Solved

Cisco ASA AnyConnect Access Rule

Posted on 2011-03-17
7
831 Views
Last Modified: 2012-06-21
I have a Cisco ASA 5510 that I can connect to using the AnyConenct VPN Client.

I am assigned an IP of 192.168.15.2

The outside interface of the ASA is 192.168.10.7

From 192.168.15.2 I can ping the ASA outside interface. However, if I try and ping another host (192.168.10.1) this fails. If I try and ping from 192.168.1.1 to 192.168.15.2 I get this error:

3      Mar 17 2011      20:43:06      106014      192.168.10.1            192.168.15.2            Deny inbound icmp src outside:192.168.10.1 dst outside:192.168.15.2 (type 8, code 0)

Should I "believe" that the IP assigned to me of 192.168.15.2 is indeed on the outside interface? I have no physical interface, or VLAN that is assigned a 192.168.15.x address

Is this an access or a NAT issue?

Thanks
0
Comment
Question by:xyznetworks
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35155206
you can safely believe that. the VPN is terminated on the outside interface so that's where it's origin is.
So you're trying to ping from another outside address? You are not trying to ping from the in to the outside?
If so, you could try to issue same-security-traffic permit intra-interface on the asa.
0
 

Author Comment

by:xyznetworks
ID: 35155248
Yes, that is correct. My router sits outside, has an address on the same subnet as the outside interface of the ASA.

I will see if I can find where I add the command you suggested.

Thanks

Dean
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35155275
Are you using the ASDM?

Device setup->interfaces->tick 'enable traffic between two or most hosts connected to the same interface'
0
Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

 

Author Comment

by:xyznetworks
ID: 35155288
I am using both ASDM and SSH .... I accessed via SSH, and in global conf mode simply added the command you suggested and I can now SSH to the router, ping to and from the router. Many thanks...this has worked.
0
 

Author Closing Comment

by:xyznetworks
ID: 35155295
Quick response, easy to understand and apply. Thanks for assisting me with this.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35155296
Great! Glad I could help :)
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35155300
And thx for the points.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question