
Can connect with Anyconnect but can't ping!

Posted: Wed Apr 22, 2015 5:48 am
by apostolos2007
Hello guys!
I have spent many hours trying to solve the connectivity between my Anyconnect client (IP 10.2.0.10, and IP 10.4.0.1/24 from the VPN POOL) and my LAN network (10.3.0.0/24).

I have an ASA 8.4(2) with the following interfaces:
inside - 10.3.0.2/24
outside - 20.1.1.1/24
dmz - 172.16.1.1/24

I have a router (R2) connected to the ASA from the outside with IP 20.1.1.2/24 and another interface (IP 20.1.2.2/24) connected to R3 (IP 20.1.2.3), which is also connected to a host (10.2.0.10) through another interface (10.2.0.1/24).

I have configured EIGRP between ASA, R2 and R3 in order to have connectivity with each other.

I can connect from the host (10.2.0.1/24) to the ASA with Anyconnect and I also get an IP (10.4.0.1) from the following pool: 10.4.0.1-10.4.0.10/24

In order to be able to ping the inside interface of the ASA (10.3.0.2) I typed "route-lookup" in the following NAT rule:

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.4.0.0_28 NETWORK_OBJ_10.4.0.0_28 route-lookup


BUT I also have some other hosts on that LAN network (10.3.0.0/24) that I cannot ping.
For example 10.3.0.1.

Do I need an access list? And if so, where should I apply it? I'm at a loss... can you help me? Thanks in advance!!!!

Here is some code that relates to the ASA configuration:


object network Windows2012_server_Int
 host 172.16.1.10
object network Windows2012_server_Out
 host 20.1.1.3
object network NETWORK_OBJ_10.4.0.0_28
 subnet 10.4.0.0 255.255.255.240

access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.3.0.0 255.255.255.0 object NETWORK_OBJ_10.4.0.0_28

access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz

ip local pool POOL_10 10.4.0.1-10.4.0.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin
no asdm history enable

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.4.0.0_28 NETWORK_OBJ_10.4.0.0_28 route-lookup

router eigrp 2
 network 10.3.0.0 255.255.255.0
 network 20.1.1.0 255.255.255.0

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_Anyconnect internal
group-policy GroupPolicy_Anyconnect attributes
 wins-server none
 dns-server value 172.16.1.10
 vpn-tunnel-protocol ssl-client
 default-domain none

tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 address-pool POOL_10
 default-group-policy GroupPolicy_Anyconnect
tunnel-group Anyconnect webvpn-attributes
 group-alias Anyconnect enable
Here is the routing table of ASA:


Gateway of last resort is not set

D    20.0.0.0 255.0.0.0 is a summary, 0:28:46, Null0
C    20.1.1.0 255.255.255.0 is directly connected, outside
D    20.1.2.0 255.255.255.0 [90/30720] via 20.1.1.2, 0:28:46, outside
C    172.16.1.0 255.255.255.0 is directly connected, dmz
D    10.2.0.0 255.255.255.0 [90/33280] via 20.1.1.2, 0:28:46, outside
C    10.3.0.0 255.255.255.0 is directly connected, inside
D    10.0.0.0 255.0.0.0 is a summary, 0:28:46, Null0

Here is the routing table of R3 (the router connected to the Anyconnect client):


      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C        10.2.0.0/24 is directly connected, FastEthernet1/0
L        10.2.0.1/32 is directly connected, FastEthernet1/0
      20.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        20.1.1.0/24 [90/3072] via 20.1.2.2, 00:35:25, GigabitEthernet0/0
C        20.1.2.0/24 is directly connected, GigabitEthernet0/0
L        20.1.2.3/32 is directly connected, GigabitEthernet0/0

What am I doing wrong?
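An added diagnostic, not part of the post: a small Python longest-prefix-match resolver fed the two routing tables pasted above (copied verbatim into the script). It shows where each device would forward a packet for the VPN pool address 10.4.0.1 and for the inside host 10.3.0.1; in the ASA table as shown, 10.4.0.1 matches only the EIGRP 10.0.0.0/8 summary pointing to Null0 (a discard route), which assumes the table was captured with no client route installed.

```python
import ipaddress
import re
# Routing tables copied from the post: ASA "show route" and R3 (IOS) output.
ASA_ROUTES = """
D    20.0.0.0 255.0.0.0 is a summary, 0:28:46, Null0
C    20.1.1.0 255.255.255.0 is directly connected, outside
D    20.1.2.0 255.255.255.0 [90/30720] via 20.1.1.2, 0:28:46, outside
C    172.16.1.0 255.255.255.0 is directly connected, dmz
D    10.2.0.0 255.255.255.0 [90/33280] via 20.1.1.2, 0:28:46, outside
C    10.3.0.0 255.255.255.0 is directly connected, inside
D    10.0.0.0 255.0.0.0 is a summary, 0:28:46, Null0
"""
R3_ROUTES = """
      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C        10.2.0.0/24 is directly connected, FastEthernet1/0
L        10.2.0.1/32 is directly connected, FastEthernet1/0
      20.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        20.1.1.0/24 [90/3072] via 20.1.2.2, 00:35:25, GigabitEthernet0/0
C        20.1.2.0/24 is directly connected, GigabitEthernet0/0
L        20.1.2.3/32 is directly connected, GigabitEthernet0/0
"""
# ASA prints "network mask"; IOS prints "network/prefixlen". Both end with
# ", <egress interface>" (Null0 for an EIGRP summary, i.e. the packet is dropped).
ASA_LINE = re.compile(r"^(\w)\s+(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) .*, (\S+)$")
IOS_LINE = re.compile(r"^(\w)\s+(\d+\.\d+\.\d+\.\d+/\d+) .*, (\S+)$")

def parse_routes(text):
    """Return a list of (code, ipaddress.ip_network, egress) tuples."""
    routes = []
    for line in text.strip().splitlines():
        m = ASA_LINE.match(line.strip())
        if m:
            code, net, mask, egress = m.groups()
            routes.append((code, ipaddress.ip_network(f"{net}/{mask}"), egress))
            continue
        m = IOS_LINE.match(line.strip())
        if m:  # header lines such as "10.0.0.0/8 is variably subnetted" match neither
            code, net, egress = m.groups()
            routes.append((code, ipaddress.ip_network(net), egress))
    return routes

def lookup(routes, dst):
    """Longest-prefix match for dst; None means the table has no route at all."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[1]]
    return max(matches, key=lambda r: r[1].prefixlen) if matches else None

if __name__ == "__main__":
    print(lookup(parse_routes(ASA_ROUTES), "10.4.0.1"))  # -> ('D', IPv4Network('10.0.0.0/8'), 'Null0')
```

Run `lookup(table, dst)` against any other destination from the post (for example 10.3.0.1 on the ASA table, which resolves to the inside interface) to compare forward and return paths.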