How can I use AnyConnect to home office then also go thought the Site to Site VPN

I have a home office where a user is on the IP network 10.4.4.0/24. This user accesses private IPs at a remote site over a Site to Site VPN.

Now for the issue:

A user at home connected to the home office via AnyConnect on an IP address in 10.4.4.0/24 cannot access any of the IP addresses at the remote site.

The home office VPN is on the ASA and Site 2's VPN endpoint is on an IOS device. I tried to use packet capture on the ASA but nothing shows up on the exit interface; I do see why it would not show up, because it is tunneled. How can I monitor traffic going through the VPN? I put an ACL on two different interfaces: one interface is the one that has the crypto map on it, the other interface leads to the core device. I do not see any packets with a source or destination IP that I am trying to reach. What is happening?

I need the AnyConnect users to be able to connect to the home office but also access our other sites' IPs.

Please be detailed so I can learn from this.

Hi,
It looks like the only command you are missing is "same-security-traffic permit intra-interface" which will permit traffic to enter and exit via the same interface (FiOS).

HTH

Thanks for the reply. I added the command <same-security-traffic permit intra-interface>. It's still not working. If I trace to an internal IP at the remote site, the first IP I see is the outside interface. This makes me think it's not going through the Site to Site VPN.

Could there be an issue with the order of operations? I.e. the AnyConnect user is not hitting the crypto map for the VPN?

Thanks


Run packet-tracer and provide the output. E.g. "packet-tracer input Fios icmp 10.4.4.x 8 0 REMOTE-IP"
What is the output of "show crypto ipsec sa"? Does it have an active IPsec SA for the RAVPN pool network 10.4.4.x?
Did you amend the remote firewall to include the 10.4.4.x network in the crypto ACL?

> Run packet-tracer and provide the output. E.g. "packet-tracer input Fios icmp 10.4.4.x 8 0 REMOTE-IP"

Result of the command: "packet-tracer input Comcast icmp 10.4.4.60 8 0 8 172.21.1.1"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 96.X.X.214 using egress ifc Comcast

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,Comcast) source dynamic Internal interface
Additional Information:
Dynamic translate 10.4.4.60/8 to X.X.X.210/8

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,Comcast) source dynamic Internal interface
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 188619647, packet dispatched to next module

Phase: 13
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 96.X.X.214 using egress ifc Comcast

Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 82b2.341c.c1f2 hits 2978 reference 1295

Result:
input-interface: Comcast
input-status: up
input-line-status: up
output-interface: Comcast
output-status: up
output-line-status: up
Action: allow


Result of the command: "show crypto ipsec sa"

interface: Comcast
Crypto map tag: Comcast_map, seq num: 1, local addr: X.X.X.210

access-list Comcast_cryptomap extended permit ip 10.4.4.0 255.255.255.0 68.X.X.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (68.X.X.0/255.255.255.0/0/0)
current_peer: 68.X.X.1


#pkts encaps: 38681, #pkts encrypt: 38682, #pkts digest: 38682
#pkts decaps: 38423, #pkts decrypt: 38423, #pkts verify: 38423
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 38681, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 2, #pre-frag failures: 1, #fragments created: 4
#PMTUs sent: 1, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: X.X.X.210/0, remote crypto endpt.: 68.X.X.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: EA0A246D
current inbound spi : 57AA85E5

inbound esp sas:
spi: 0x57AA85E5 (1470793189)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1149, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4373979/1354)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x0000003F 0xFFFFFFFF
outbound esp sas:
spi: 0xEA0A246D (3926533229)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1149, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4373982/1354)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: Comcast_map, seq num: 1, local addr: X.X.X.210

access-list Comcast_cryptomap extended permit ip 10.4.4.0 255.255.255.0 172.21.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.2.0/255.255.255.0/0/0)
current_peer: 68.X.X.1


#pkts encaps: 3881485, #pkts encrypt: 3881485, #pkts digest: 3881485
#pkts decaps: 2433312, #pkts decrypt: 2433312, #pkts verify: 2433312
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3881485, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: X.X.X.210/0, remote crypto endpt.: 68.X.X.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0D13A20E
current inbound spi : 93330341

inbound esp sas:
spi: 0x93330341 (2469593921)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1149, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4370760/1286)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x0D13A20E (219390478)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1149, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4372653/1286)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: Comcast_map, seq num: 2, local addr: X.X.X.210

access-list Comcast_cryptomap_2 extended permit ip 10.4.4.0 255.255.255.0 172.21.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.1.0/255.255.255.0/0/0)
current_peer: X.X.X.X.57


#pkts encaps: 11548900, #pkts encrypt: 11548909, #pkts digest: 11548909
#pkts decaps: 16682529, #pkts decrypt: 16682529, #pkts verify: 16682529
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 11548900, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 9, #pre-frag failures: 0, #fragments created: 18
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: X.X.X.210/0, remote crypto endpt.: X.X.X.X.57/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C5F23553
current inbound spi : 03AA2719

inbound esp sas:
spi: 0x03AA2719 (61482777)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1134, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4063898/6330)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC5F23553 (3320984915)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1134, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4270796/6330)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Hello,

It looks like you are missing the NAT exemption. Try and add the below to your configuration:

nat (any,FiOS) source static any any destination static NETWORK_OBJ_10.4.4.0_24 NETWORK_OBJ_10.4.4.0_24 no-proxy-arp route-lookup


I should have mentioned that I am now using the Comcast interface. I added the NAT statement just like you requested but using the Comcast interface.

Result is the same. All data going through the AnyConnect VPN is exiting out of the Comcast interface and not the tunnel :(

Any more ideas?


I have made a lot of changes from the original post.  Here is the latest Config.  I really appreciate the help!


NAT exemption rule - duplicate for other destination networks (the VPN sites):

nat (Comcast,Comcast) source static NETWORK_OBJ_10.4.4.192_26 NETWORK_OBJ_10.4.4.192_26 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp

Amend your existing default NAT rule and move it to the end, to ensure this rule is not unintentionally matched.

object network Kit
no nat (any,Comcast) dynamic interface
nat (any,Comcast) after-auto dynamic interface

HTH


Hello,

I think the current NAT exemption uses the wrong object (network mask of /26), while the actual real subnet has a /24 mask. Get rid of:

nat (NYC_Internal,Comcast) source static any any destination static NETWORK_OBJ_10.4.4.192_26 NETWORK_OBJ_10.4.4.192_26 no-proxy-arp route-lookup

and use:

nat (NYC_Internal,Comcast) source static any any destination static NETWORK_OBJ_10.4.4.0_24 NETWORK_OBJ_10.4.4.0_24 no-proxy-arp route-lookup


AnyConnect traffic will be sourced from the outside interface (Comcast), not the inside interface (NYC_Internal).

Good point. I originally used the 'any' as source. I wonder if the below then works...

nat (any,Comcast) source static any any destination static NETWORK_OBJ_10.4.4.0_24 NETWORK_OBJ_10.4.4.0_24 no-proxy-arp route-lookup


Thanks for everyone's help. I had to move the nat (any,Comcast)....... to the top. A different NAT was catching it.
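As an added illustration (not part of the thread, and not Cisco's code) of why the rule order and the /26 vs /24 object mattered in the posts above, here is a Python model of the ASA's first-match NAT lookup across its three sections, run against the client and remote host from the packet-tracer output; the contents of the "Internal" object and the short rule names are assumptions.

```python
# Added example (not from the thread): a small model of how the ASA walks its
# NAT table, so the ordering problem discussed above can be reproduced offline.
# Section 1 (manual/twice NAT) is matched top-down in configured order, then
# section 2 (object NAT), then section 3 (after-auto); the first match wins,
# and static (identity) rules also match the reverse flow. The contents of the
# "Internal" object are not on the page; 10.0.0.0/8 is an assumed stand-in.
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    name: str
    section: int    # 1 = manual, 2 = object (auto), 3 = after-auto
    src: str        # "any" or a CIDR
    dst: str        # "any" or a CIDR
    static: bool    # static rules are bidirectional; dynamic PAT is not


def _member(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def _matches(rule, src, dst):
    if _member(rule.src, src) and _member(rule.dst, dst):
        return True
    # "source static any any destination static POOL POOL" also covers POOL -> any
    return rule.static and _member(rule.dst, src) and _member(rule.src, dst)


def first_match(rules, src, dst):
    """Name of the rule the ASA applies: section order, then config order."""
    for rule in sorted(rules, key=lambda r: r.section):  # stable sort keeps config order
        if _matches(rule, src, dst):
            return rule.name
    return None


# The rules from the thread, with constructed short names.
PAT = NatRule("dynamic PAT to interface", 1, "10.0.0.0/8", "any", False)
PAT_AFTER_AUTO = NatRule("after-auto dynamic PAT", 3, "10.0.0.0/8", "any", False)
EXEMPT_26 = NatRule("exempt 10.4.4.192/26", 1, "any", "10.4.4.192/26", True)
EXEMPT_24 = NatRule("exempt 10.4.4.0/24", 1, "any", "10.4.4.0/24", True)


def scenarios(src="10.4.4.60", dst="172.21.1.1"):
    """AnyConnect client to the remote-site host from the packet-tracer run."""
    return {
        "pat_first": first_match([PAT, EXEMPT_24], src, dst),       # PAT wins: sent in the clear
        "wrong_mask": first_match([EXEMPT_26, PAT], src, dst),      # /26 does not cover .60
        "exempt_first": first_match([EXEMPT_24, PAT], src, dst),    # the OP's final fix
        "after_auto": first_match([PAT_AFTER_AUTO, EXEMPT_24], src, dst),  # PAT in section 3
    }
```

Only the last two scenarios leave the client address untranslated, which is what the crypto ACL (10.4.4.0/24 to 172.21.1.0/24) needs in order to match.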

Hello,

Can you post the final, working config for reference?