
Cisco AnyConnect/ASA connected users can't access local subnet


AJHay (IS-IT--Management), Apr 6, 2011, GB
Re: thread1598-1584189

Hi folks,

Got the same problem as described in this thread. Win 7 domain-joined PCs in a remote office, logged on with cached domain credentials. Plugged into a router getting DHCP addresses on the 192.168.129.x subnet, auto-connect to the AnyConnect VPN using a certificate at logon, then gpupdate runs automatically to push out policy.

The PCs cannot find each other using either the PC name or the locally assigned IP address. I can see that using the name might be tricky, as they are registered in DNS so it tries to go to the address they get from the domain and the routes aren't set up to come in and back out or something... but I'm very surprised that I can't even browse to or ping the 192.168.129 address they get from the local router (Cisco 877w), yet I can ping the router itself on 192.168.129.1.

Really need these machines to share file and print locally.

Anyone got any ideas? Thanks.
 
So they receive a 192.168.129.x address. Is that the address assigned to them by AnyConnect, or is that the address assigned to the machine itself to allow it to connect to the ASA?

It would be helpful to know:

The network of the remote office
The network of the VPN pool
The network of the main office

Also need to know if you are doing split tunneling or tunneling everything.
 
Hi there,

Thanks for getting back to me. I think I'm on the way to answering this myself, but any further advice would be appreciated...

We are using split-include tunneling, currently set up just to route specific ranges into the main office. So everything else is going to the internet. This is part of the problem.

I've also just found some Cisco documentation about the VPN client disabling local LAN access by design. Which is the other part of the problem.

The doc talks about setting up split tunneling with exclusions for the local LAN and then enabling Local LAN access in the client profile. Problem there is that we actually have loads of remote offices who generate loads of web traffic, which we can't have coming into HQ as we don't have the bandwidth.

This is the doc I've been looking at.
We are on v8.4 of the ASA OS with AnyConnect client v3, and I'm still trying to find the docs for this version, but I guess the principle will be similar.

So, we want to have a split-include tunnel and enable local LAN access (192.168.129.x) with all other traffic going straight out onto the web.

Any thoughts?

Don't think you need to know the network addresses any more - it's just a certificate in the Cisco ASA/AnyConnect config!

Thanks
 
Hi Trey,

Thanks for your response. I've actually managed to get this resolved:
First, we had to enable local LAN access on the connection profile on the ASAs, then we had to ensure it was enabled in the actual client.
Second, we had to modify the Windows firewall config being pushed out with Group Policy. I don't know the detail of this as I wasn't directly involved. All fine now though.

Cheers!
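As an added example (not from the thread or from Cisco's documentation), here is a constructed AnyConnect client profile showing the Local LAN Access setting the resolution above refers to. The profile name, host name and VPN address are placeholders; the ASA-side split-include ACL, and the Windows firewall rules the poster mentions, are separate and not shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example AnyConnect client profile (not from the thread).
     Push this to clients from the ASA so the setting takes effect
     even where users cannot edit client preferences. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Allow the client to reach its directly connected subnet (the remote
         office's 192.168.129.0/24 in the thread) while the tunnel is up.
         Without this the client blocks local LAN traffic by design even
         under a split-include policy. UserControllable="true" also lets the
         user see and toggle the option in the client GUI. -->
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Placeholder values; replace with the real ASA head-end. -->
      <HostName>HQ VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Keeping the split-include list limited to the HQ ranges (as the poster already had) is what keeps general web traffic off the tunnel; the profile flag only affects whether the client permits traffic to its own local subnet.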
 