2219 Views, 2 Helpful, 24 Replies

Can not get data flow through a RA-VPN

TheGoob (VIP)

Hello

So I followed this guide https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215532-configure-remote-access-vpn-on-ftd-manag.html

And after I set it all up, I have verified via CLI that I am indeed connected [from iPhone] using the

show vpn-sessiondb anyconnect

I connect but I can not ping 8.8.8.8, google.com or any LAN IP. It is like it connects, to nothing.

The only variation I had done was create my own cert, as I have no existing cert to upload, so maybe on the cert I selected an incorrect security or something.. Also, I wanna verify...

Local Address Assignment to AnyConnect = the fake new virtual IP network to connect to, NOT on my existing FTD

and

local network behind the FDM = the existing Network I want my VPN to have access to? or is this also a new virtual ip network?

24 Replies

Alright, I am clearly not getting this. I started from scratch using the video guide.

I get through it all, and like the video, verify I connect but no LAN access, no Internet access. This is fine, he then goes to explain the ACLs. I do as he says, add an ACL for RAVPN to Inside... I apply and then reconnect with my AnyConnect app. I connect, but still no LAN access; can not ping anything local.

I will not even explain the next part [Internet Access] as that does not work either, but I guess I will explain it.

So, I already HAVE A 192.168.5.0/24 [vlan7 (Interface)] that is my LAN. I am using this same LAN network as the FDM "Local" network (or is this an issue?). So like in the video, I make a NAT for [Outbound] and select the Anyconnect_VPN_Pool [10.0.1.0/24] as the Source and apply it to the outside interface and Source 5.0_WAN (which is my Gateway IP) and it errors out "overlapping pool" because I already have a vlan7 NAT to 5.0_WAN.

Honestly, for now, I will deal with the Internet Access/WAN issue later. I wanna do baby steps, being, I want to at least have LAN access which is my initial and most important feature.


UPDATE UPDATE UPDATE

So, I connect and have INTERNET ACCESS [Verified my WAN IP on my iphone is my HOME WAN IP] so the Internet side works, but I have no access LAN side, how strange.

How are you verifying internal LAN access from your iPhone? Keep in mind that when you are connected to the RA VPN your source address is assigned by the firewall from the VPN pool you configured. Make sure the hosts on the inside network accept IP traffic sourced from the subnet of the configured VPN pool.

Regards, LG
*** Please Rate All Helpful Responses ***

Well, I am verifying it by the fact I can not ping any IP address in the LAN. I can not connect to any services either.. So for example my Anyconnect_VPN_Pool is 10.0.1.0/24 and my LAN on the FDM is 192.168.5.0/24, I can not, on iphone, ping anything 192.168.5.0/24. I have a torrent server running 192.168.5.35:8080 and it can not connect to it.

The ACL I made is as such;


TheGoob (VIP)

Got connectivity to LAN, though not sure if it is right. I simply added every vlan to the INSIDE INTERFACES allowed access on the VPN and then every Inside Network to the INSIDE NETWORKS allowed access on the VPN.

Which is fine, as I have 6 Networks I would like to be able to have access to via RA-VPN.

Where did you add every vlan to the INSIDE INTERFACES? In the NAT Exempt section of the configuration? 

Regards, LG

Hey there

Correct, in the NAT exempt. I tried various formats and it will only interconnect if all are added (vlans/interfaces) and networks.


Just around the time you posted that it works I was thinking it might be the case with NAT exempt.

This is needed because of the order in which the firewall processes tasks on packets arriving at or exiting an interface. NAT is done before encryption, so in order to correctly match the traffic that needs encryption, you should not perform NAT on it.

Here are some details about this feature: https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

Regards, LG

Alright so I won’t lie, I read it and though I can see the process I still can’t see how I would have even known about this as an issue. 
As a whole are you saying I should NOT have NAT Exemption or that I do, but being the order of process that I need to add the specific  networks to be done with encryption? 
Trying to read your response and associate it with the link. 
In the config, is NAT exemption putting the listed interfaces before or after encryption, or is it making them exempt from encryption? 


@TheGoob wrote:

Alright so I won’t lie, I read it and though I can see the process I still can’t see how I would have even known about this as an issue. 
As a whole are you saying I should NOT have NAT Exemption or that I do, but being the order of process that I need to add the specific  networks to be done with encryption?

Yes, NAT exempt needs to be configured in order for traffic between your VPN clients and the Inside Networks, that you defined when configuring NAT exempt, to be encrypted correctly.

 
Trying to read your response and associate it with the link. 
In the config, is NAT exemption putting the listed interfaces before or after encryption, or is it making them exempt from encryption? 

NAT exemption means not NAT-ing traffic between your VPN clients (IPs from 10.0.1.0/24) and your internal networks. This way the traffic that needs to be encrypted is correctly identified, marked and encrypted.

Regards, LG
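The two replies above explain the order of operations in words (NAT runs before the crypto lookup, so an identity "NAT exempt" rule has to shield inside-to-VPN-pool traffic from the outbound PAT). The following is an added example, not code from this thread or from Cisco: a small Python model of that pipeline for one reply packet from the LAN host 192.168.5.35 toward a VPN client at 10.0.1.5, using the pool and LAN from the thread. The outside interface address 203.0.113.10 and the rule names are assumptions; the ASA/FTD CLI lines in the comments are the standard twice-NAT equivalents of what FDM generates, shown for orientation only. It also includes a sanity check that the VPN pool does not overlap any inside network, which is a separate precondition and is not claimed to be the cause of the "overlapping pool" error mentioned earlier.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Addresses taken from the thread. The outside interface address is an assumed
# documentation-range value; the poster never states the real WAN IP.
INSIDE_NETS = [ip_network("192.168.5.0/24")]
VPN_POOL = ip_network("10.0.1.0/24")
WAN_IP = ip_address("203.0.113.10")


@dataclass
class NatRule:
    name: str
    src: IPv4Network
    dst: Optional[IPv4Network]            # None = any destination
    translate_to: Optional[IPv4Address]   # None = identity (address unchanged)


def nat_table(nat_exempt: bool) -> List[NatRule]:
    """Ordered NAT table: evaluated top-down, first match wins. That ordering is
    why the identity rule must sit above the dynamic PAT rule."""
    rules: List[NatRule] = []
    if nat_exempt:
        # ASA/FTD equivalent of FDM's "NAT exempt" (twice-NAT identity rule):
        #   nat (inside,outside) source static INSIDE_NET INSIDE_NET
        #       destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
        for net in INSIDE_NETS:
            rules.append(NatRule("NAT exempt", net, VPN_POOL, None))
    # The outbound PAT the poster already had for the LAN (vlan7 -> WAN):
    #   nat (inside,outside) source dynamic INSIDE_NET interface
    for net in INSIDE_NETS:
        rules.append(NatRule("outbound PAT", net, None, WAN_IP))
    return rules


def apply_nat(rules: List[NatRule], src: IPv4Address, dst: IPv4Address):
    """Return (source address after NAT, name of the rule that matched)."""
    for rule in rules:
        if src in rule.src and (rule.dst is None or dst in rule.dst):
            new_src = src if rule.translate_to is None else rule.translate_to
            return new_src, rule.name
    return src, "no NAT rule"


def matches_vpn_selector(src: IPv4Address, dst: IPv4Address) -> bool:
    """Tunnel traffic selector (inside networks <-> VPN pool), evaluated on the
    addresses the packet carries at the moment of the crypto lookup."""
    return dst in VPN_POOL and any(src in net for net in INSIDE_NETS)


def forward(src: str, dst: str, nat_exempt: bool) -> dict:
    """Walk one inside -> VPN-client packet through NAT, then the crypto lookup."""
    s, d = ip_address(src), ip_address(dst)
    nat_src, rule = apply_nat(nat_table(nat_exempt), s, d)
    return {
        "matched_rule": rule,
        "src_after_nat": str(nat_src),
        # Without exemption the PAT rewrote the source to the WAN address, so the
        # packet no longer matches the selector and leaves the outside interface
        # in the clear instead of entering the tunnel.
        "encrypted_into_tunnel": matches_vpn_selector(nat_src, d),
    }


def pool_overlaps_inside(pool: str, inside_nets=INSIDE_NETS) -> List[str]:
    """Precondition worth checking before touching NAT: the VPN pool must be a
    subnet distinct from every inside network."""
    p = ip_network(pool)
    return [str(net) for net in inside_nets if net.overlaps(p)]


if __name__ == "__main__":
    for flag in (False, True):
        print("nat_exempt =", flag, "->", forward("192.168.5.35", "10.0.1.5", flag))
    print("pool overlaps:", pool_overlaps_inside(str(VPN_POOL)))
```

Running it prints the same packet twice: without the exempt rule the source becomes 203.0.113.10 and `encrypted_into_tunnel` is False; with it the source stays 192.168.5.35 and the packet matches the tunnel. Adding the other five VLAN networks to `INSIDE_NETS` reproduces the poster's observation that every inside network has to be listed for the exemption to cover it.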

Crazy. I get it but I don’t. I’ll continue doing some reading and what not see if it clicks in terms of recreating it with purpose instead of stumbling upon the solution.