Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1376
Views
25
Helpful
5
Replies

Trouble communicating between anyconnect clients coming over Split Tunnel ASA 5512 running 9.12

peushohel
Level 1
Level 1

‎06-26-2020 01:31 PM

Hello,

I am looking for suggestion please.   I am trying to set up the ASA so that the remote users connecting using anyconnect client can communicate each other, specifically I am trying to figure out why softphone internal extension to internal extension doesn't work.   I also tested the users can't ping each other.   The users are trying to connect using anyconnect over Splitunneling through ASA 5512 running 9.12.    I tried the nat 0 exemption but looks like nat (outside) 0 access list command is deprecated.

 

nat (outside) 0 access-list AnyConnect-NAT0
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.

below are the nat statements that I currently have

nat (outside,outside) source static AnyConnect_Users AnyConnect_Users destination static AnyConnect_Users AnyConnect_Users no-proxy-arp ro

nat (outside,inside) source static AnyConnect_Users AnyConnect_Users destination static Internal_Nets Internal_Nets no-proxy-arp route-lookup

 

The current acl is allowing the Anyconnect Users in the acl

access-list AnyConnect-Split-Tunnel standard permit 10.1.96.0 255.255.255.255

 

Any suggestion will be greatly appreciated.

Thanks

5 Replies 5

Rob Ingram
VIP
VIP

‎06-26-2020 01:36 PM

Hi,
In addition to the NAT rules, you will need to use the command "same-security-traffic permit intra-interface" in order for the traffic to hairpin and route back out the same interface the traffic entered from.

HTH

peushohel
Level 1
Level 1
In response to Rob Ingram

‎06-26-2020 05:08 PM

Thanks a lot for your response.    I have the below already in place, still not working.

 

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Rob Ingram
VIP
VIP
In response to peushohel

‎06-26-2020 11:14 PM

You mask (255.255.255.255) in your split-tunnel ACL looks incorrect, are you sure your split-tunnel ACL is permitting the AnyConnect routes? Check the "Route Details" tab within AnyConnect once connected to the VPN.

 

Your split-tunnel ACL should look like this.

 

access-list AnyConnect-Split-Tunnel standard permit 10.1.96.0 255.255.255.0

 

peushohel
Level 1
Level 1
In response to Rob Ingram

‎06-27-2020 08:04 AM - edited ‎06-27-2020 08:46 AM

I just checked acl, looks like when I was writing it here I wrote the wrong mask, the config has it as 255.255.255.0

Below is the config...


terminal width 160
hostname Testfw01
domain-name Testclinic.com
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
<--- More ---> xlate per-session deny udp any6 any6 eq domain
no names
no mac-address auto
ip local pool AnyConnect-VPN 10.1.96.1-10.1.96.250 mask 255.255.255.0

!
interface GigabitEthernet0/0
description Internet facing interface
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
description Internal Network facing interface
nameif inside
security-level 100
ip address 10.1.28.170 255.255.255.252
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
<--- More ---> !
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
<--- More ---> no ip address
!

ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
domain-name Testclinic.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0
object network AnyConnect_Users
subnet 10.1.96.0 255.255.255.0
object-group network Internal_Nets
network-object 10.0.0.0 255.0.0.0
network-object 192.10.10.0 255.255.254.0
<--- More ---> network-object 192.10.12.0 255.255.252.0
network-object 192.10.16.0 255.255.254.0
network-object 172.30.1.0 255.255.255.0
network-object 10.1.90.0 255.255.255.0
network-object 10.1.80.0 255.255.255.0
network-object 10.1.21.0 255.255.255.0

