Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1060
Views
10
Helpful
7
Replies

BGP Routing and VPN Access

DStringfield
Level 1
Level 1

‎06-04-2021 01:22 AM - edited ‎06-04-2021 01:23 AM

I am trying to configure BGP based routing between two sites using two ASA 5506Xs. Routing between most of the sites works fine. The one exception is the VPN networks. The subnets are configured using the Client Address Pool setting in the AnyConnect Connection Profile settings. 

Traditionally when these sites were connected via VPN Tunneling, including the VPN subnets in the source and target networks for the tunnel was sufficient.

When using BGP routing, this is not sufficient. I have tried sharing the VPN subnets as part of the BGP routing. This enabled only one way traffic: The remote non-VPN networks could route to the VPN subnets, but the VPN subnets could not route to the remote non-VPN. The end result was that users who access the VPN could route to local networks (one's specific to that site/VPN) but not the networks on the other end of the VPN. 

I believe part of the problem is that when a VPN connection is made, a /32 route is added to the routing table on the ASA that handles routing for that individual address. But I'm not sure how to resolve this while preserving the otherwise functional VPN config.

Thanks

David

Labels:
7 Replies 7

balaji.bandi
Hall of Fame
Hall of Fame

‎06-04-2021 04:18 AM

To have more clarity are you running BGP peer between site to site VPN ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to balaji.bandi

‎06-04-2021 05:59 AM

David

 

Clearly part of what you are describing is Remote Access VPN which allows a client PC to connect to the ASA and to access resources that are local to the ASA. It also sounds like you have a site to site vpn between the ASAs. Is that the case?

 

It would help us if we knew more about the AnyConnect vpn. In particular is AnyConnect set up for split tunnel where traffic from the PC for resources in Internet go directly to ISP and traffic for resources on ASA go through the vpn or is it set up for full tunnel where all traffic from PC goes through the vpn?

HTH

Rick
0 Helpful

DStringfield
Level 1
Level 1

‎06-11-2021 06:59 PM

Hi guys,

Yes there are currently VPN Site-to-Site tunnels which are in place to handle inter-office routing. The aim is to replace these with BGP based routing.

In terms of the Remote Access VPN, we have both Split and Full Tunnel setups (the user chooses at startup).

Thanks,

Daid

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to DStringfield

‎06-11-2021 09:56 PM

David

I am still not clear about your issue. What I think I understand is that you have 2 sites (perhaps siteA and siteB). SiteA and SiteB have site to site vpn which is working and provides connectivity for subnets at each site to reach the other site. One of the sites also has remote access vpn using AnyConnect. Am I correct in understanding that you want to discontinue the site to site vpn and instead just route traffic between sites using BP?

Am I correct in understanding that the BGP routing is working for traffic between connected subnets at both sites (any host in a subnet of siteA can access resources in subnets of siteB, and any host in a subnet of siteB can access resources in subnets of siteA) but is not working for clients using AnyConnect?

If that understanding is correct then my first guess about the issue is about address translation. You probably have a static translation (perhaps sometimes referred to as nat exemption) so that AnyConnect traffic is not translated between sites. If you remove that static translation does the behavior change?

HTH

Rick

DStringfield
Level 1
Level 1
In response to Richard Burts

‎06-14-2021 06:05 PM

Hi Rick,

No you've actually understood my issue perfectly, and you're correct that we have NAT extemptions for the AnyConnect traffic. I will remove that NAT rule and give it another go, fingers crossed that will be the solution. Thanks for getting back to me!

 

David

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to DStringfield

‎06-14-2021 11:06 PM

David

Thanks for confirming my understanding. Please do let us know the results of the change.

HTH

Rick
0 Helpful

Georg Pauwen
VIP
VIP
In response to DStringfield

‎06-14-2021 11:27 PM

Hello,

 

just in case there are still issues, post the full running comfigs of both ASAs. In addition to the NAT exemption mentioned by Richard, the AnyConnect IP address range needs (obviously) also be added to the ACL for the encrypted traffic...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card