Solved: Anyconnect on CSR 1000v at AWS

j.beckner · ‎10-25-2018

I am testing the CSR 1000v at AWS.

I have setup Anyconnect on a CSR 1000v. I am able to connect with my Anyconnect client, but am not able to access an inside host on the AWS subnet on the inside private interface. From the Anyconnect client I am able to ping the IP address of the CSR inside interface, but not the inside host. I can ping the host from the CSR.

I also have setup and working on the CSR the following:

Zone Based Firewall

DMVPN hub works ok, can access the inside host from remote site.

Outbound dynamic NAT works from inside host to Internet.

Inbound static NAT RDP to inside host from Internet.

Does Anyconnect actually work on the CSR 1000v?

Any suggestions would be appreciated.

j.beckner · ‎10-26-2018

I just now figured out how to make this work. I used an address pool that was outside the subnet of the CSR inside interface. In this case the CSR inside interface connected to the AWS inside subnet has address 10.20.30.5/24, and I set the anyconnect client address pool in the 10.30.1.0/24 subnet. This way the AWS subnet used its default route to the CSR instead of ip proxy-arp to reach the client.

It looks like maybe either the AWS subnet doesn't like proxy-arp, or maybe the CSR 1000v doesn't support proxy-arp.

View solution in original post

j.beckner · ‎10-26-2018

I just now figured out how to make this work. I used an address pool that was outside the subnet of the CSR inside interface. In this case the CSR inside interface connected to the AWS inside subnet has address 10.20.30.5/24, and I set the anyconnect client address pool in the 10.30.1.0/24 subnet. This way the AWS subnet used its default route to the CSR instead of ip proxy-arp to reach the client.

It looks like maybe either the AWS subnet doesn't like proxy-arp, or maybe the CSR 1000v doesn't support proxy-arp.