snowdog_2112
cisco asa5505 webvpn connects, can't access inside hosts
I can connect to the https://<public-ip> and get logged on via webvpn.
I get an address on the remote client from the webvpn pool. The ASA adds a static route for the remote webvpn user (this is similar to another ASA 5505 I have that is working). I can't ping in to inside hosts from the webvpn client, nor can I ping the remote client from an inside host.
Help??
You connect over an SSL VPN and use Secure Desktop?
Is the webvpn pool in the same subnet? Sounds like an ACL issue.
ASKER CERTIFIED SOLUTION
ASKER
it does sound like acl, but I can't figure out what. I've got another 5505 with similar config (near as I can tell) which works. There is a dedicated pool for vpn - my remote client gets an IP from the pool. I've got a split-tunnel policy and my route table on the remote client is the same between connecting to the two 5505's (one works, one does not). There is a site-to-site ipsec tunnel between the two 5505's as well.
The one difference I can see between the working unit and the non-working unit is the working unit has a route for the vpn pool which points to a 3650 switch - but the switch has no route or other configuration for the vpn pool, and the non-working unit does not have a similar switch on its inside network.
I have nat exceptions for addresses on the working asa (it has mirrored nat exceptions)
Here's what I can determine is relevant from the non-working config:
interface Vlan1
 ip address 10.20.1.1 255.255.255.0
ip local pool vpnp2 10.223.1.100-10.223.1.150
access-list NONAT extended permit ip 10.20.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list NONAT extended permit ip 10.233.1.0 255.255.255.0 10.222.1.0 255.255.255.0
access-list NONAT extended permit ip 10.223.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list split-tunnel standard permit 10.20.1.0 255.255.255.0
access-list split-tunnel standard permit 10.10.1.0 255.255.255.0
access-list split-tunnel standard permit 10.233.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 4
 svc image disk0:/anyconnect-wince-ARMv4I-2.4.1012-k9.pkg 5
 svc image disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 6
 svc enable
group-policy WebvpnGrp internal
group-policy WebvpnGrp attributes
 dns-server value 10.10.1.222
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 split-dns value mydomain.local
 webvpn
  url-list none
  svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
 dns-server value 10.10.1.222
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
username wvpn password *** encrypted
username wvpn attributes
 vpn-group-policy WebvpnGrp
ASKER
lrmoore - YOU'RE THE DUDE!!
Of course, now that I look at it, the working asa does in fact have that nat0 entry. I just absolutely and completely missed it - though I've looked at it a hundred times.
I had even considered that before banging my head on the keyboard, but completely overlooked it on that other asa, so I assumed I didn't need it.
THANK YOU THANK YOU!
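The text of the accepted answer is not included on this page, but the asker's closing note ("the working asa does in fact have that nat0 entry") together with the posted config points at what is missing: the NONAT list exempts the AnyConnect pool 10.223.1.0/24 toward the remote site 10.10.0.0/16, and exempts the local inside subnet 10.20.1.0/24 toward that same remote site, but there is no entry between the local inside subnet and the pool. With `nat (inside) 0 access-list NONAT` in pre-8.3 syntax, inside-to-pool traffic that misses the exemption list falls through to whatever regular nat/global rules exist, and replies to the VPN client never come back untranslated. The block below is an added example written for this page, not lrmoore's answer or the asker's config: it shows the posted exemption list beside the added line, plus the checks to run on the ASA. The packet-tracer source host 10.20.1.50 is assumed; every other address is taken from the posted config.

```cisco
! Posted NONAT list (from the non-working unit). Note that the pool
! 10.223.1.0/24 is only exempted toward 10.10.0.0/16, and the local
! inside subnet 10.20.1.0/24 is never paired with the pool at all.
access-list NONAT extended permit ip 10.20.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list NONAT extended permit ip 10.233.1.0 255.255.255.0 10.222.1.0 255.255.255.0
access-list NONAT extended permit ip 10.223.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Added line: identity NAT (exemption) between the inside subnet and the
! AnyConnect pool. nat 0 with an ACL is bidirectional, so this one entry
! covers both inside -> client and client -> inside traffic.
access-list NONAT extended permit ip 10.20.1.0 255.255.255.0 10.223.1.0 255.255.255.0

! Checks. 10.20.1.50 is an assumed inside host; 10.223.1.100 is the
! first address of the posted pool vpnp2. In the packet-tracer output,
! the NAT phase should show "NAT exempt" rather than a dynamic translation.
show running-config access-list NONAT
show running-config nat
packet-tracer input inside icmp 10.20.1.50 8 0 10.223.1.100 detailed
```

If the trace still fails after the exemption is added, the remaining candidates on this page are the ones already raised in the thread: the pool must be reachable from the inside (the ASA's per-client route covers that here) and the split-tunnel list must include the inside subnet, which the posted `split-tunnel` ACL already does for 10.20.1.0/24.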