19.16.2 1
route inside x.x.x.0 255.255.255.0 172.16.16.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer x.x.x.135
crypto map outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.255.240.0 inside
telnet 172.19.16.0 255.255.252.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
 svc image disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy clientgroup internal
group-policy clientgroup attributes
 dns-server value 172.19.16.40
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 webvpn
  svc keep-installer installed
  svc rekey method ssl
  svc ask none default svc
username Remoteuser1 password fACU5JyPT3rejR/3 encrypted
username Remoteuser2 password GKv1147IFRfgJ2CI encrypted
username Remoteuser3 password jSLASOGInnn5Ae/a encrypted
username admin password 3USUcOPFUiMCO4Jk encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool AnyConnect_DHCP_Pool
 default-group-policy clientgroup
tunnel-group x.x.x.135 type ipsec-l2l
tunnel-group x.x.x.135 ipsec-attributes
 pre-shared-key *****
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool newvpn
 default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
 group-alias sslgroup_users enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f71c5b67b12c90a82ee3f27cfe6f7269
: end
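The thread boils down to a short checklist: joelvp's points (is sysopt connection permit-vpn still on, is a NAT exemption in place for the client pool, does the split-tunnel list cover the LAN) plus gilley001's and denver218's finding that a client pool carved out of the inside interface's own subnet will not route. The script below is an added example, not code from the thread; it runs those checks statically against a running-config in the 8.2 syntax shown above. The two sample configs are constructed excerpts: the "good" one mirrors the posted working config (pool 192.168.77.0/24 off the 172.19.16.0/22 LAN, nonat entry for it), the "bad" one deliberately reproduces gilley001's mistake, drops the NAT exemption and turns the sysopt bypass off. Only the handful of keywords the checks need are parsed; object-group and host-form ACL entries are ignored.

```python
"""Static checks for the AnyConnect troubleshooting points raised in this
thread, run against an ASA 8.x running-config (added example, not code from
the original post).  Only the config keywords the checks need are parsed."""
import ipaddress
import re

IFACE_RE = re.compile(r"^interface\s+\S+")
NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)")
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)-(\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list\s+(\S+)")
ACL_EXT_RE = re.compile(r"^access-list\s+(\S+)\s+extended permit ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
ACL_STD_RE = re.compile(r"^access-list\s+(\S+)\s+standard permit\s+(\S+)\s+(\S+)")
SPLIT_RE = re.compile(r"^\s+split-tunnel-network-list value\s+(\S+)")

# Constructed sample: gilley001's failure case (pool inside the LAN subnet),
# no NAT exemption for the pool, and the sysopt VPN bypass explicitly disabled.
SAMPLE_BAD = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.19.16.1 255.255.252.0
access-list nonat extended permit ip 172.19.16.0 255.255.252.0 172.31.252.0 255.255.252.0
access-list split-tunnel standard permit 172.19.16.0 255.255.252.0
ip local pool newvpn 172.19.18.1-172.19.18.20
nat (inside) 0 access-list nonat
no sysopt connection permit-vpn
group-policy clientgroup attributes
 split-tunnel-network-list value split-tunnel
"""

# Constructed sample modelled on the posted working config.
SAMPLE_GOOD = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.19.16.1 255.255.252.0
access-list nonat extended permit ip 172.19.16.0 255.255.252.0 192.168.77.0 255.255.255.0
access-list split-tunnel standard permit 172.19.16.0 255.255.252.0
ip local pool newvpn 192.168.77.1-192.168.77.20
nat (inside) 0 access-list nonat
group-policy clientgroup attributes
 split-tunnel-network-list value split-tunnel
"""


def net(addr, mask):
    """'172.19.16.0 255.255.252.0' -> IPv4Network('172.19.16.0/22')."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    cfg = {"ifaces": {}, "pools": {}, "nat0": {}, "ext": {}, "std": {},
           "split_lists": set(), "sysopt_off": False}
    nameif = None
    for line in config.splitlines():
        if IFACE_RE.match(line):
            nameif = None                                   # new interface block
        elif m := NAMEIF_RE.match(line):
            nameif = m[1]
        elif (m := IPADDR_RE.match(line)) and nameif:
            cfg["ifaces"][nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := POOL_RE.match(line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m[1]] = m[2]                        # nameif -> nat-exempt ACL
        elif m := ACL_EXT_RE.match(line):
            cfg["ext"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := ACL_STD_RE.match(line):
            cfg["std"].setdefault(m[1], []).append(net(m[2], m[3]))
        elif m := SPLIT_RE.match(line):
            cfg["split_lists"].add(m[1])
        elif line.strip() == "no sysopt connection permit-vpn":
            # The bypass is on by default and only shows in 'show run all sysopt';
            # the explicit 'no' form is what turns it off.
            cfg["sysopt_off"] = True
    return cfg


def check(config, vpn_if="inside"):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    cfg = parse(config)
    findings = []
    iface = cfg["ifaces"].get(vpn_if)
    if iface is None:
        return [f"no interface with nameif {vpn_if}"]
    lan = iface.network
    for name, (start, end) in cfg["pools"].items():
        # gilley001's case: client pool taken from the LAN subnet itself
        if start in lan or end in lan:
            findings.append(f"pool {name} {start}-{end} overlaps {vpn_if} subnet {lan}")
        # joelvp's NAT-exemption check: nat (inside) 0 ACL must cover LAN -> pool
        exempt = cfg["ext"].get(cfg["nat0"].get(vpn_if), [])
        if not any(src.overlaps(lan) and start in dst and end in dst for src, dst in exempt):
            findings.append(f"no NAT exemption from {lan} to pool {name}")
    if cfg["sysopt_off"]:
        findings.append("sysopt connection permit-vpn is off: VPN traffic hits the interface ACL")
    for acl in cfg["split_lists"]:
        if not any(n.overlaps(lan) for n in cfg["std"].get(acl, [])):
            findings.append(f"split-tunnel list {acl} does not include {lan}")
    return findings


if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, check(sample) or "ok")
```

Feed it the output of `show run` (or `show run all` if you want the sysopt line to be visible either way); with `sysopt connection permit-vpn` on, tgtran's `permit icmp any any` entry in the outside ACL is not what decides whether the pings get through, which is why the script reports the sysopt state rather than the ACL.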
