02-01-2017 09:04 AM - edited 03-05-2019 07:57 AM
Hello,
We have a "hub and spokes" configuration made with 4 routers Cisco 800.
Each spoke router uses "crypto map staticmap" to connect to the hub router.
The "hub and spokes" config works perfectly. Each user at each branch can ping any pc in other branches. -> OK
The "hub router" is also a webvpn gateway. Mobile users use AnyConnect 4.4 to connect to the webvpn gateway and they can ping any PC in the branch hosting the "hub router". -> OK
These mobile users can NOT ping routers and computers in the spokes sites -> Not OK.
Previously, this traffic was working without any problem. In the interval we have done these upgrades
We do not know if one of these upgrades is the reason for this change.
I put here the relevant parts of the hub router config:
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip access-group 121 out
ip nat inside
ip virtual-reassembly in
!
interface Virtual-Template1
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly in
!
ip local pool vpnpool 192.168.20.4 192.168.20.20
access-list 51 remark ----------------------------------------
access-list 51 remark Split-include WebVPN
access-list 51 permit 192.168.4.0 0.0.0.255 = spoke
access-list 51 permit 192.168.20.0 0.0.0.255 = mobile user
access-list 51 permit 192.168.32.0 0.0.0.255 = spoke
access-list 51 permit 192.168.3.0 0.0.0.255 = spoke
access-list 51 permit 192.168.2.0 0.0.0.255 = spoke
webvpn context SSL
virtual-template 1
aaa authentication list VPN
gateway SSL1
!
ssl authenticate verify all
inservice
!
policy group default
functions svc-enabled
filter tunnel webvpn-acl
svc address-pool "vpnpool" netmask 255.255.255.0
svc keep-client-installed
svc rekey method new-tunnel
svc split include acl 51
svc dns-server primary 192.168.2.110
svc dns-server secondary 192.168.32.110
default-group-policy default
!
end
Thanks in advance for any help.
Best regards,
Guy
02-01-2017 05:51 PM
Is 192.168.20.0/24 included in the crypto domain going to each site?
Rather than old school static crypto maps between the sites, have you considered using VTI Tunnels or DMVPN. These are often easier to integrate (that means there are less problems) with user to site VPN users.
02-02-2017 12:31 PM
Thank you for your help.
Yes, in remote branches, 192.168.20.0/24 is not natted and correctly set in the ACL referenced in the static map.
I've observed this: if someone in a remote branch pings the IP of the mobile AnyConnect user
- the first ping succeeds 80% of the time
- the following pings succeed with 100%
- the mobile AnyConnect user can ping the branch -> OK
Before this ping, "show ip route" does not show any route to the mobile AnyConnect user. After this ping, the route is shown.
Does this reveal a problem with the reverse route?
IP routing is enabled on each router and "reverse-route" is present in the static/dynamic maps.
Thanks for continuing to help.
Kind regards,
Guy
02-02-2017 01:41 PM
Hello,
According to the document I linked earlier, your split include access list should look like this:
access-list 51 remark ----------------------------------------
access-list 51 remark Split-include WebVPN
access-list 51 permit 192.168.4.0 0.0.0.255 = spoke
access-list 51 permit 192.168.20.0 0.0.0.255 = mobile user
access-list 51 deny 0.0.0.0 0.0.0.0
access-list 51 permit 192.168.32.0 0.0.0.255 = spoke
access-list 51 permit 192.168.3.0 0.0.0.255 = spoke
Also:
Enable Local LAN Access in the AnyConnect profile (in the Preferences Part 1 menu of the profile editor). You also have the option to make it user controllable.
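The two split-include lists in this thread differ only by ordering and by one deny line, so a quick way to see what each one actually permits is to evaluate them the way IOS evaluates a standard access list: top-down, first match wins, implicit deny at the end. The Python below is an added example written for this page, not code from the thread or from Cisco. It parses the posted ACL and the suggested one (with the "= spoke" annotations stripped, since they are not IOS syntax), reports which spoke networks each list fully permits, and flags entries that can never match because an earlier entry already covers them. It assumes only standard-ACL wildcard semantics; the thread does not say how the IOS SSL VPN gateway translates deny entries into pushed split-include routes, so treat the "covers" result as a check of the list's own logic. Note that `deny 0.0.0.0 0.0.0.0` has a wildcard of all zeros, which in IOS matches only the single address 0.0.0.0; a constructed third variant with `deny 0.0.0.0 255.255.255.255` (a real "deny any") is included to show how that would shadow everything after it.

```python
"""Added example (not from the thread): evaluate IOS standard ACLs with
wildcard masks under top-down, first-match semantics and report whether
each spoke network is fully permitted by a split-include ACL."""
import ipaddress

# Constructed copies of the ACLs quoted in the thread, with the inline
# "= spoke" annotations removed (they are not IOS syntax).
POSTED_ACL = """
access-list 51 remark Split-include WebVPN
access-list 51 permit 192.168.4.0 0.0.0.255
access-list 51 permit 192.168.20.0 0.0.0.255
access-list 51 permit 192.168.32.0 0.0.0.255
access-list 51 permit 192.168.3.0 0.0.0.255
access-list 51 permit 192.168.2.0 0.0.0.255
"""

SUGGESTED_ACL = """
access-list 51 permit 192.168.4.0 0.0.0.255
access-list 51 permit 192.168.20.0 0.0.0.255
access-list 51 deny 0.0.0.0 0.0.0.0
access-list 51 permit 192.168.32.0 0.0.0.255
access-list 51 permit 192.168.3.0 0.0.0.255
"""

# Constructed variant: the suggested list with a genuine "deny any" instead.
DENY_ANY_ACL = SUGGESTED_ACL.replace("deny 0.0.0.0 0.0.0.0",
                                     "deny 0.0.0.0 255.255.255.255")

# Spoke networks named in the thread (192.168.20.0/24 is the mobile pool).
SPOKES = ["192.168.4.0/24", "192.168.32.0/24", "192.168.3.0/24", "192.168.2.0/24"]


def wildcard_to_network(address, wildcard):
    """Convert an IOS address/wildcard pair to an IPv4Network.

    In a wildcard mask a 0 bit must match and a 1 bit is don't-care, so
    '192.168.4.0 0.0.0.255' is 192.168.4.0/24 and '0.0.0.0 0.0.0.0' is the
    single host 0.0.0.0/32. Non-contiguous wildcards are rejected here.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = ~wc & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.IPv4Network((address, prefix), strict=False)


def parse_standard_acl(text):
    """Return [(action, network), ...] in configured order; remarks are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, operand = tokens[2], tokens[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        if operand[0] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif operand[0] == "host":
            net = ipaddress.IPv4Network(f"{operand[1]}/32")
        elif len(operand) == 1:          # IOS default wildcard is 0.0.0.0
            net = ipaddress.IPv4Network(f"{operand[0]}/32")
        else:
            net = wildcard_to_network(operand[0], operand[1])
        entries.append((action, net))
    return entries


def first_match(entries, address):
    """IOS checks a standard ACL top-down and stops at the first match;
    an address matching nothing hits the implicit deny at the end."""
    addr = ipaddress.IPv4Address(address)
    for index, (action, net) in enumerate(entries):
        if addr in net:
            return action, index
    return "deny", None


def shadowed_entries(entries):
    """Indexes of entries that can never be the first match because an
    earlier entry already covers their whole network."""
    return [i for i, (_, net) in enumerate(entries)
            if any(net.subnet_of(entries[j][1]) for j in range(i))]


def covers(entries, network):
    """True if every address in `network` is permitted by one entry and
    no earlier entry overlaps it (so no part of it is denied first)."""
    net = ipaddress.IPv4Network(network)
    action, index = first_match(entries, net.network_address)
    if action != "permit" or not net.subnet_of(entries[index][1]):
        return False
    return not any(net.overlaps(entries[j][1]) for j in range(index))


def uncovered_spokes(acl_text, spokes=SPOKES):
    """Spoke networks the given split-include ACL would not fully permit."""
    entries = parse_standard_acl(acl_text)
    return [s for s in spokes if not covers(entries, s)]


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("suggested", SUGGESTED_ACL),
                      ("deny-any variant", DENY_ANY_ACL)):
        entries = parse_standard_acl(acl)
        print(f"{name}: shadowed entries {shadowed_entries(entries)}, "
              f"uncovered spokes {uncovered_spokes(acl)}")
```

Run as-is, the posted list permits all four spoke networks with nothing shadowed; the suggested list as written shadows nothing (its deny line matches only 0.0.0.0) but leaves 192.168.2.0/24, the network holding the primary DNS server in the posted policy group, off the list; the constructed deny-any variant shadows every entry after the deny, so the last two spokes would never be permitted under first-match evaluation.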
02-03-2017 05:22 AM
Thank you for the help.
Unfortunately these 2 changes do not solve the problem.
Kind regards,
Guy
02-02-2017 12:14 AM
Hello,
With AnyConnect version 4.4, the split include tunnel behavior has changed:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/release/notes/b_Release_Notes_AnyConnect_4_4.html#id_37865