AnyConnect Configuration - Tunnel subnets that are on "Static Routes"

Jonher937

Hi!

I've been trying to setup my Cisco ASA to handle VPN connections to a couple of subnets.

So we have a LAN which we have XenServers on (Lab environment)

On these machines we have a pfSense each to get a public IP so that we can NAT services to our virtual machines.

We are currently running AnyConnect to reach the management network "172.20.20.0/24".

But the pfSenses have their own IPs on this management VLAN. So I thought that I could set up a static route to them.

So I did setup the route, I can now ping all the subnets.

The next thing to do is to get the AnyConnect to be able to reach all of these subnets.

I'll post an image that describes our network topology:

And I think I've got everything right. But it seems that something is missing. I've run out of ideas, and I'm still learning.

So it could just be something easy. I will attach the network sketch and the config.

Thanks!

Best Regards,

Jonathan Herlin

Accepted Solutions

Hello Jonathan

I tried to understand your scenario and configuration. It looks like the identity NAT is breaking the configuration.

Could you do the following and see how it goes:

object network vpnpool
 subnet 192.168.60.0 255.255.255.0

nat (inside,outside) 1 source static any any destination static vpnpool vpnpool

Please rate all helpful posts

Regards

Harish.

I tried the commands you wrote.

When I do the packet-trace I get the following.

ASA5505(config)# packet-tracer input inside tcp 192.168.60.100 80 172.20.23.68$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb52a1f0, priority=1, domain=permit, deny=false
        hits=65188, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.20.23.0     255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb51d4b0, priority=13, domain=permit, deny=false
        hits=453, user_data=0xc9635ee0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb52def8, priority=0, domain=inspect-ip-options, deny=true
        hits=51642, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcc3fd5f8, priority=0, domain=user-statistics, deny=false
        hits=51667, user_data=0xcc28aaf0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=inside

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xcb52def8, priority=0, domain=inspect-ip-options, deny=true
        hits=51644, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xcc3fd5f8, priority=0, domain=user-statistics, deny=false
        hits=51668, user_data=0xcc28aaf0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=inside

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 52463, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ASA5505(config)#

So it seems to work, but I can't access "172.20.20.11", which is one of the static-route pfSenses. Maybe the Cisco is properly configured but can't work with the pfSenses.

And I can't figure out where the packet is going, because it seems like the packet reaches the pfSense without any problems?

And the pfSense is working just fine.

/ Jonathan

Hello Jonathan

Happy to hear that it worked. Regarding 172.20.20.11, what is this device? I am suspecting the reverse route from that device back to your VPN pool.

regards

Harish.

Hi again!

I had forgotten to assign the static route to the LAN interface on the pfSense.

BIG THANKS!

/ Jonathan
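The fix above is a reverse-route problem: the ASA could reach 172.20.23.0/24 via the pfSense, but the pfSense had no route for the VPN pool and sent replies out its default gateway instead of back to the ASA. The following added example (not from the thread or from Cisco or pfSense) models that with a longest-prefix route lookup over the addresses used in the thread; the ASA inside address 172.20.20.1 and the next-hop labels are assumptions.

```python
import ipaddress

# Constructed topology for illustration. Addresses taken from the thread:
# VPN pool 192.168.60.0/24, management VLAN 172.20.20.0/24, pfSense LAN
# address 172.20.20.11 and a VM subnet 172.20.23.0/24 behind it.
# The ASA inside address 172.20.20.1 is an assumption.
ASA_INSIDE = "172.20.20.1"
PFSENSE_LAN = "172.20.20.11"

# ASA routing table after the static route toward the pfSense was added.
ASA_ROUTES = [
    ("0.0.0.0/0", "isp-gateway"),
    ("172.20.20.0/24", "connected:inside"),
    ("192.168.60.0/24", "vpn:anyconnect"),
    ("172.20.23.0/24", PFSENSE_LAN),
]

# pfSense routing table before the fix: no route for the VPN pool, so
# replies to 192.168.60.x follow the default route out of the WAN side.
PFSENSE_BEFORE = [
    ("0.0.0.0/0", "wan-gateway"),
    ("172.20.20.0/24", "connected:lan"),
    ("172.20.23.0/24", "connected:vms"),
]
# After the fix: static route for the VPN pool via the ASA on the LAN side.
PFSENSE_AFTER = PFSENSE_BEFORE + [("192.168.60.0/24", ASA_INSIDE)]


def lookup(routes, dst):
    """Longest-prefix match; routes is a list of (prefix, next_hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def path_is_symmetric(pfsense_routes, client="192.168.60.100", server="172.20.23.68"):
    """True only if the ASA forwards to the pfSense and the pfSense sends
    the reply back to the ASA rather than out its default route."""
    forward = lookup(ASA_ROUTES, server)
    reverse = lookup(pfsense_routes, client)
    return forward == PFSENSE_LAN and reverse == ASA_INSIDE


if __name__ == "__main__":
    for label, table in (("before", PFSENSE_BEFORE), ("after", PFSENSE_AFTER)):
        print(label, "reply next hop:", lookup(table, "192.168.60.100"),
              "symmetric:", path_is_symmetric(table))
```

The same lookup can be fed a device's real routing table to confirm that every remote subnet a VPN pool is allowed to reach has a return route pointing at the firewall that terminates the tunnel.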

Excellent, and thanks for rating me.

Harish
