01-16-2019 11:52 PM - edited 01-17-2019 12:15 AM
Dear fellow Networkers,
as in the attached photo.
The situation is:
1. The server VLAN and the local user VLAN can access the AWS cloud network.
2. Remote users using AnyConnect (session terminated on the Cisco ASA) can access the network and reach both the server and local user VLANs, BUT they can NOT reach the AWS cloud.
What can I do so that they are also able to reach the AWS cloud network?
01-17-2019 12:39 AM
Hello,
the ASA needs certain settings in order for the AnyConnect clients to be able to connect to AWS. Can you post the configuration of your ASA?
01-17-2019 07:35 AM
There are several things that could produce symptoms like you describe. Two of the most common are an issue frequently referred to as hairpinning, or an issue with how the site-to-site VPN was set up.

Hairpinning is when a data packet comes in one interface of the ASA and needs to be forwarded back out the same interface. By default the ASA does not allow this, and if you want this to work you must specifically enable same security level on the ASA.

The other possible issue is that in setting up the site-to-site VPN there is usually an access list that identifies the traffic that can be sent over the VPN. It is possible that the pool of addresses used for AnyConnect is not included in that access list.

As Georg suggests, the best thing would be for you to post the config of the ASA.
HTH
Rick
01-17-2019 11:31 PM
[ASA configuration posted as a picture; not reproduced in text]
01-18-2019 01:50 AM - edited 01-18-2019 01:59 AM
Hello,
which tunnel group belongs to AWS? What is the AWS endpoint? You are using non-descriptive names, so it is very hard to figure out what belongs to what. Can you highlight the access lists, NAT exemptions (if applicable), group policy and tunnel group that belong to AWS?
01-18-2019 03:45 AM
Hello,
looking at your picture again, it looks like you have the tunnel to AWS configured on your Forcepoint, so that is most likely where the problem is. Can your remote VPN users ping the Forcepoint? What routing do you have configured between the Forcepoint and the ASA?
01-18-2019 07:43 AM
I agree with Georg that we need better identification of where we need to focus. But there are a couple of things I notice that may point us in the right direction. I see that the crypto map that is applied to the outside interface is outside2_map, and this crypto map does not have any site-to-site VPN entries. So I believe that Georg is right about the VPN not being configured on the ASA. If we believe that it is an issue with how the VPN is configured, then we need to see the config where it is defined.

Also I notice that there is not any configuration for same-security-traffic. I am pretty sure that you need this for AnyConnect users to be able to access the site-to-site VPN. Here is a link to documentation about this command:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html
HTH
Rick
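The two causes Rick describes above (hairpinning, and an AnyConnect pool missing from the site-to-site crypto ACL), plus the same-security-traffic point in his second post, put together as an added ASA 9.x configuration fragment. This is not configuration from the thread or from Cisco documentation; every name and address in it is an assumption chosen for illustration (the crypto map name outside2_map is the only identifier taken from the thread):

```cisco
! Added example, not from the original post. Assumed addressing:
!   10.10.0.0/16      server and local user VLANs behind "inside"
!   192.168.200.0/24  AnyConnect address pool
!   172.31.0.0/16     AWS VPC reached over the site-to-site tunnel
!   203.0.113.10      AWS VPN endpoint (peer)

! 1. Hairpinning: AnyConnect traffic arrives on "outside" and must leave
!    on "outside" again to enter the site-to-site tunnel. The ASA drops
!    this by default; intra-interface permits it.
same-security-traffic permit intra-interface

object network LOCAL_LANS
 subnet 10.10.0.0 255.255.0.0
object network AC_POOL
 subnet 192.168.200.0 255.255.255.0
object network AWS_VPC
 subnet 172.31.0.0 255.255.0.0

ip local pool AC_ADDR_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0

! 2. Crypto ACL: the AnyConnect pool must be an interesting-traffic source,
!    otherwise pool -> AWS packets are routed out in the clear (and dropped)
!    instead of being encrypted. The AWS side needs the mirror image.
access-list AWS_CRYPTO extended permit ip object LOCAL_LANS object AWS_VPC
access-list AWS_CRYPTO extended permit ip object AC_POOL object AWS_VPC

crypto map outside2_map 10 match address AWS_CRYPTO
crypto map outside2_map 10 set peer 203.0.113.10
! (IKE version, transform set / IPsec proposal and the tunnel-group for
!  203.0.113.10 are assumed to exist already and are left unchanged)

! NAT exemption so pool -> AWS keeps its real addresses. It is
! (outside,outside) because both the AnyConnect session and the
! site-to-site tunnel terminate on "outside".
nat (outside,outside) source static AC_POOL AC_POOL destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup
nat (inside,outside) source static LOCAL_LANS LOCAL_LANS destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup

! Split tunnel: the AWS prefix must be in the AnyConnect split list,
! or the client never sends that traffic into the VPN at all.
access-list AC_SPLIT standard permit 10.10.0.0 255.255.0.0
access-list AC_SPLIT standard permit 172.31.0.0 255.255.0.0
group-policy AC_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AC_SPLIT
```

To check which of the two causes applies, run `packet-tracer input outside icmp 192.168.200.5 8 0 172.31.1.10` (assumed pool and VPC addresses): a drop in the NAT or VPN-encrypt phase points at the exemption or crypto ACL, while `show crypto ipsec sa peer 203.0.113.10` shows whether a child SA for 192.168.200.0/24 <-> 172.31.0.0/16 was ever negotiated and whether its encaps counter moves. If, as Georg suspects, the tunnel actually lives on the Forcepoint rather than the ASA, the crypto ACL and its return route for the pool belong on the Forcepoint instead; on the ASA the pieces then reduce to a `route inside 172.31.0.0 255.255.0.0 <forcepoint-ip>` (assumed next hop) and an (outside,inside) rather than (outside,outside) NAT exemption, and `same-security-traffic permit intra-interface` is no longer needed for that path.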
01-22-2019 06:46 AM - edited 01-22-2019 07:25 AM
[the same picture posted several times; not reproduced in text]
01-22-2019 07:15 AM
Multiple copies of the same picture, as far as I can tell, are not particularly helpful. I have made a suggestion about configuring same security level on the ASA. Have you done anything about that?
Georg and I have both made the point that the VPN appears to be configured not on the ASA. If we believe that it may be an issue with the VPN, then we need some information from the device where the VPN is configured.
HTH
Rick
01-22-2019 07:29 AM
01-22-2019 07:35 AM
My suggestion is to first configure same-security-traffic and see if the behavior changes. If there is still a problem, then you need to supply information about how the VPN is configured on the Forcepoint.
HTH
Rick
01-22-2019 02:59 PM
Hello Rick and community,
I am trying to set up AnyConnect through the VPN wizard in the GUI, but it asks me to upload a client image.
Where can I download the image? Can I have the link please, or is there any way to avoid that?
Thank you.
Regards,
Star