07-09-2020 01:44 PM
I have a home office where a user is on IP address 10.4.4.0/24. This user accesses private IPs at a remote site over a site-to-site VPN.
Now for the issue:
A user at home connected to the home office via AnyConnect on an IP address of 10.4.4.0/24 cannot access any of the IP addresses at the remote site.
The home office VPN is on the ASA and Site 2's VPN endpoint is on an IOS device. I tried to use packet capture on the ASA but nothing shows up on the exit interface; I do see why it would not show up, because it is tunneled. How can I monitor traffic going through the VPN? I put an ACL on two different interfaces: one interface is the one that has the crypto map on it, the other interface leads to the core device. I do not see any packets with a source or destination IP that I am trying to reach. What is happening?
I need the AnyConnect users to be able to connect to the home office but also access our other sites' IPs.
Please be detailed so I can learn from this.
07-09-2020 02:09 PM
07-09-2020 02:36 PM
Thanks for the reply. I added the command < same-security-traffic permit intra-interface >. It's still not working. If I trace to an internal IP at the remote site, the first IP I see is the outside interface. This makes me think it's not going through the site-to-site VPN.
Could there be an issue with the order of operation? i.e. the AnyConnect user is not hitting the crypto map for the VPN?
Thanks
07-09-2020 02:44 PM
07-09-2020 03:18 PM
Run packet-tracer and provide the output. E.g. "packet-tracer input Fios icmp 10.4.4.x 8 0 REMOTE-IP"
Result of the command: "packet-tracer input Comcast icmp 10.4.4.60 8 0 8 172.21.1.1"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 96.X.X.214 using egress ifc Comcast
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,Comcast) source dynamic Internal interface
Additional Information:
Dynamic translate 10.4.4.60/8 to X.X.X.210/8
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,Comcast) source dynamic Internal interface
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 188619647, packet dispatched to next module
Phase: 13
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 96.X.X.214 using egress ifc Comcast
Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 82b2.341c.c1f2 hits 2978 reference 1295
Result:
input-interface: Comcast
input-status: up
input-line-status: up
output-interface: Comcast
output-status: up
output-line-status: up
Action: allow
Result of the command: "show crypto ipsec sa"
interface: Comcast
Crypto map tag: Comcast_map, seq num: 1, local addr: X.X.X.210
access-list Comcast_cryptomap extended permit ip 10.4.4.0 255.255.255.0 68.X.X.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (68.X.X.0/255.255.255.0/0/0)
current_peer: 68.X.X.1
#pkts encaps: 38681, #pkts encrypt: 38682, #pkts digest: 38682
#pkts decaps: 38423, #pkts decrypt: 38423, #pkts verify: 38423
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 38681, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 2, #pre-frag failures: 1, #fragments created: 4
#PMTUs sent: 1, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: X.X.X.210/0, remote crypto endpt.: 68.X.X.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: EA0A246D
current inbound spi : 57AA85E5
inbound esp sas:
spi: 0x57AA85E5 (1470793189)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1149, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4373979/1354)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x0000003F 0xFFFFFFFF
outbound esp sas:
spi: 0xEA0A246D (3926533229)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1149, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4373982/1354)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: Comcast_map, seq num: 1, local addr: X.X.X.210
access-list Comcast_cryptomap extended permit ip 10.4.4.0 255.255.255.0 172.21.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.2.0/255.255.255.0/0/0)
current_peer: 68.X.X.1
#pkts encaps: 3881485, #pkts encrypt: 3881485, #pkts digest: 3881485
#pkts decaps: 2433312, #pkts decrypt: 2433312, #pkts verify: 2433312
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3881485, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: X.X.X.210/0, remote crypto endpt.: 68.X.X.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0D13A20E
current inbound spi : 93330341
inbound esp sas:
spi: 0x93330341 (2469593921)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1149, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4370760/1286)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x0D13A20E (219390478)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1149, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4372653/1286)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: Comcast_map, seq num: 2, local addr: X.X.X.210
access-list Comcast_cryptomap_2 extended permit ip 10.4.4.0 255.255.255.0 172.21.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.1.0/255.255.255.0/0/0)
current_peer: X.X.X.X.57
#pkts encaps: 11548900, #pkts encrypt: 11548909, #pkts digest: 11548909
#pkts decaps: 16682529, #pkts decrypt: 16682529, #pkts verify: 16682529
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 11548900, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 9, #pre-frag failures: 0, #fragments created: 18
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: X.X.X.210/0, remote crypto endpt.: X.X.X.X.57/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C5F23553
current inbound spi : 03AA2719
inbound esp sas:
spi: 0x03AA2719 (61482777)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1134, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4063898/6330)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC5F23553 (3320984915)
SA State: active
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1134, crypto-map: Comcast_map
sa timing: remaining key lifetime (kB/sec): (4270796/6330)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
07-09-2020 03:11 PM
Hello,
it looks like you are missing the NAT exemption. Try and add the below to your configuration:
nat (any,FiOS) source static any any destination static NETWORK_OBJ_10.4.4.0_24 NETWORK_OBJ_10.4.4.0_24 no-proxy-arp route-lookup
07-09-2020 04:39 PM
I should have mentioned that I am now using the Comcast interface. I added the NAT statement just like you requested but using the Comcast interface.
Result is the same. All data going through the AnyConnect VPN is exiting out of the Comcast interface and not the tunnel :(
Any more ideas?
07-09-2020 05:20 PM
07-09-2020 11:16 PM - edited 07-10-2020 12:19 AM
NAT exemption rule (duplicate for the other destination networks, i.e. the VPN sites):
nat (Comcast,Comcast) source static NETWORK_OBJ_10.4.4.192_26 NETWORK_OBJ_10.4.4.192_26 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp
Amend your existing default NAT rule and move it to the end, to ensure this rule is not unintentionally matched.
object network Kit
no nat (any,Comcast) dynamic interface
nat (any,Comcast) after-auto dynamic interface
HTH
07-10-2020 12:51 AM
Hello,
I think the current NAT exemption uses the wrong object (network mask of /26), while the actual real subnet has a /24 mask. Get rid of:
nat (NYC_Internal,Comcast) source static any any destination static NETWORK_OBJ_10.4.4.192_26 NETWORK_OBJ_10.4.4.192_26 no-proxy-arp route-lookup
and use:
nat (NYC_Internal,Comcast) source static any any destination static NETWORK_OBJ_10.4.4.0_24 NETWORK_OBJ_10.4.4.0_24 no-proxy-arp route-lookup
07-10-2020 02:09 AM
07-10-2020 02:23 AM
Good point. I originally used the 'any' as source. I wonder if the below then works...
nat (any,Comcast) source static any any destination static NETWORK_OBJ_10.4.4.0_24 NETWORK_OBJ_10.4.4.0_24 no-proxy-arp route-lookup
07-10-2020 09:25 AM
Thanks for everyone's help. I had to move the nat (any,Comcast)....... to the top. A different NAT was catching it.
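To make the resolution above concrete, here is an added Python model of how the ASA picks a NAT rule and then matches the crypto map; it is not code from the thread or from Cisco, only a simulation of the order of operations the packet-tracer output shows. The rules are reduced to what ordering needs: manual (twice) NAT section 1 is consulted top to bottom before the "after-auto" section, the first match wins, static rules such as an exemption are bidirectional, and the crypto ACL is checked against the post-NAT source. Assumed values: 203.0.113.210 stands in for the masked outside address X.X.X.210, the `Internal` object is taken to be 10.0.0.0/8, the second responder's destination object is taken to be 172.21.1.0/24, and 198.51.100.7 is a constructed internet host. Beyond the thread's case, the model also shows the caveat of a `source static any any` exemption: in its reverse direction it also exempts AnyConnect traffic bound for the internet, which a destination-specific exemption does not.

```python
"""Model of ASA twice-NAT ordering versus crypto-map matching (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")


@dataclass
class NatRule:
    """One manual (twice) NAT rule reduced to what ordering needs.

    section: 1 = manual NAT before object NAT, 3 = manual NAT 'after-auto'.
    identity: True models a NAT exemption (real == mapped). Like every static
    twice-NAT rule it is bidirectional, so it also matches the reverse flow.
    mapped_src: the address a dynamic rule rewrites the source to (interface PAT).
    """
    name: str
    section: int
    src_real: IPv4Network
    dst_real: IPv4Network = ANY
    identity: bool = False
    mapped_src: Optional[IPv4Address] = None

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        forward_hit = src in self.src_real and dst in self.dst_real
        reverse_hit = self.identity and src in self.dst_real and dst in self.src_real
        return forward_hit or reverse_hit


@dataclass
class CryptoEntry:
    """One crypto-map ACE: local subnet <-> remote subnet, matched after NAT."""
    name: str
    local: IPv4Network
    remote: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.local and dst in self.remote


def nat_lookup(rules: List[NatRule], src: IPv4Address, dst: IPv4Address) -> Optional[NatRule]:
    """First match wins within a section; section 1 is searched before section 3."""
    for section in (1, 3):
        for rule in rules:
            if rule.section == section and rule.matches(src, dst):
                return rule
    return None


def forward(rules: List[NatRule], crypto: List[CryptoEntry], src: str, dst: str) -> dict:
    """Apply the winning NAT rule, then ask whether the post-NAT packet hits a crypto ACE."""
    s, d = ip_address(src), ip_address(dst)
    rule = nat_lookup(rules, s, d)
    post_src = s if rule is None or rule.identity else rule.mapped_src
    hit = next((c.name for c in crypto if c.matches(post_src, d)), None)
    return {
        "nat_rule": rule.name if rule else None,
        "post_nat_src": str(post_src),
        "path": f"ipsec tunnel via {hit}" if hit else "clear text out the egress interface",
    }


# Constructed stand-ins (see lead-in): masked X.X.X.210 -> 203.0.113.210, Internal -> 10.0.0.0/8.
OUTSIDE = ip_address("203.0.113.210")
CRYPTO = [CryptoEntry("Comcast_cryptomap_2", ip_network("10.4.4.0/24"), ip_network("172.21.1.0/24"))]

PAT = NatRule("nat (any,Comcast) source dynamic Internal interface", 1,
              ip_network("10.0.0.0/8"), mapped_src=OUTSIDE)
EXEMPT_ANY = NatRule("nat (any,Comcast) source static any any destination static "
                     "NETWORK_OBJ_10.4.4.0_24 NETWORK_OBJ_10.4.4.0_24", 1,
                     ANY, ip_network("10.4.4.0/24"), identity=True)
EXEMPT_TIGHT = NatRule("nat (Comcast,Comcast) source static NETWORK_OBJ_10.4.4.0_24 "
                       "NETWORK_OBJ_10.4.4.0_24 destination static SITE_172.21.1.0 SITE_172.21.1.0", 1,
                       ip_network("10.4.4.0/24"), ip_network("172.21.1.0/24"), identity=True)

BROKEN_ORDER = [PAT, EXEMPT_ANY]      # exemption below the dynamic rule: never reached
FIXED_ORDER = [EXEMPT_ANY, PAT]       # exemption moved to the top (the thread's fix)
TIGHT_ORDER = [EXEMPT_TIGHT, PAT]     # destination-specific exemption on top

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER), ("tight", TIGHT_ORDER)):
        for dst in ("172.21.1.1", "198.51.100.7"):
            print(label, dst, forward(rules, CRYPTO, "10.4.4.60", dst))
```

With the dynamic interface PAT rule first, the AnyConnect source is rewritten to the outside address, no crypto ACE matches and the packet leaves in clear text, which is exactly the `Dynamic translate 10.4.4.60/8 to X.X.X.210/8` line followed by `output-interface: Comcast` in the packet-tracer output. With the exemption first, the source stays 10.4.4.60 and the crypto map is hit. The last scenario shows why a destination-specific exemption is the better shape: the `any`-source version also exempts the same user's internet-bound traffic from PAT.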
07-10-2020 09:27 AM
Hello,
Can you post the final, working config for reference?