Cisco ASA AnyConnect Access Rule

Posted on 2011-03-17
Last Modified: 2012-06-21
I have a Cisco ASA 5510 that I can connect to using the AnyConenct VPN Client.

I am assigned an IP of

The outside interface of the ASA is

From I can ping the ASA outside interface. However, if I try and ping another host ( this fails. If I try and ping from to I get this error:

3      Mar 17 2011      20:43:06      106014              Deny inbound icmp src outside: dst outside: (type 8, code 0)

Should I "believe" that the IP assigned to me of is indeed on the outside interface? I have no physical interface, or VLAN that is assigned a 192.168.15.x address

Is this an access or a NAT issue?

Question by:xyznetworks
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 35

Expert Comment

by:Ernie Beek
ID: 35155206
you can safely believe that. the VPN is terminated on the outside interface so that's where it's origin is.
So you're trying to ping from another outside address? You are not trying to ping from the in to the outside?
If so, you could try to issue same-security-traffic permit intra-interface on the asa.

Author Comment

ID: 35155248
Yes, that is correct. My router sits outside, has an address on the same subnet as the outside interface of the ASA.

I will see if I can find where I add the command you suggested.


LVL 35

Accepted Solution

Ernie Beek earned 500 total points
ID: 35155275
Are you using the ASDM?

Device setup->interfaces->tick 'enable traffic between two or most hosts connected to the same interface'
Save the day with this special offer from ATEN!

Save 30% on the CV211 using promo code EXPERTS30 now through April 30th. The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.


Author Comment

ID: 35155288
I am using both ASDM and SSH .... I accessed via SSH, and in global conf mode simply added the command you suggested and I can now SSH to the router, ping to and from the router. Many thanks...this has worked.

Author Closing Comment

ID: 35155295
Quick response, easy to understand and apply. Thanks for assisting me with this.
LVL 35

Expert Comment

by:Ernie Beek
ID: 35155296
Great! Glad I could help :)
LVL 35

Expert Comment

by:Ernie Beek
ID: 35155300
And thx for the points.

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to choose hardware firewall 5 97
ASA Tunnel 18 54
Resource timeout across a VPN 9 68
Site to Site VPN DNS issue 6 37
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question