301 Views · 0 Helpful · 1 Reply
Beginner

Internet Access through Remote Access VPN (AnyConnect) for clients not working

Hi, I am looking for some assistance with configuring/troubleshooting our Remote Access VPN settings, specifically Internet access through the VPN connection.

We use a Cisco 5516-X with Firepower Management Center.

We have already configured two connection profiles. The first one, with split tunneling, works perfectly: both the Internet and access to our networks work as they should. The second connection profile, with "Allow all traffic over tunnel" as the split tunneling option, grants access only to the local networks; Internet access through the VPN is not working, and this is what we want to deal with.

We use a two-provider scheme: ISP1 provides Internet access, with a default route of metric 1, and ISP2 provides VPN access, with a default route of metric 2. I allowed ISP2-to-ISP1 traffic in the ACL with the VPN address pool as the source and any address as the destination. I also created a dynamic NAT rule which should translate IP addresses from the VPN address pool to the external IP of the ISP1 interface (as I did to NAT traffic from the local networks to the Internet).

I also tried Packet Tracer with source IP: an IP from the VPN address pool, dest IP: 8.8.8.8, and it seems OK. PT shows me Allow. But in real life it doesn't work for some reason.

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ISP1_GW_IP using egress ifc  outside_ISP1

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc outside_ISP2 object VPNPool-10.72.1.0-24 ifc outside_ISP1 any rule-id 268436480 
access-list CSM_FW_ACL_ remark rule-id 268436480: ACCESS POLICY: Base Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268436480: L7 RULE: VPN_to_Internet
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: CONN-SETTINGS
Subtype: 
Result: ALLOW
Config:
class-map class_map_AllowAll
 match access-list AllowAll
policy-map global_policy
 class class_map_AllowAll
  set connection timeout idle 1:00:00 embryonic 0:00:30 half-closed 0:10:00 
        idle 1:00:00 
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network VPNPool-10.72.1.0-24
 nat (outside_ISP2,outside_ISP1) dynamic interface
Additional Information:
Dynamic translate 10.72.1.5/0 to ISP1_ASA_IP/15209

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 4088964, packet dispatched to next module

Phase: 13
Type: EXTERNAL-INSPECT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 14
Type: SNORT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: ICMP
Session: new snort session
Firewall: allow rule,  'VPN_to_Internet' , allow
Snort id 0, NAP id 2, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Phase: 15
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ISP1_GW_IP using egress ifc  outside_ISP1

Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 04b0.e7a8.2a2d hits 10 reference 1

Result:
input-interface: outside_ISP2
input-status: up
input-line-status: up
output-interface: outside_ISP1
output-status: up
output-line-status: up
Action: allow

How can we overcome this issue?
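When a Packet Tracer run says "allow" but real traffic fails, the useful next step is to compare traces side by side (simulated versus a trace taken for the live flow, or a before/after pair while changing routes or NAT) rather than reading sixteen phases by eye each time. The script below is an added example, not code from the original post or from Cisco: it parses packet-tracer output in exactly the format shown above (Phase / Type / Subtype / Result / Config / Additional Information blocks followed by the trailing bare "Result:" block) and pulls out the per-phase verdicts, the NAT translation applied, the egress interface chosen by each ROUTE-LOOKUP, and the final action. Both sample traces are constructed: ALLOW_TRACE is abridged from the trace in the question, and DROP_TRACE is an invented denied flow that shows how a non-ALLOW phase and a Drop-reason line surface; the interface names, IPs and rule-id are the placeholders from the post, and the drop-reason text follows the ASA's usual wording but is a made-up case here.

```python
"""Parse Cisco ASA/FTD packet-tracer output: per-phase verdicts, the NAT
translation applied, the egress interface chosen, and the final action or
drop reason, so a simulated trace can be compared with a real one quickly.
Added example, not code from the original post. The two sample traces are
constructed: ALLOW_TRACE is abridged from the question, DROP_TRACE invented.
"""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
EGRESS_RE = re.compile(r"egress ifc\s+(\S+)")


def parse_packet_tracer(text):
    """Return (phases, final): phases is a list of dicts in trace order, final
    is the key/value map from the trailing bare 'Result:' block."""
    phases, final, cur, section, in_final = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PHASE_RE.match(line)
        if m:
            cur = {"number": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                  # bare 'Result:' opens the summary
            in_final, cur = True, None
        elif in_final:
            if ":" in line:
                key, val = line.split(":", 1)
                final[key.strip()] = val.strip()
        elif cur is None:
            continue                             # preamble before the first phase
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, val = line.split(":", 1)
            cur[key.lower()] = val.strip()
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section and line.strip():
            cur[section].append(line.strip())
    return phases, final


def first_non_allow(phases):
    """First phase whose verdict is not ALLOW, or None if every phase passed."""
    return next((p for p in phases if p["result"].upper() != "ALLOW"), None)


def nat_translations(phases):
    """Translation lines reported by NAT phases ('Dynamic translate ...')."""
    return [i for p in phases if p["type"] == "NAT"
            for i in p["info"] if "translate" in i.lower()]


def egress_interfaces(phases):
    """Egress interface named by each ROUTE-LOOKUP phase, in order."""
    return [m.group(1) for p in phases if p["type"] == "ROUTE-LOOKUP"
            for i in p["info"] if (m := EGRESS_RE.search(i))]


# Constructed sample, abridged from the ALLOW trace in the question.
ALLOW_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ISP1_GW_IP using egress ifc  outside_ISP1

Phase: 4
Type: NAT
Result: ALLOW
Config:
object network VPNPool-10.72.1.0-24
 nat (outside_ISP2,outside_ISP1) dynamic interface
Additional Information:
Dynamic translate 10.72.1.5/0 to ISP1_ASA_IP/15209

Result:
input-interface: outside_ISP2
output-interface: outside_ISP1
Action: allow
"""

# Constructed sample: the ACL denies the flow, so a Drop-reason line appears.
DROP_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
Additional Information:

Result:
input-interface: outside_ISP2
output-interface: outside_ISP1
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Feed it the text of a packet-tracer run (copy it from the CLI into a file and pass the file contents to parse_packet_tracer); the dict returned for the final block carries Action and, on a denied flow, Drop-reason, while first_non_allow points at the phase that failed. Note that a simulated trace only shows what the data plane would do with the packet as described on the command line; it does not prove that the real, decrypted VPN packet takes the same input interface and route, which is why comparing the simulated summary against a capture of the live flow is the informative check.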

1 REPLY
Beginner

Re: Internet Access through Remote Access VPN (AnyConnect) for clients not working

I also tried playing with the Tunneled checkbox in the Static Route options for the default route, but it had no effect.

The issue is still open; any suggestions?

(Optional) For a default route, click the Tunneled checkbox to define a separate default route for VPN traffic.

You can define a separate default route for VPN traffic if you want your VPN traffic to use a different default route than your non VPN traffic. For example, traffic incoming from VPN connections can be easily directed towards internal networks, while traffic from internal networks can be directed towards the outside. When you create a default route with the tunneled option, all traffic from a tunnel terminating on the device that cannot be routed using learned or static routes, is sent to this route. You can configure only one default tunneled gateway per device. ECMP for tunneled traffic is not supported.
