David_Blumberg
asked on
Cisco ASA 5506W VPN Clients not seeing local network
VPN Client connects and gets proper IP address, but cannot ping local servers or access local resources
Cisco AnyConnect Secure Mobility Client 4.2.01035
(Wed Feb 03 06:28:51 2016)
Connection Information
State: Connected
Tunnel Mode (IPv4): Split Exclude
Tunnel Mode (IPv6): Drop All Traffic
Duration: 00:05:04
Address Information
Client (IPv4): 192.168.1.101
Client (IPv6): Not Available
Server: x.x.x.x
Client Management
Administrative Domain: Undefined
Profile Name: xxx.xml
Feature Configuration
Trusted Network Detection: Disabled
Route Details
Non-Secured Routes (IPv4)
192.168.0.0/24
Secured Routes (IPv4)
0.0.0.0/0
Relevant Config
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VPN
subnet 192.168.1.0 255.255.255.0
object network DMZ1
range 192.168.0.100 192.168.0.101
object network DMZ2
range 192.168.0.35 192.168.0.36
object network pb_any
subnet 192.168.0.0 255.255.0.0
object network pb_inside
subnet 192.168.0.0 255.255.255.0
object network Inside_Subnet
subnet 192.168.0.0 255.255.0.0
object-group network nonat
network-object 192.168.0.0 255.255.0.0
access-list Split-Tunnel standard permit 192.168.0.0 255.255.255.0
access-list traffic extended permit ip 192.168.0.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.51.0 255.255.255.0
no arp permit-nonconnected
nat (any,any) source static DMZ2 DMZ2
nat (any,outside) source dynamic VPN interface description VPN Access to Internet
nat (any,any) source static nonat nonat destination static nonat nonat no-proxy-arp
nat (any,any) source static DMZ1 DMZ1 destination static VPN VPN
nat (any,any) source static DMZ2 DMZ2 destination static VPN VPN
nat (inside,outside) source static pb_inside pb_inside destination static VPN VPN
!
object network obj_any
nat (any,outside) dynamic interface
object network pb_inside
nat (outside,outside) dynamic interface
Any thoughts? Users are connecting via LDAP. Thank you
Wait a minute... Are you saying the VPN client cannot access resources on its local LAN, or are you saying the VPN client cannot access resources at the main office?
ASKER
The VPN remote client, when connected to the VPN, cannot see the office network (i.e. servers).
Why is the remote client getting an IP that's in the same range as the corporate network? Are they getting that IP from your DHCP server? Usually I set up remote clients on their own IP pool.
If I recall correctly, it is normal not to be able to ping the default gateway when using the Cisco VPN client.
ASKER
The VPN pool is 192.168.1.x; the local network is 192.168.0.x.
What is the IP of the inside interface?
What is the default gateway of machines on the 192.168.0.0/24 subnet?
ASKER
The inside IP is 192.168.0.1.
The default GW is 192.168.0.1.
ASKER
Yes
access-list acl-inside extended permit ip any any
access-list acl-inside extended permit icmp any any
access-list Split-Tunnel standard permit 192.168.0.0 255.255.0.0
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
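The three things the thread pokes at (what the client routes into the tunnel, what the split-tunnel ACL covers, and whether an identity NAT exempts pool-to-LAN traffic) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the ASA config posted in the question and compares it against the AnyConnect "Route Details" shown there, which list 192.168.0.0/24 under Non-Secured Routes.

```python
from ipaddress import ip_address, ip_network

# Constructed excerpt of the ASA config and AnyConnect route table posted in the question.
ASA_CONFIG = """
object network VPN
 subnet 192.168.1.0 255.255.255.0
object network pb_inside
 subnet 192.168.0.0 255.255.255.0
object-group network nonat
 network-object 192.168.0.0 255.255.0.0
access-list Split-Tunnel standard permit 192.168.0.0 255.255.255.0
nat (any,any) source static nonat nonat destination static nonat nonat no-proxy-arp
nat (inside,outside) source static pb_inside pb_inside destination static VPN VPN
"""
SECURED = ["0.0.0.0/0"]          # client "Secured Routes (IPv4)"
NON_SECURED = ["192.168.0.0/24"]  # client "Non-Secured Routes (IPv4)"

def parse_asa(config):
    """Collect network objects/groups, identity (twice) NAT pairs and standard ACLs."""
    objects, identity_nat, std_acl, cur = {}, [], {}, None
    for line in config.strip().splitlines():
        w = line.split()
        if w[0] in ("object", "object-group") and w[1] == "network":
            cur = w[2]                                   # indented lines that follow belong to it
        elif w[0] in ("subnet", "network-object") and cur:
            objects.setdefault(cur, []).append(ip_network(f"{w[1]}/{w[2]}"))
        elif w[0] == "nat" and "static" in w and "destination" in w:
            s, d = w.index("static"), w.index("destination")
            if w[s + 1] == w[s + 2] and w[d + 2] == w[d + 3]:   # real == mapped: no translation
                identity_nat.append((w[s + 1], w[d + 2]))
        elif w[0] == "access-list" and w[2] == "standard" and w[3] == "permit":
            std_acl.setdefault(w[1], []).append(ip_network(f"{w[4]}/{w[5]}"))
    return objects, identity_nat, std_acl

def check_vpn_to_lan(client, server, config=ASA_CONFIG, secured=SECURED, non_secured=NON_SECURED):
    """Return reasons a VPN client might not reach a LAN host; [] means nothing found."""
    objects, identity_nat, std_acl = parse_asa(config)
    c, s = ip_address(client), ip_address(server)
    inside, excluded = [ip_network(n) for n in secured], [ip_network(n) for n in non_secured]
    def member(ip, name):
        return any(ip in n for n in objects.get(name, []))
    findings = []
    # 1. Client routing: the host must fall under a secured route and not under an excluded one.
    if any(s in n for n in excluded) or not any(s in n for n in inside):
        findings.append(f"{server} is routed outside the tunnel by the client")
    # 2. The split-tunnel ACL pushed to the client must cover the host.
    if not any(s in n for n in std_acl.get("Split-Tunnel", [])):
        findings.append(f"{server} is not in the Split-Tunnel ACL")
    # 3. Twice NAT is bidirectional, so either ordering of the pair exempts the flow.
    if not any(member(s, a) and member(c, b) or member(c, a) and member(s, b) for a, b in identity_nat):
        findings.append(f"no identity NAT exempts {client} <-> {server}")
    return findings
```

Run against the thread's own values (client 192.168.1.101, a DMZ2 host 192.168.0.35) it finds the NAT exemption and the ACL entry in place and flags only the client-side route, which is the same thing the asker's "I can't even ping 192.168.1.1" points at.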
ASKER
This ended up being a bug with the installed version of Cisco IOS; I upgraded to a fixed version. Awarding assisted points.
ASKER
Ethernet adapter Ethernet 6:
Connection-specific DNS Suffix . : xxxx
Link-local IPv6 Address . . . . . : fe80::9695:986a:2502:2a99%
Link-local IPv6 Address . . . . . : fe80::f812:5860:437e:fbdf%
IPv4 Address. . . . . . . . . . . : 192.168.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : :: 192.168.1.1
I can't even ping 192.168.1.1