Cisco ASA 5506 VPN issue

sleepinfire
Level 1

I have an ASA that has a configuration issue. The PROD network behind the ASA has connectivity from the LAN to WAN but when users try to connect from an outside network using the Cisco Secure Mobility Client the connection fails.

 

In the ASDM the connection errors out with:

Routing failed to locate next hop for TCP from Spectrum:67.XXX.XXX.149/49747 to IBS:0.0.0.0/443

4 Replies

Francesco Molino
VIP Alumni
Hi

Hosts you want to reach from vpn are connected to IBS or PC?

The following NAT you have must be placed before the 2 others to make sure the ASA hits this one first:
nat (IBS,Spectrum) source static any any destination static NETWORK_OBJ_10.20.1.0_24 NETWORK_OBJ_10.20.1.0_24 no-proxy-arp route-lookup

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The PROD network is located behind the IBS interface. 

I implemented the command you provided but it did not change the outcome. 

Is the nat placed at the first position?
Can you share the config output to see please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

In addition to verifying that your twice NAT / no NAT statement is first in your NAT list, the issue is with your group-policy configuration. You have not specified a split tunnel policy in your GroupPolicy_SSLVPN configuration and therefore it inherits this configuration from the DfltGrpPolicy where the "nonat" ACL is specified. This ACL is not correctly configured. Split tunnel ACLs should be standard ACLs (not extended ACLs) that specify the destination IPs that should be reachable from the AnyConnect VPN.

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.20.200.0 255.255.255.0
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.0.10 8.8.8.8
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat
 default-domain value xxxxx.xxxxxx
 address-pools value RA_pool
 webvpn
  anyconnect profiles value sslvpn type user
group-policy GroupPolicy_SSLVPN internal
group-policy GroupPolicy_SSLVPN attributes
 wins-server none
 dns-server value 192.168.0.10 8.8.8.8
 vpn-tunnel-protocol ssl-client
 default-domain value xxxxxxx.xxxxxx
 webvpn
  anyconnect profiles value sslvpn type user
  always-on-vpn profile-setting

Your configuration should look something like this (change IPs as needed):

access-list split-tunnel-ACL standard permit 192.168.0.0 255.255.255.0
group-policy GroupPolicy_SSLVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel-ACL

--
Please remember to select a correct answer and rate helpful posts
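As an added example (not code from the thread or from Cisco), here is a small Python linter that applies the three checks raised in the replies above to an ASA running-config fragment: a group-policy with no explicit split-tunnel-policy (so it inherits DfltGrpPolicy), a split-tunnel-network-list that points at an extended ACL instead of a standard one, and a VPN NAT exemption that is not the first manual NAT rule. The sample config is constructed from the lines quoted in the thread plus two hypothetical manual NAT rules; treating "first rule" as the ordering requirement is a simplification of Francesco's advice.

```python
import re

# Constructed sample (not a real device dump): the ACL/group-policy lines quoted
# in the thread plus two hypothetical manual NAT rules, exemption rule second.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.20.1.0 255.255.255.0
nat (IBS,Spectrum) source dynamic any interface
nat (IBS,Spectrum) source static any any destination static NETWORK_OBJ_10.20.1.0_24 NETWORK_OBJ_10.20.1.0_24 no-proxy-arp route-lookup
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat
group-policy GroupPolicy_SSLVPN internal
group-policy GroupPolicy_SSLVPN attributes
 vpn-tunnel-protocol ssl-client
"""

def parse(config):
    """Return (acl_types, group_policies, manual_nat_rules) from ASA config text."""
    acls, gps, nats, current = {}, {}, [], None
    for ln in config.splitlines():
        m = re.match(r"access-list (\S+) (standard|extended) ", ln)
        if m:
            acls.setdefault(m.group(1), set()).add(m.group(2))
        elif ln.startswith("nat "):          # top-level = manual (section 1) NAT
            nats.append(ln)
        elif (m := re.match(r"group-policy (\S+) attributes", ln)):
            current = gps.setdefault(m.group(1), {})
        elif ln.startswith(" ") and current is not None:
            key, _, val = ln.strip().partition(" ")   # e.g. split-tunnel-policy -> tunnelspecified
            current[key] = val
        else:
            current = None                   # any other top-level line ends the block
    return acls, gps, nats

def audit(config):
    """Flag the three misconfigurations discussed in the thread."""
    acls, gps, nats = parse(config)
    findings = []
    for name, attrs in gps.items():
        if "split-tunnel-policy" not in attrs:
            findings.append(f"{name}: no split-tunnel-policy, inherits from DfltGrpPolicy")
        if "split-tunnel-network-list" in attrs:
            acl = attrs["split-tunnel-network-list"].split()[-1]
            if "extended" in acls.get(acl, set()):
                findings.append(f"{name}: split-tunnel ACL '{acl}' is extended, must be standard")
    exempt = [i for i, ln in enumerate(nats) if "no-proxy-arp route-lookup" in ln]
    if exempt and exempt[0] != 0:
        findings.append("VPN NAT exemption is not the first manual NAT rule")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see all three findings; feeding it the corrected group-policy and a standard ACL returns an empty list.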