Solved

Once connected to Cisco AnyConnect I can't ping anything on the network

Posted on 2011-03-09
Last Modified: 2012-05-11
I can connect to AnyConnect just fine, but once connected, I cannot ping anything on the network. I'm pretty sure split tunneling is configured correctly. Any ideas? Thanks.
Question by:denver218
7 Comments

Accepted Solution

by: tgtran earned 167 total points
ID: 35085139
Do you have this command in your Cisco VPN device to allow ICMP?
access-list <access-list name> extended permit icmp any any

Assisted Solution

by: joelvp earned 167 total points
ID: 35085248
Can be several things, depending on your configuration. Pasting your config would help to find out.
Some checks though:
- On the AnyConnect client you can see if split tunnelling is really in effect.
- You can check the byte RX and TX count either in ASDM or with the command:
show vpn-sessiondb svc
- Are you allowing VPN connections by default, superseding any access-lists? Run:
sh run all sysopt
and check if "sysopt connection permit-vpn" is there.
- Are NAT exemptions in place?

Assisted Solution

by: Istvan Kalmar earned 166 total points
ID: 35085411
Please show the config

Author Closing Comment

by: denver218
ID: 35108015
For some reason, I created another DHCP pool and it started working. All is working now. Thanks.
Expert Comment

by: gilley001
ID: 35228336
I had the same problem; pulled my hair out double and triple checking the config. I had the AnyConnect VPN client connecting to the Cisco router webvpn OK, but could only ping the webvpn IP address from the client side and the client-assigned address from the Cisco router side; could not ping anything else on the inside network.

Turns out I had the DHCP pool for the VPN clients in the same subnet as my Ethernet interface fe0/1 192.168.1.1/24 (client DHCP pool 192.168.1.150 - 192.168.1.155). For some reason this won't route correctly. I changed the client DHCP pool to 192.168.250.1 - 192.168.250.50 and all is working great now.
Expert Comment

by: anttiva
ID: 35705019
I would like to see the config too for reference. Having the same problem.

Author Comment

by: denver218
ID: 35705793
Hey guys, here's my working config. Like gilley001 said, I had to create a DHCP pool on a different subnet. Below are the configurations:

ASA Version 8.2(2)
!
hostname ASA5510
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.67 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.19.16.1 255.255.252.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone est -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name lvbh.org
object-group network DM_INLINE_NETWORK_1
 network-object 10.0.0.0 255.255.240.0
 network-object 10.0.32.0 255.255.240.0
 network-object 172.31.252.0 255.255.252.0
access-list outside_cryptomap extended permit ip 172.19.16.0 255.255.252.0 object-group DM_INLINE_NETWORK_1
access-list nonat extended permit ip 172.19.16.0 255.255.252.0 172.31.252.0 255.255.252.0
access-list nonat extended permit ip 172.19.16.0 255.255.252.0 10.0.0.0 255.255.240.0
access-list nonat extended permit ip 172.19.16.0 255.255.252.0 10.0.32.0 255.255.240.0
access-list nonat extended permit ip 172.19.16.0 255.255.252.0 172.19.17.0 255.255.255.0
access-list nonat extended permit ip 172.19.16.0 255.255.252.0 192.168.77.0 255.255.255.0
access-list 100 remark IT DEPT PC Anywhere Access
access-list 100 extended permit tcp x.x.x.128 255.255.255.192 any eq pcanywhere-data
access-list 100 remark IT DEPTs PC Anywhere Access
access-list 100 extended permit udp x.x.x.128 255.255.255.192 any eq pcanywhere-status
access-list 100 remark WWW Access to Care Tracker
access-list 100 extended permit tcp any host x.x.x.70 eq www
access-list 100 remark SMTP Access to Astaro Security Gateway
access-list 100 extended permit tcp any host x.x.x.72 eq smtp
access-list 100 remark Astaro Technical Support
access-list 100 extended permit tcp host x.x.231.66 host x.x.x.72 eq ssh
access-list 100 remark Astaro Technical Support
access-list 100 extended permit tcp host x.x.231.66 host x.x.x.72 eq 4444
access-list 100 remark ICMP
access-list 100 extended permit icmp any any
access-list 100 remark OWA/Active Sync
access-list 100 extended permit tcp any host x.x.x.68 eq www
access-list 100 remark OWA/ActiveSync for Exchange 2003
access-list 100 extended permit tcp any host x.x.x.68 eq 7500
access-list inside_access_in remark access inside
access-list inside_access_in extended permit ip any any
access-list split-tunnel standard permit 172.19.16.0 255.255.252.0
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip local pool newvpn 192.168.77.1-192.168.77.20
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.68 172.19.16.40 netmask 255.255.255.255
static (inside,outside) x.x.x.70 172.19.16.42 netmask 255.255.255.255
static (inside,outside) x.x.x.72 172.19.16.44 netmask 255.255.255.255
static (inside,outside) x.x.x.71 172.19.16.43 netmask 255.255.255.255
access-group 100 in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.66 10
route inside 192.168.1.0 255.255.255.0 172.19.16.10 1
route inside x.x.x.0 255.255.255.0 172.19.16.2 1
route inside x.x.x.0 255.255.255.0 172.19.16.2 1
route inside x.x.x.0 255.255.255.0 172.16.16.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer x.x.x.135
crypto map outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.255.240.0 inside
telnet 172.19.16.0 255.255.252.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
 svc image disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy clientgroup internal
group-policy clientgroup attributes
 dns-server value 172.19.16.40
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 webvpn
  svc keep-installer installed
  svc rekey method ssl
  svc ask none default svc
username Remoteuser1 password fACU5JyPT3rejR/3 encrypted
username Remoteuser2 password GKv1147IFRfgJ2CI encrypted
username Remoteuser3 password jSLASOGInnn5Ae/a encrypted
username admin password 3USUcOPFUiMCO4Jk encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool AnyConnect_DHCP_Pool
 default-group-policy clientgroup
tunnel-group x.x.x.135 type ipsec-l2l
tunnel-group x.x.x.135 ipsec-attributes
 pre-shared-key *****
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool newvpn
 default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
 group-alias sslgroup_users enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f71c5b67b12c90a82ee3f27cfe6f7269
: end