ASA U-turn traffic not working

martino-cisco
Level 1

Hello,

I have a site-to-site VPN between two remote sites which is working as expected. LAN subnets at both sites are allowed for access over the VPN. I would like to be able to access the remote site when connecting remotely via AnyConnect to the local site. And so to achieve this, I have:

- Configured a NAT rule to NAT the AnyConnect range to an unused range when the destination is the subnet of the remote end of the VPN tunnel. This means that in my NAT rule, the source interface is OUTSIDE and the destination interface is also OUTSIDE.

- Configured an access-list to allow the AnyConnect range outbound access

- Enabled 'same-security permit intra-interface' traffic

- Added the unused range I'm NATing to into the crypto maps at both ends of the tunnel and verified the remote end is configured to route traffic for this 'unused' subnet via the VPN tunnel

I'm able to connect successfully to the remote site from the internal LAN on the local end. However, when testing from the AnyConnect range, it fails.

- I see ICMP traffic hit the firewall but it doesn't seem to go any further

- When testing TCP traffic, I just get a SYN timeout from the ASA logs

- It doesn't even seem to get to the stage of traversing the VPN tunnel, as the VPN tunnel doesn't come up even if I leave continuous pings running (I cleared the VPN tunnel to ensure it was down before testing from the AnyConnect range)

- Traceroute fails from the first hop

When I use the packet-tracer utility on ASDM, it shows the flow is allowed, showing the correct NAT translations, the correct policy and confirming it goes over the VPN. But testing from an actual machine, I get nothing.


Any thoughts on what could be blocking this? 


Francesco Molino
VIP Alumni
Hi

Why are you using another network? You can use the same and do a nat exemption.
You've added this new network into your crypto acl, but what about the other end?
Do you have a full tunnel or split tunnel?
If split tunnel, I believe you've added the remote LAN subnet, because you said you have seen packets reaching the ASA.
Do you have any filter acl for anyconnect clients?

Can you share please your config and output of packet-tracer?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
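The setup the question describes (hairpinning AnyConnect users out through the site-to-site tunnel) and the NAT-exemption alternative suggested in the reply above, written out as an ASA configuration. This is an added example, not configuration from the original thread or from either poster; the addresses are constructed (192.0.2.0/24 as the AnyConnect pool, 198.51.100.0/24 as the unused translated range, 10.10.0.0/24 as the local LAN, 10.20.0.0/24 as the remote LAN) and every object, ACL, crypto-map and group-policy name is an assumption.

```cisco
! Constructed addressing for this example (not from the thread):
!   AnyConnect pool          192.0.2.0/24
!   unused translated range  198.51.100.0/24
!   local LAN                10.10.0.0/24
!   remote LAN (far end)     10.20.0.0/24
! Object, ACL, crypto-map and group-policy names are assumptions.

! 1. Allow traffic that arrives on OUTSIDE (AnyConnect) to leave via OUTSIDE (L2L tunnel)
same-security-traffic permit intra-interface

object network AC_POOL
 subnet 192.0.2.0 255.255.255.0
object network AC_POOL_XLATE
 subnet 198.51.100.0 255.255.255.0
object network LOCAL_LAN
 subnet 10.10.0.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.20.0.0 255.255.255.0

! 2a. Variant from the question: translate the pool to the unused range
!     only when the destination is the remote LAN (outside -> outside)
nat (outside,outside) source static AC_POOL AC_POOL_XLATE destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! 2b. Variant from the first reply: keep the real pool address and only exempt
!     it from other NAT (identity NAT). Use 2a or 2b, not both.
! nat (outside,outside) source static AC_POOL AC_POOL destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! 3. Crypto ACL: the source the far end will see (the translated range for 2a,
!    the real pool for 2b) must be a proxy ID here AND mirrored on the remote
!    peer. A missing mirror line on the far end is what broke the thread's setup.
access-list L2L_CRYPTO extended permit ip object LOCAL_LAN object REMOTE_LAN
access-list L2L_CRYPTO extended permit ip object AC_POOL_XLATE object REMOTE_LAN
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO

! 4. Split tunnel: the remote LAN must be pushed to the client, otherwise the
!    client never sends that traffic into the AnyConnect tunnel at all
access-list AC_SPLIT standard permit 10.10.0.0 255.255.255.0
access-list AC_SPLIT standard permit 10.20.0.0 255.255.255.0
group-policy AC_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AC_SPLIT

! 5. Checks: simulate a client flow, inspect the NAT hit, then confirm the SA
!    for the hairpinned subnet pair really builds when live traffic is sent
packet-tracer input outside tcp 192.0.2.10 40000 10.20.0.5 443 detailed
show nat detail
show crypto ipsec sa peer <remote-peer-ip>
```

When packet-tracer reports the flow as allowed but live traffic never brings the tunnel up, the local side has done its part and the mismatch is in the peer's proxy IDs: compare the local/remote ident pairs in `show crypto ipsec sa` with what the far end actually has in its running configuration, not just what was typed.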

Hi Francesco,

Thanks for getting back to me. I have now resolved this. It turned out to be a human issue and not a firewall issue unfortunately. The person configuring the remote end had added the new subnet but did not commit the change (as required with that firewall vendor) and so it was not applied to the running config.


Ok, thanks for letting us know and glad everything works now.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question