access-list inside-in-acl remark Allow all outbound traffic
access-list inside-in-acl extended permit ip any4 any4
access-list inside-in-acl remark Allow all outbound traffic
access-list outside-in-acl remark Deny all inbound traffic (Does not apply to VPN traffic)
access-list outside-in-acl extended deny ip any4 any4
access-list outside-in-acl remark Deny all inbound traffic (Does not apply to VPN traffic)
access-list match-icmp-acl remark Match all ICMP traffic
access-list match-icmp-acl extended permit icmp any4 any4
access-list match-icmp-acl remark Match all ICMP traffic
access-list AnyConnect-Split-Tunnel standard permit host 192.10.10.197
access-list AnyConnect-Split-Tunnel standard permit host 10.13.46.10
access-list AnyConnect-Split-Tunnel standard permit 10.1.20.0 255.255.255.0
access-list AnyConnect-Split-Tunnel standard permit 10.1.28.0 255.255.255.0
access-list AnyConnect-Split-Tunnel standard permit 10.1.30.0 255.255.255.0
access-list AnyConnect-Split-Tunnel standard permit 10.1.31.0 255.255.255.0
access-list AnyConnect-Split-Tunnel standard permit 10.1.102.0 255.255.255.0
access-list AnyConnect-Split-Tunnel standard permit 10.1.35.0 255.255.255.0
access-list AnyConnect-Split-Tunnel standard permit 10.1.96.0 255.255.255.0
access-list RDP extended permit tcp object-group Internal_Nets object-group Internal_Nets eq 3389
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging timestamp
logging list VPN-LIST message 713000-713999
logging list VPN-LIST message 113000-113999
logging list VPN-LIST message 715000-715999
logging buffer-size 100000
logging asdm-buffer-size 512
logging monitor VPN-LIST
logging buffered warnings
logging trap notifications
logging asdm notifications
logging queue 2048
mtu outside 1500
mtu inside 1500
ip audit name info info action alarm
ip audit name attack attack action alarm
ip audit interface outside attack
ip audit interface inside attack
no failover
no failover wait-disable
no monitor-interface service-module
<--- More ---> icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7122.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (outside,inside) source static AnyConnect_Users AnyConnect_Users destination static Internal_Nets Internal_Nets no-proxy-arp route-lookup
nat (outside,outside) source static AnyConnect_Users AnyConnect_Users destination static AnyConnect_Users AnyConnect_Users no-proxy-arp route-lookup
!
object network obj-10.0.0.0
nat (inside,outside) dynamic interface
access-group outside-in-acl in interface outside
access-group inside-in-acl in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.0.0.0 10.1.28.169 1
route inside 10.1.20.0 255.255.255.0 10.1.28.169 1
route inside 10.1.70.0 255.255.255.0 10.1.28.169 1
route inside 172.30.1.0 255.255.255.0 10.1.28.169 1
route inside 192.10.10.0 255.255.255.0 10.1.28.169 1
route inside 192.10.11.0 255.255.255.0 10.1.28.169 1
route inside 192.10.12.0 255.255.255.0 10.1.28.169 1
route inside 192.10.13.0 255.255.255.0 10.1.28.169 1
route inside 192.10.14.0 255.255.255.0 10.1.28.169 1
route inside 192.10.15.0 255.255.255.0 10.1.28.169 1
<--- More ---> route inside 192.10.16.0 255.255.255.0 10.1.28.169 1
route inside 192.10.17.0 255.255.255.0 10.1.28.169 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
ldap attribute-map anyconnectLDAP
map-name memberoOf Group-Policy
map-value memberoOf "CN=Test VPN users,OU=Security Groups,OU=Groups,OU=Test,DC=Test,DC=local" RemoteUsers
aaa-server Test_LDAP protocol ldap
aaa-server Test_LDAP (inside) host 192.10.10.197
ldap-base-dn DC=Test,DC=local
ldap-scope subtree
ldap-naming-attribute samaccountname
ldap-login-password *****
ldap-login-dn CN=VPN LDAP,OU=Service Accounts,OU=Netgain,DC=Test,DC=local
server-type microsoft
ldap-attribute-map anyconnectLDAP
<--- More ---> aaa-server Test_LDAP (inside) host 10.13.46.10
ldap-base-dn DC=Test,DC=local
ldap-scope subtree
ldap-naming-attribute samaccountname
ldap-login-password *****
ldap-login-dn CN=VPN LDAP,OU=Service Accounts,OU=Netgain,DC=Test,DC=local
server-type microsoft
ldap-attribute-map anyconnectLDAP
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication login-history
http server enable

