networking-forum.com
PostPosted: Mon Apr 09, 2012 3:31 pm 
Post Whore
Joined: Fri Apr 25, 2008 2:16 pm
Posts: 1361
Location: Jacksonville, FL
Certs: CCNP, CCNA:Sec, MCSE
I inherited an ASA5510 running 8.2(5)26. This ASA accepts AnyConnect connections, and has an IPSEC L2L tunnel back to our HQ. We have a need to have AnyConnect clients connect to this inherited ASA, and then traverse the IPSEC tunnel and hit a server at the HQ; not a big deal.

I didn't do the initial setup on this inherited ASA; I'm just tasked with making it work.

I have it set up where clients can connect with AnyConnect, and can ping a server at HQ; however, they can't hit it on port 80. When I try, I see the Sent counter increase on the client, but I don't see the Pkts counter increase on the IPSEC tunnel between the offices.

Can anybody suggest what to look for? I can ping the servers at HQ, just not hit TCP/80, which makes me think my NAT is correct.

_________________
"A problem well stated is a problem half solved". (Charles Kettering)

PostPosted: Mon Apr 09, 2012 3:47 pm 
Moderator
Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
sysopt connection permitvpn

or something like that

_________________
http://blog.alwaysthenetwork.com

PostPosted: Mon Apr 09, 2012 3:58 pm 
Post Whore
Joined: Fri Apr 25, 2008 2:16 pm
Posts: 1361
Location: Jacksonville, FL
Certs: CCNP, CCNA:Sec, MCSE
fw01# show run all | inc sysopt
sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp inside
no sysopt noproxyarp management

_________________
"A problem well stated is a problem half solved". (Charles Kettering)

PostPosted: Mon Apr 09, 2012 5:42 pm 
Moderator
Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
hmmm

I agree with you on NAT being correct, but that's the only thing I can think of.

_________________
http://blog.alwaysthenetwork.com

PostPosted: Mon Apr 09, 2012 8:57 pm 
Member
Joined: Fri Nov 13, 2009 4:42 pm
Posts: 199
Certs: CCIE R&S
are you permitting intra-interface traffic?

PostPosted: Mon Apr 09, 2012 9:05 pm 
Moderator
Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
willroute4food wrote:
are you permitting intra-interface traffic?


Nice, I hadn't even considered that! You think he'd be able to ping without it though?

_________________
http://blog.alwaysthenetwork.com

PostPosted: Mon Apr 09, 2012 9:06 pm 
Member
Joined: Fri Nov 13, 2009 4:42 pm
Posts: 199
Certs: CCIE R&S
I've seen it work like that, especially if you're not inspecting ICMP.

PostPosted: Mon Apr 09, 2012 9:08 pm 
Moderator
Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
I bet that's it then.

_________________
http://blog.alwaysthenetwork.com

PostPosted: Tue Apr 10, 2012 8:35 am 
Post Whore
Joined: Fri Apr 25, 2008 2:16 pm
Posts: 1361
Location: Jacksonville, FL
Certs: CCNP, CCNA:Sec, MCSE
same-security-traffic permit intra-interface

Yup, it's in there. I'm gonna play a bit more and then give up and call TAC.

_________________
"A problem well stated is a problem half solved". (Charles Kettering)

PostPosted: Tue Apr 10, 2012 8:41 am 
Member
Joined: Fri Nov 13, 2009 4:42 pm
Posts: 199
Certs: CCIE R&S
post your subnets, and your nat statements, if possible.

PostPosted: Tue Apr 10, 2012 12:42 pm 
Junior Member
Joined: Fri Jun 25, 2010 7:55 am
Posts: 89
Certs: CCNP
I am assuming the subnet for your AnyConnect clients is included in the crypto ACL on both sides of your L2L tunnel back to HQ?

PostPosted: Tue Apr 10, 2012 12:56 pm 
Post Whore
Joined: Fri Apr 25, 2008 2:16 pm
Posts: 1361
Location: Jacksonville, FL
Certs: CCNP, CCNA:Sec, MCSE
Yes, it is; I can ping the server at HQ via the tunnel, which in my experience means the crypto maps, ACLs and NATs are all correct.

When I 'ping $server_ip' I see the pkt counters on the L2L tunnels increase, but I don't see it increase when I try to 'telnet $server_ip 80', which to me feels like a VPN filter, but I have none specified.

_________________
"A problem well stated is a problem half solved". (Charles Kettering)
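The checklist the replies above build up (intra-interface permit, sysopt permit-vpn, NAT exemption and crypto ACL coverage of the client pool) as a small Python checker for an ASA 8.2-style config; this is an added example, not anything posted in the thread, and the config fragment, ACL names and addresses in it are constructed.

```python
"""Hairpin prerequisite checker for an ASA 8.2-style config (added example,
not from the thread). Pool/HQ addresses and ACL names are constructed."""
import ipaddress
import re

# Constructed config fragment modelled on the thread: the AnyConnect pool
# hairpins out the outside interface into the L2L tunnel towards HQ.
SAMPLE_CONFIG = """
same-security-traffic permit intra-interface
sysopt connection permit-vpn
ip local pool ANYCONNECT_POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
access-list NONAT extended permit ip 10.99.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list L2L_HQ extended permit ip 10.99.0.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (outside) 0 access-list NONAT
crypto map OUTSIDE_MAP 10 match address L2L_HQ
"""

def acl_covers(config, acl_name, src_net, dst_net):
    """True if one entry of acl_name (ASA netmask syntax) covers src_net -> dst_net."""
    pat = re.compile(rf"^access-list {re.escape(acl_name)} extended permit ip "
                     r"(\S+) (\S+) (\S+) (\S+)$", re.M)
    for s_ip, s_mask, d_ip, d_mask in pat.findall(config):
        src = ipaddress.ip_network(f"{s_ip}/{s_mask}", strict=False)
        dst = ipaddress.ip_network(f"{d_ip}/{d_mask}", strict=False)
        if src_net.subnet_of(src) and dst_net.subnet_of(dst):
            return True
    return False

def hairpin_checks(config, pool_cidr, hq_cidr):
    """Return {check: passed} for the items the thread walks through."""
    pool, hq = ipaddress.ip_network(pool_cidr), ipaddress.ip_network(hq_cidr)
    def has_line(text):
        return bool(re.search(rf"^{re.escape(text)}$", config, re.M))
    results = {
        # hairpin traffic enters and leaves the same (outside) interface
        "intra_interface": has_line("same-security-traffic permit intra-interface"),
        # decrypted VPN traffic bypasses the interface ACL
        "permit_vpn": has_line("sysopt connection permit-vpn"),
    }
    # 8.2 NAT exemption for traffic entering on outside (the VPN side) towards HQ
    nonat = re.search(r"^nat \(outside\) 0 access-list (\S+)$", config, re.M)
    results["nat_exempt"] = bool(nonat) and acl_covers(config, nonat.group(1), pool, hq)
    # the crypto ACL must include the client pool, or traffic never hits the tunnel
    crypto_acls = re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M)
    results["crypto_acl"] = any(acl_covers(config, n, pool, hq) for n in crypto_acls)
    return results

def failed_checks(config, pool_cidr, hq_cidr):
    """Names of the checks that did not pass; empty when the checklist is clean."""
    return sorted(k for k, ok in hairpin_checks(config, pool_cidr, hq_cidr).items() if not ok)
```

In the thread every one of these items checked out and TAC traced the symptom to a software defect, so a clean result here is the cue to move on to packet captures and a TAC case rather than further NAT changes.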

PostPosted: Wed Apr 11, 2012 6:17 pm 
Member
Joined: Sun Apr 17, 2011 3:28 pm
Posts: 213
Certs: CCSP/CCNP:Security GIAC GPEN
Have you tried running any packet captures?

Never tried running one while a tunnel was up so I'm not sure if you will see it before or after the encryption (gut tells me after encryption) but it might be helpful to see if you have any egress traffic on the client when trying to run a telnet for example.

Same on the ASA if you can make a filter to single out your IP address. See if you are receiving anything etc.

_________________
The Cubicle Wizard
http://cubiclewizard.blogspot.com/

PostPosted: Tue May 08, 2012 9:36 am 
Post Whore
Joined: Fri Apr 25, 2008 2:16 pm
Posts: 1361
Location: Jacksonville, FL
Certs: CCNP, CCNA:Sec, MCSE
Cisco TAC says this is a bug in ASA 8.2(5.26) with AnyConnect hair-pinning; bugid CSCty32412.

_________________
"A problem well stated is a problem half solved". (Charles Kettering)
