TransWikia.com

Ping LAN via Anyconnect VPN

Network Engineering Asked by jrmybeaud on November 17, 2021

I’m trying to configure the VPN on a Cisco ASA 5510. I can connect to it without any problem and I can ping my switch (172.16.1.2/24) but I can’t ping the gateway (172.16.1.1/24) nor the Google public DNS.

Here is my config:

ASA Version 9.1(1)
!
hostname ciscoasa
names
ip local pool VPN-POOL 172.16.50.1-172.16.50.10 mask 255.255.255.0
!
interface Ethernet0/0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/1
    channel-group 1 mode active
    no nameif
    no security-level
    no ip address
!
interface Ethernet0/2
    channel-group 1 mode active
    no nameif
    no security-level
    no ip address
!
interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
!
interface Management0/0
    management-only
    shutdown
    no nameif
    no security-level
    no ip address
!
interface Port-channel1
    nameif inside
    security-level 100
    ip address 172.16.1.1 255.255.255.0
!
ftp mode passive
object network obj-anyconnect
    subnet 172.16.50.0 255.255.255.0
object network inside-global
    subnet 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_1
    network-object 172.16.1.0 255.255.255.0
    network-object object obj-anyconnect
object-group service DM_INLINE_SERVICE_1
    service-object icmp
    service-object tcp-udp destination eq domain
    service-object tcp-udp destination eq www
    service-object tcp destination eq https
access-list global_access extended permit icmp any4 any4
access-list Any standard permit 172.16.1.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit ip object obj-anyconnect object inside-global
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside-global inside-global destination static obj-anyconnect obj-anyconnect
nat (any,outside) source dynamic any interface
access-group inside_access_in in interface inside
access-group global_access global
!
router ospf 1
    network 172.16.1.0 255.255.255.0 area 0
    area 0
    log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 160.98.6.25 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 160.98.0.0 255.255.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint SelfsignedCert
    enrollment self
    subject-name CN=ciscoasa
    keypair SSLCert
    crl configure
crypto ca trustpool policy
crypto ca certificate chain SelfsignedCert
    certificate 82afec57
        308202d4 308201bc a0030201 02020482 afec5730 0d06092a 864886f7 0d010105
        0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
        86f70d01 09021608 63697363 6f617361 301e170d 31363130 30363131 31373334
        5a170d32 36313030 34313131 3733345a 302c3111 300f0603 55040313 08636973
        636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613082
        0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100bc
        e91e00f4 aeb6b1e5 4e579492 4abd0d6d 94bb8809 807f7fe8 e85a3771 89a92128
        43a942e5 b23f843e 0dd0a7e6 8bd74737 8c4caa21 6e13b306 25399f58 ba389a67
        b4c92552 883a6b1a d4a3066a ad42ef39 d0912086 08fcd1a4 f06ba6c6 c7f20343
        88eb339a 9dac789c b3bc4576 d99cc520 280dd608 30010f91 9f883861 373996ac
        a0ab2024 2cbb20d1 f53d0092 ac854d01 a9726e79 2624aab9 11b41d42 639e250f
        3703b0f8 8f1269b7 029fefad 539bb7c2 298a7753 36fd6af4 d2d7c93f caecb446
        aef2c298 a9fae6cd b7acac65 2b9afa0c ec181f42 0de75545 325b959f c46a3085
        4f53844f 6bad59f3 93a7ad96 0ec572a7 506f4477 5dc173c8 9229ba09 f0e5b702
        03010001 300d0609 2a864886 f70d0101 05050003 82010100 7a933c83 d10399f6
        7a390c7d a425551d 78dc604f e8cfdd7c 61b3be05 0376059f a5a02960 07d63f1f
        f4bc98c6 b62aa170 c8e164da e559256e 8be5a831 38fbbacb f2785f33 8aeb2707
        a7d42227 253e6fa1 196ee003 46ec604e 43a21de8 8d86c5ca cb1b3498 1f535123
        d22339da 42c3b08f d2a99abb 4de02a70 1ccca085 dbf3c124 3ffb2fd5 b70fe04a
        fea0718c b37e35a3 9c73320c 882ddf42 46127071 3db606aa 53c63483 2de07373
        7d0c7070 52d56e23 37bd0487 1c8391c4 c75a2006 ee5ccb44 e638d9d2 21879e36
        af699fb2 e8b73fd3 6bedec3f eb4518f5 cddcc27f 132b67bb 8ec133a5 cc0fce6f
        4ead7b54 af1bc6fb e2ec4665 2002c8a0 c716ade1 e5f8fece
    quit
telnet timeout 5
ssh 160.98.0.0 255.255.0.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point SelfsignedCert outside
webvpn
    enable outside
    anyconnect image disk0:/anyconnect-macosx-i386-3.1.04066-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
group-policy GroupPolicy_employer internal
group-policy GroupPolicy_employer attributes
    wins-server none
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ssl-client
    default-domain none
username user password xxxx encrypted
tunnel-group employer type remote-access
tunnel-group employer general-attributes
    address-pool VPN-POOL
    default-group-policy GroupPolicy_employer
tunnel-group employer webvpn-attributes
    group-alias employer enable
!
class-map inspection_default
    match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
    parameters
        message-length maximum client auto
        message-length maximum 512
policy-map global_policy
    class inspection_default
        inspect dns preset_dns_map
        inspect ftp
        inspect h323 h225
        inspect h323 ras
        inspect rsh
        inspect rtsp
        inspect esmtp
        inspect sqlnet
        inspect skinny
        inspect sunrpc
        inspect xdmcp
        inspect sip
        inspect netbios
        inspect tftp
        inspect ip-options
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fb98abef6a3811bb0306150b705b9fc1

One Answer

1) To allow traffic from the Anyconnect client (which is on the outside) to go to the Internet (also outside), you need to enable:

same-security-traffic permit intra-interface

This is also known as Hairpinning since the traffic makes a U-turn at the firewall.

cf. Permitting Intra-Interface Traffic (Hairpinning)


2) To allow the ping to the inside interface to work from the outside, you need:

management-access inside

Note that this will also enable other forms of to-the-box traffic (SNMP, SSH, etc.) over the tunnel. See Enabling Management Access


3) To make ping work through the ASA, you may also need

policy-map global_policy
    class inspection_default
        inspect icmp

4) To make ping work TO the ASA inside interface, you may also need

icmp permit obj-anyconnect inside

Answered by hertitu on November 17, 2021
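The four changes from the answer, collected into one fragment that can be pasted into the running config above, followed by the packet-tracer checks a practitioner would run to confirm each path. This is an added example, not part of the original question or answer; it assumes the interface names, the VPN pool (172.16.50.0/24) and the Google DNS address from the posted config, and it writes the ICMP to-the-box rule in the address-and-mask form the icmp command takes. The existing `nat (any,outside) source dynamic any interface` already covers the hairpinned client traffic, since a packet that arrives on outside and leaves on outside matches the `any` source interface and is PATed to the outside address, so no extra NAT line is needed.

```cisco
! --- 1) hairpinning: outside -> outside, required because the group-policy
!        has no split tunnel, so all client traffic (including 8.8.8.8) returns
!        through the outside interface
same-security-traffic permit intra-interface

! --- 2) let the ASA answer to-the-box traffic (ping, SSH, ASDM) on the inside
!        interface address when the packet arrives over the VPN on outside.
!        Caveat: this also exposes SSH/HTTP on 172.16.1.1 to tunnel clients;
!        keep the ssh / http source statements restricted (as they are above).
management-access inside

! --- 3) stateful ICMP inspection, so echo replies for pings THROUGH the ASA
!        are matched to their requests instead of relying on the ACL
policy-map global_policy
 class inspection_default
  inspect icmp

! --- 4) allow only the VPN pool to ping the inside interface itself
!        (address/mask form; 'any' would open it to every source)
icmp permit 172.16.50.0 255.255.255.0 echo inside

! --- verification from the ASA CLI (assumed client address 172.16.50.1) ---
! ping THROUGH the ASA to the public DNS: expect NAT to the outside
! interface and a final "Action: allow"
packet-tracer input outside icmp 172.16.50.1 8 0 8.8.8.8 detailed
! ping TO the inside interface: expect the packet to be handled as
! to-the-box traffic rather than dropped by "no route"/"intra-interface"
packet-tracer input outside icmp 172.16.50.1 8 0 172.16.1.1 detailed
! confirm the inspection and the hairpin setting took effect
show running-config policy-map global_policy
show running-config same-security-traffic
```

Two points worth keeping in mind when applying this. First, by default `sysopt connection permit-vpn` is enabled, so decrypted AnyConnect traffic bypasses the outside interface access list; the place to restrict what VPN users can reach is a `vpn-filter` ACL on the group-policy, not `global_access`. Second, `management-access inside` is a convenience for reaching the box over the tunnel, and the answer's note applies: anything the ASA serves on that interface (SSH, HTTP/ASDM, SNMP) becomes reachable from the pool, so the `ssh` and `http` source restrictions and a strong local credential matter more once it is enabled.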