snmp-server location ZZZZZ, MN
<--- More ---> snmp-server contact Test Clinic
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
service resetinbound interface inside
service resetoutside
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map soho-dyno_map 100 set ikev1 transform-set ESP-AES-SHA
crypto map SOHO-map 100 ipsec-isakmp dynamic soho-dyno_map
crypto map SOHO-map interface outside
crypto ca trustpoint Testfw01.Testclinic.com
enrollment self
fqdn none
subject-name
ip-address 10.1.28.170
keypair idcert-kp
crl configure

crl configure

authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh timeout 15
ssh version 2
console timeout 15
management-access inside
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 30
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18
ntp server 131.107.13.100
ntp server 129.6.15.29
ntp server 129.6.15.28
ntp server 64.236.96.53
tftp-server inside 172.30.1.124 Testfw01-confg.txt
ssl server-version tlsv1.1
ssl trust-point ASDM_TrustPoint1 outside
webvpn
enable outside
enable inside
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
anyconnect profiles Test_VPN disk0:/Test_vpn.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
default-domain value Testclinic.com
group-policy GroupPolicy_AnyConnect-VPN internal
group-policy GroupPolicy_AnyConnect-VPN attributes
wins-server none
dns-server value 192.10.10.197 10.13.46.10
vpn-simultaneous-logins 5
vpn-tunnel-protocol ssl-client
group-lock value AnyConnect-VPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AnyConnect-Split-Tunnel
<--- More ---> default-domain value Test.local
vlan none
address-pools value AnyConnect-VPN
ipv6-address-pools none
webvpn
anyconnect profiles value Test_VPN type user
dynamic-access-policy-record DfltAccessPolicy

tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 300 retry 2
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group Test_LDAP
tunnel-group AnyConnect-VPN type remote-access
tunnel-group AnyConnect-VPN general-attributes
address-pool AnyConnect-VPN
authentication-server-group Test_LDAP
default-group-policy GroupPolicy_AnyConnect-VPN
tunnel-group AnyConnect-VPN webvpn-attributes
group-alias AnyConnect-VPN enable
!
class-map RDP
match access-list RDP
<--- More ---> class-map type regex match-any match-im-cm
match regex _default_aim-messenger
match regex _default_yahoo-messenger
match regex _default_GoToMyPC-tunnel
match regex _default_gator
match regex _default_firethru-tunnel_2
match regex _default_firethru-tunnel_1
match regex _default_msn-messenger
match regex _default_x-kazaa-network
match regex _default_GoToMyPC-tunnel_2
match regex _default_icy-metadata
match regex _default_gnu-http-tunnel_uri
match regex _default_httport-tunnel
match regex _default_windows-media-player-tunnel
match regex _default_gnu-http-tunnel_arg
match regex _default_http-tunnel
match regex _default_shoutcast-tunneling-protocol
class-map inspection_default
match default-inspection-traffic
class-map match-icmp-cm
description Classify ICMP Traffic
match access-list match-icmp-acl
!
!
<--- More ---> policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
no tcp-inspection
policy-map type inspect im log-im-pm
parameters
match service chat conference file-transfer games voice-chat webcam
log
match protocol msn-im yahoo-im
log
match version regex class match-im-cm
log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
<--- More ---> inspect netbios
inspect tftp
inspect http
inspect im log-im-pm
inspect ipsec-pass-thru
inspect pptp
inspect snmp
class match-icmp-cm
police input 90000 1000
class RDP
set connection timeout idle 8:00:00
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile test4me-1
no active
destination address http https://tools.cisco.
com/its/service/oddce/services/DDCEService
destination address email destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
Testfw01#

Rob Ingram
VIP
VIP
In response to peushohel

‎06-27-2020 08:16 AM

Are there any hits on the NAT rule? Provide the output of "show nat detail"
Run packet-tracer from the CLI and provide the output for review.
Do you have any ACLs or a VPN filter configured?
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card