topic Re: AnyConnect Configuration - Tunnel subnets that are on "Stati in Network Security

AnyConnect Configuration - Tunnel subnets that are on "Static Routes"

Jonher937 — Mon, 11 Mar 2019 23:59:44 GMT

Hi!

I've been trying to setup my Cisco ASA to handle VPN connections to a couple of subnets.

So we have a LAN which we have XenServers on (Lab environment)

On these machines we have a pfSense each to get a public IP so that we can NAT services to our virtual machines.

We are currently running AnyConnect to reach the managemen network "172.20.20.0/24"

But the pfSense's have their own IP's on this management vlan. So I thought that I could setup a static route to them.

So I did setup the route, I can now ping all the subnets.

The next thing to do is to get the AnyConnect to be able to reach all of these subnets.

I'll post a image that describes our network topology:

And I think i've got everything right. But it seems that something is missing. I've run out of ideas, and im still learning.

So it could just be soemthing easy. I will attach the network sketch and the config.

Thanks!

Best Regars:

Jonathan Herlin

AnyConnect Configuration - Tunnel subnets that are on "Static Ro

Harish Balakrishnan — Thu, 27 Sep 2012 05:51:41 GMT

Hello Jonathan

I tried to undertstand your scenario and configuration. It looks like the identity NAT is breaking the configuration.

Could you do the following and see how does it go

object network vpnpool
subnet 192.168.60.0 255.255.255.0

nat (inside,outside) 1 source static any any destination static vpnpool vpnpool

Please rate all helpful posts

Regards

Harish.

Re: AnyConnect Configuration - Tunnel subnets that are on "Stati

Jonher937 — Thu, 27 Sep 2012 07:48:58 GMT

I tried the commands you wrote.

When I do the packet-trace I get the following.

ASA5505(config)# packet-tracer input inside tcp 192.168.60.100 80 172.20.23.68$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xcb52a1f0, priority=1, domain=permit, deny=false

hits=65188, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

input_ifc=inside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 172.20.23.0 255.255.255.0 inside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

in id=0xcb51d4b0, priority=13, domain=permit, deny=false

hits=453, user_data=0xc9635ee0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=inside, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xcb52def8, priority=0, domain=inspect-ip-options, deny=true

hits=51642, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=inside, output_ifc=any

Phase: 5

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xcc3fd5f8, priority=0, domain=user-statistics, deny=false

hits=51667, user_data=0xcc28aaf0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=any, output_ifc=inside

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0xcb52def8, priority=0, domain=inspect-ip-options, deny=true

hits=51644, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=inside, output_ifc=any

Phase: 7

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

out id=0xcc3fd5f8, priority=0, domain=user-statistics, deny=false

hits=51668, user_data=0xcc28aaf0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=any, output_ifc=inside

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 52463, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

ASA5505(config)#

So it seems to work, but I can't access "172.20.20.11" which is one of the static route pfSense's. May be that the Cisco is proppertly configured, but can't work with the pfSense's.

And I can't figure out where the packet is going, cause it seems like the package reaches the pfSense without any problems?

And the pfSense is working just fine.

/ Jonathan

Re: AnyConnect Configuration - Tunnel subnets that are on "Stati

Harish Balakrishnan — Thu, 27 Sep 2012 08:03:26 GMT

Hello Jonathan

Happy to hear that it worked. regarding 172.20.20.11 what is this device and I am suspecting the reverse route from that device back to your vpn pool.

regards

Harish.

AnyConnect Configuration - Tunnel subnets that are on "Static Ro

Jonher937 — Thu, 27 Sep 2012 18:17:17 GMT

Hi again!

I had forgot to assign the static route to the LAN interface on the pfSense.

BIG THANKS!

/ Jonathan

AnyConnect Configuration - Tunnel subnets that are on "Static Ro

Harish Balakrishnan — Thu, 27 Sep 2012 18:24:27 GMT

Excellent.. and Thanks for rating me

Harish