Cisco ASA 5505 SSL vpn configuration

I am trying to configure a new ASA5505 with the base license for AnyConnect SSL VPN, and I am finally able to establish a connection, but I can't ping the ASA IP or any inside host. I did a similar configuration on a different model and it worked without any issue.
I have attached the config; the version on the ASA is 8.2(1). I also tried the same config on another similar model, a 5505 with base license and the same software version, and got the same error.

Thanks
test-ssl-config.txt

John Meggers, Network Architect

Commented:
You won't be able to ping the ASA inside IP, but you should be able to ping inside devices.  Your config looks right to me, and if the device is a 5505, my guess is you don't have another router inside, so devices probably have a default gateway pointing to the ASA.  (That's always a potential issue, whether the recipient of the pings knows where to send its response.)  Are you sure the device you're pinging on the inside will accept a ping?  Is there a personal firewall in operation that would block pings?  Can you ping that device from the ASA itself?

Author

Commented:
Yes, the ping should work from the VPN to the inside interface and also, as you mentioned, to the inside host. I tried this on an ASA5510 and it works. For the one I am testing on the ASA5505, I connected one PC in the inside network (IP 192.168.3.10, gateway is the ASA inside interface IP 192.168.3.1). From the inside PC I can ping the ASA's internal IP 192.168.3.1. When I try to connect from a PC on the outside network, I am able to establish AnyConnect but cannot ping the inside PC 192.168.3.10 or any other inside host. I can see the AnyConnect client gets the IP 172.16.0.1, and I am able to ping that IP only. Another strange thing I noticed: when I assign the vpnpool1 address to "tunnel-group AnyCnt general-attributes", I am not able to establish the tunnel. It gives a message that no IP address is assigned. When I remove the tunnel-group IP and assign it to "group-policy SSL_Grp attributes", it is able to establish the tunnel.
Head of IT Security Division
Top Expert 2010
Commented:
Hi,

At first look the config seems good. Did you reload the ASA?
This line is not needed:
access-list ssl_split_tunnel standard permit 172.16.0.0 255.255.0.0

Author

Commented:
I reloaded and it seems to be working fine.