Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1473
Views
35
Helpful
13
Replies

How can I use AnyConnect to home office then also go thought the Site to Site VPN

Wan_Whisperer
Level 1
Level 1

‎07-09-2020 01:44 PM

I have a home office where a user on IP address 10.4.4.0/24.  This user accesses private IPs at a remote site over a Site to Site VPN. 

 

now for the issue:

 

A user at home connected to the home office Via AnyConnect on an IP address of 10.4.4.0/24 can not access any of the IP addresses at the remote site.

 

The home office VPN is on the ASA and Site 2's VPN endpoint is on an IOS device.  I tried to use packet capture on the ASA but nothing shows up on the exit interface, I do see why it would not show up because it tunneled.   How can monitor traffic going through the VPN?    I put an ACL on two different interfaces; one interface is the one that has the crypto map on it the other interface leads to the core device.  I do not see any packets with a source or destination IP that I am trying to reach.  What is happening?

 

I need the AnyConnect users to be able to connect to the home office but also access our other sites IPs.

 

 

Please be detailed so I can learn from this.

Labels:
Preview file
25 KB
0 Helpful
13 Replies 13

Rob Ingram
VIP
VIP

‎07-09-2020 02:09 PM

Hi,
It looks like the only command you are missing is "same-security-traffic permit intra-interface" which will permit traffic to enter and exit via the same interface (FiOS).

HTH

Wan_Whisperer
Level 1
Level 1
In response to Rob Ingram

‎07-09-2020 02:36 PM

Thanks for the replay.  I added the command < same-security-traffic permit intra-interface >  Its still not working.  If I trace to an internal IP at the remote site the first IP I see is the outside interface.  This makes me think its not going through the Site to Site VPN.

 

Could there be an issue with the order of operation?   ie....the AnyConnect user is not hitting the Crypto map for the VPN?

 

 

Thanks

0 Helpful

Rob Ingram
VIP
VIP
In response to Wan_Whisperer

‎07-09-2020 02:44 PM

Run packet-tracer and provide the output. E.g - "packet-tracer input Fios icmp 10.4.4.x 8 0 REMOTE-IP"
What is the output of "show crypto ipsec sa" does it have an active IPSec SA for the RAVPN Pool network 10.4.4.x?
Did you amend the remote firewall to include the 10.4.4.x network in the crypto ACL?

Wan_Whisperer
Level 1
Level 1
In response to Rob Ingram

‎07-09-2020 03:18 PM

Run packet-tracer and provide the output. E.g - "packet-tracer input Fios icmp 10.4.4.x 8 0 REMOTE-IP"

Result of the command: "packet-tracer input Comcast icmp 10.4.4.60 8 0 8 172.21.1.1"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 96.X.X.214 using egress ifc Comcast

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,Comcast) source dynamic Internal interface
Additional Information:
Dynamic translate 10.4.4.60/8 to X.X.X.210/8

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,Comcast) source dynamic Internal interface
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 188619647, packet dispatched to next module

Phase: 13
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 96.X.X.214 using egress ifc Comcast

Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 82b2.341c.c1f2 hits 2978 reference 1295

Result:
input-interface: Comcast
input-status: up
input-line-status: up
output-interface: Comcast
output-status: up
output-line-status: up
Action: allow


--------------------------------------------------------------------------------------

 


Result of the command: "packet-tracer input Comcast icmp 10.4.4.60 8 0 8 172.21.1.1"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 96.X.X.214 using egress ifc Comcast

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,Comcast) source dynamic Internal interface
Additional Information:
Dynamic translate 10.4.4.60/8 to X.X.X.210/8

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,Comcast) source dynamic Internal interface
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 188619647, packet dispatched to next module

Phase: 13
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 96.X.X.214 using egress ifc Comcast

Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 82b2.341c.c1f2 hits 2978 reference 1295

Result:
input-interface: Comcast
input-status: up
input-line-status: up
output-interface: Comcast
output-status: up
output-line-status: up
Action: allow

 


Result of the command: "show crypto ipsec sa"

interface: Comcast
Crypto map tag: Comcast_map, seq num: 1, local addr: X.X.X.210

access-list Comcast_cryptomap extended permit ip 10.4.4.0 255.255.255.0 68.X.X.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (68.X.X.0/255.255.255.0/0/0)
current_peer: 68.X.X.1


#pkts encaps: 38681, #pkts encrypt: 38682, #pkts digest: 38682
#pkts decaps: 38423, #pkts decrypt: 38423, #pkts verify: 38423
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 38681, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 2, #pre-frag failures: 1, #fragments created: 4
#PMTUs sent: 1, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: X.X.X.210/0, remote crypto endpt.: 68.X.X.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: EA0A246D
current inbound spi : 57AA85E5

inbound esp sas:
spi: 0x57AA85E5 (1470793189)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1149, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4373979/1354)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x0000003F 0xFFFFFFFF
outbound esp sas:
spi: 0xEA0A246D (3926533229)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1149, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4373982/1354)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: Comcast_map, seq num: 1, local addr: X.X.X.210

access-list Comcast_cryptomap extended permit ip 10.4.4.0 255.255.255.0 172.21.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.2.0/255.255.255.0/0/0)
current_peer: 68.X.X.1


