Solved

cisco asa5505 webvpn connects, can't access inside hosts

Posted on 2011-03-19
Medium Priority
1,364 Views
Last Modified: 2012-05-11
I can connect to the https://<public-ip> and get logged on via webvpn.

I get an address on the remote client from the webvpn pool.  The asa adds a static route for the remote webvpn user (this is similar to another asa5505 I have that is working).  I can't ping in to inside hosts from the webvpn client, nor can I ping the remote client from an inside host.

Help??
Question by:snowdog_2112
5 Comments
 
LVL 13

Expert Comment

by:Felix Leven
ID: 35173004
you connect over a ssl vpn and use secure desktop?
LVL 4

Expert Comment

by:rjpilcher
ID: 35173645
Is the webvpn pool in the same subnet?  Sounds like an ACL issue.
LVL 79

Accepted Solution

by:lrmoore (earned 2000 total points)
ID: 35175654
Do you have a nat0 acl entry that will permit traffic from inside LAN to VPN host IP pool to bypass NAT?

Author Comment

by:snowdog_2112
ID: 35175706
It does sound like an ACL, but I can't figure out what.  I've got another 5505 with similar config (near as I can tell) which works.  There is a dedicated pool for vpn - my remote client gets an IP from the pool.  I've got a split-tunnel policy and my route table on the remote client is the same between connecting to the two 5505's (one works, one does not).  There is a site-to-site ipsec tunnel between the two 5505's as well.

The one difference I can see between the working unit and the non-working unit is the working unit has a route for the vpn pool which points to a 3650 switch - but the switch has no route or other configuration for the vpn pool, and the non-working unit does not have a similar switch on its inside network.

I have nat exceptions for addresses on the working asa (it has mirrored nat exceptions).

Here's what I can determine is relevant from the non-working config:

int vlan1
 ip address 10.20.1.1 255.255.255.0

ip local pool vpnp2 10.223.1.100-10.223.1.150

access-list NONAT extended permit ip 10.20.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list NONAT extended permit ip 10.233.1.0 255.255.255.0 10.222.1.0 255.255.255.0
access-list NONAT extended permit ip 10.223.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list split-tunnel standard permit 10.20.1.0 255.255.255.0
access-list split-tunnel standard permit 10.10.1.0 255.255.255.0
access-list split-tunnel standard permit 10.233.1.0 255.255.255.0

nat (inside) 0 access-list NONAT

webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 4
 svc image disk0:/anyconnect-wince-ARMv4I-2.4.1012-k9.pkg 5
 svc image disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 6
 svc enable
group-policy WebvpnGrp internal
group-policy WebvpnGrp attributes
 dns-server value 10.10.1.222
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 split-dns value mydomain.local
 webvpn
  url-list none
  svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
 dns-server value 10.10.1.222
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified


username wvpn password *** encrypted
username wvpn attributes
 vpn-group-policy WebvpnGrp
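The config posted above shows the gap lrmoore's answer points at: the NONAT ACL bound by "nat (inside) 0 access-list NONAT" exempts 10.20.1.0/24 to 10.10.0.0/16 and 10.223.1.0/24 to 10.10.0.0/16, but has no entry from the inside LAN (10.20.1.0/24) to the VPN pool (10.223.1.100-150), so inside-to-client traffic is NATed on the way out and neither side can ping the other. The script below is an added check, not code from the thread or from Cisco: it parses the pre-8.3 "nat (<if>) 0 access-list" pattern, lists inside-network/pool pairs that no NONAT entry covers, and confirms the gap closes once the exemption is added. The inline config sample is constructed from the lines posted above (the 10.233.1.0 entry is kept exactly as posted); the assumption that vlan1 is the inside interface matches an ASA 5505 default but is not stated in the thread.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the non-working ASA config from the thread.
SAMPLE_CONFIG = """\
int vlan1
 ip address 10.20.1.1 255.255.255.0
ip local pool vpnp2 10.223.1.100-10.223.1.150
access-list NONAT extended permit ip 10.20.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list NONAT extended permit ip 10.233.1.0 255.255.255.0 10.222.1.0 255.255.255.0
access-list NONAT extended permit ip 10.223.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
"""

# The exemption the accepted answer asks about: inside LAN -> VPN pool bypasses NAT.
FIX_LINE = ("access-list NONAT extended permit ip "
            "10.20.1.0 255.255.255.0 10.223.1.0 255.255.255.0")


def parse_inside_networks(config):
    """Networks from 'ip address A M' lines under an interface.
    Assumption: vlan1 is the inside interface (the ASA 5505 default)."""
    return [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(r"^\s+ip address (\S+) (\S+)", config, re.M)]


def parse_pools(config):
    """{pool name: (first address, last address)} from 'ip local pool' lines."""
    return {name: (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            for name, lo, hi in re.findall(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M)}


def parse_nat0_acl(config):
    """Name of the ACL bound by 'nat (<if>) 0 access-list <name>' and its
    (source, destination) network pairs. Only the 'permit ip A M B M' form is
    parsed; 'host'/'any' entries are skipped, which errs towards reporting a gap."""
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    if not m:
        return None, []
    acl = m.group(1)
    pat = re.compile(rf"^access-list {re.escape(acl)} extended permit ip "
                     r"(\S+) (\S+) (\S+) (\S+)", re.M)
    pairs = [(ipaddress.ip_network(f"{sa}/{sm}", strict=False),
              ipaddress.ip_network(f"{da}/{dm}", strict=False))
             for sa, sm, da, dm in pat.findall(config)]
    return acl, pairs


def pool_exempted(inside_net, pool, pairs):
    """True if one entry has inside_net inside its source and the whole pool inside its
    destination. A network is a contiguous range, so containing both ends of the pool
    means containing every address in it."""
    lo, hi = pool
    return any(inside_net.subnet_of(src) and lo in dst and hi in dst for src, dst in pairs)


def missing_exemptions(config):
    """[(inside network, pool name)] pairs the nat 0 ACL does not exempt. Traffic on
    such a pair is NATed outbound, so inside hosts and VPN clients cannot reach each other."""
    _, pairs = parse_nat0_acl(config)
    pools = parse_pools(config)
    return [(str(net), name)
            for net in parse_inside_networks(config)
            for name, rng in pools.items()
            if not pool_exempted(net, rng, pairs)]


def suggested_acl_lines(config, inside_net, pool_name):
    """Minimal ACL entries that exempt exactly the pool range. The thread's fix exempts
    the whole /24 instead, which is easier to read and equally valid."""
    acl, _ = parse_nat0_acl(config)
    net = ipaddress.ip_network(inside_net)
    lo, hi = parse_pools(config)[pool_name]
    return [f"access-list {acl} extended permit ip {net.network_address} {net.netmask} "
            f"{n.network_address} {n.netmask}"
            for n in ipaddress.summarize_address_range(lo, hi)]


if __name__ == "__main__":
    for net, pool in missing_exemptions(SAMPLE_CONFIG):
        print(f"no nat 0 exemption for {net} -> pool {pool}; add for example:")
        print("  " + FIX_LINE)
    print("after fix:", missing_exemptions(SAMPLE_CONFIG + FIX_LINE + "\n"))
```

Run it against a saved "show running-config" of a pre-8.3 ASA that uses the nat 0 access-list form; on 8.3 and later NAT is object-based and this parser does not apply. A pair reported as missing is the same symptom as in the question: the tunnel comes up and the client gets a pool address, but inside hosts and the client cannot reach each other.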
Author Closing Comment

by:snowdog_2112
ID: 35175716
lrmoore - YOU'RE THE DUDE!!

Of course, now that I look at it, the working asa does in fact have that nat0 entry.  I just absolutely and completely missed it - though I've looked at it a hundred times.

I had even considered that before banging my head on the keyboard, but completely overlooked it on that other asa, so I assumed I didn't need it.

THANK YOU THANK YOU!