#pkts encaps: 3881485, #pkts encrypt: 3881485, #pkts digest: 3881485
#pkts decaps: 2433312, #pkts decrypt: 2433312, #pkts verify: 2433312
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3881485, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: X.X.X.210/0, remote crypto endpt.: 68.X.X.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0D13A20E
current inbound spi : 93330341

inbound esp sas:
spi: 0x93330341 (2469593921)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1149, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4370760/1286)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x0D13A20E (219390478)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1149, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4372653/1286)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: Comcast_map, seq num: 2, local addr: X.X.X.210

access-list Comcast_cryptomap_2 extended permit ip 10.4.4.0 255.255.255.0 172.21.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.1.0/255.255.255.0/0/0)
current_peer: X.X.X.X.57


#pkts encaps: 11548900, #pkts encrypt: 11548909, #pkts digest: 11548909
#pkts decaps: 16682529, #pkts decrypt: 16682529, #pkts verify: 16682529
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 11548900, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 9, #pre-frag failures: 0, #fragments created: 18
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: X.X.X.210/0, remote crypto endpt.: X.X.X.X.57/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C5F23553
current inbound spi : 03AA2719

inbound esp sas:
spi: 0x03AA2719 (61482777)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1134, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4063898/6330)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC5F23553 (3320984915)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1134, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4270796/6330)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

 

 

 

0 Helpful

Georg Pauwen
VIP
VIP

‎07-09-2020 03:11 PM

Hello,

 

it looks like you are missing the NAT exemption. Try and add the below to your configuration:

 

nat (any,FiOS) source static any any destination static NETWORK_OBJ_10.4.4.0_24 NETWORK_OBJ_10.4.4.0_24 no-proxy-arp route-lookup

Wan_Whisperer
Level 1
Level 1
In response to Georg Pauwen

‎07-09-2020 04:39 PM

I should have mentioned that I now Using the Comcast interface.  I added the NAT statement just like you requested but using the Comcast interface.

 

Result is the same.  All data going through the AnyConnect VPN  is exiting out of the Comcast interface and not the tunnel :(

 

 

Any more ideals?   

0 Helpful

Wan_Whisperer
Level 1
Level 1
In response to Wan_Whisperer

‎07-09-2020 05:20 PM

I have made a lot of changes from the original post.  Here is the latest Config.  I really appreciate the help!

Preview file
30 KB
0 Helpful

Rob Ingram
VIP
VIP
In response to Wan_Whisperer

‎07-09-2020 11:16 PM - edited ‎07-10-2020 12:19 AM

NAT Exemption rule - Duplicate for other destination networks (the VPN sites):-

nat (Comcast,Comcast) source static NETWORK_OBJ_10.4.4.192_26 NETWORK_OBJ_10.4.4.192_26 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp

Amend your existing default NAT rule and move to the end, to ensure this rule is not unintentially matched.

 

object network Kit
 no nat (any,Comcast) dynamic interface
 nat (any,Comcast) after-auto dynamic interface

 HTH

Georg Pauwen
VIP
VIP
In response to Rob Ingram

‎07-10-2020 12:51 AM

Hello,

 

I think the current NAT exemption uses the wrong object (network mask of /26), while the actual real subnet has a /24 mask. Get rid of:

 

nat (NYC_Internal,Comcast) source static any any destination static NETWORK_OBJ_10.4.4.192_26 NETWORK_OBJ_10.4.4.192_26 no-proxy-arp route-lookup

 

and use:

 

nat (NYC_Internal,Comcast) source static any any destination static NETWORK_OBJ_10.4.4.0_24 NETWORK_OBJ_10.4.4.0_24 no-proxy-arp route-lookup

Rob Ingram
VIP
VIP
In response to Georg Pauwen

‎07-10-2020 02:09 AM

Anyconnect traffic will be sourced from the outside interface (Comcast) not the inside interface (NYC_Internal).

Georg Pauwen
VIP
VIP
In response to Rob Ingram

‎07-10-2020 02:23 AM

Good point. I originally used the 'any' as source. I wonder if the below then works...

 

nat (any,Comcast) source static any any destination static NETWORK_OBJ_10.4.4.0_24 NETWORK_OBJ_10.4.4.0_24 no-proxy-arp route-lookup

Wan_Whisperer
Level 1
Level 1
In response to Georg Pauwen

‎07-10-2020 09:25 AM

Thanks for everyone help.  I had to move the nat (any,Comcast)....... to the top.  A different NAT was catching it.

 

 

 

0 Helpful

Georg Pauwen
VIP
VIP
In response to Wan_Whisperer

‎07-10-2020 09:27 AM

Hello,

 

can you post the final, working config for reference ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card