Experts,
I am looking for some assistance with configuring/troubleshooting IOS to do AnyConnect remote access, allowing remote users to access local resources, as well as traverse other L2L tunnels on the 1921.
What is not working:
I am not able to get remote users connected to the hub 1921 via AnyConnect to be able to access internal resources, or resources over a L2L tunnel to an ASA5520.
What is working:
- Internal hosts on the 1921 can access internet hosts, and hosts on the other end of the L2L tunnel with an ASA5520. From what I can tell, the L2L tunnel with the ASA is fine.
- Remote access hosts can ping/access the 1921 (loopback interface).
What I believe is correct:
- I believe crypto-map ACLs and NAT statements are correct on both sides. (Also, internal hosts on the 1921 can access resources over the tunnel)
Possible issues:
- Zone based firewall not configured correctly?
- Do remote hosts (172.20.52.0/29) need a zone pair from outside to inside?
- How would you mark the other policy based tunnels as inside if so?
- What debug command would show me if firewall rules are blocking 172.20.52.0/29 hosts from going to 172.20.48.0/24 or 192.168.0.0/24 hosts?
- Do remote hosts (172.20.52.0/29) need a zone pair from outside to inside?
- Webvpn context missing something?
- I've tried adding an ACL here like some examples have shown, it didn't work.
- Virtual Interface config?
- I'm not very familiar with the 'interface virtual-template' config the cisco guides dictated
- I added it as an inside zone member trying to troubleshoot firewall issues.
I can't find anymore configuration examples to follow for this.
This was the guide I used to get this partially setup: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html#anc13
Lastly, this router is a hub for other ASAs to dynamically connect to. Since the ASA5500 series doesn't do VTIs, I had to create a policy based dynamic map on this 1921 to avoid creating a bunch of individual L2Ls. It works, I've already tested that a 5505 could connect and traffic flowed. I kept the ASA5520 being used for this testing static for more clarity.
Can anyone offer more guidance?
Our topology:
Spoiler
Topology
Topology
Config:
Spoiler
Cisco 2941 HUB Router
Current configuration : 21224 bytes
!
! Last configuration change at 10:03:23 EDT Fri May 10 2019 by [REDACTED]
!
version 15.7
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname [REDACTED]
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.157-3.M3.bin
boot system flash:c1900-universalk9-mz.SPA.154-3.M2.bin
boot-end-marker
!
!
logging buffered 4096
enable secret 5 [REDACTED]
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_access local
aaa authentication login AAA_ANYCONNECT local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
!
!
!
!
!
!
!
!
!
!
ip dhcp pool DHCP-POOL_INTERNAL
network 172.20.48.0 255.255.255.0
domain-name [REDACTED]
default-router 172.20.48.254
dns-server 192.168.0.1 172.20.0.6 8.8.8.8
!
!
!
no ip bootp server
ip domain lookup source-interface GigabitEthernet0/0
ip domain name [REDACTED]
ip name-server 192.168.0.1
ip name-server 192.168.0.2
ip name-server 172.20.0.6
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint selfsigned
enrollment selfsigned
revocation-check crl
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint [REDACTED]
enrollment terminal
usage ike
usage ssl-server
usage ssl-client
fqdn [REDACTED]
subject-name [REDACTED]
revocation-check crl
!
!
crypto pki certificate chain selfsigned
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain [REDACTED]
certificate [REDACTED]
quit
certificate ca [REDACTED]
quit
license udi pid CISCO1921/K9 sn [REDACTED]
!
!
!
redundancy
!
crypto ikev2 proposal IKEV2-PROPOSAL_1
encryption aes-cbc-256
integrity sha512
group 24
crypto ikev2 proposal IKEV2-PROPOSAL_2
encryption aes-cbc-256
integrity sha256
group 24
!
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL_1
proposal IKEV2-PROPOSAL_2
!
!
crypto ikev2 profile IKEV2-PROFILE_S2S_ASA5520
match identity remote address [REDACTED]
identity local key-id ASA5520
authentication remote pre-share key [REDACTED]
authentication local pre-share key [REDACTED]
!
crypto ikev2 profile IKEV2-PROFILE_S2S_DYNAMIC
description ** Allows dynamic tunnels **
match identity remote any
authentication remote pre-share key [REDACTED]
authentication local pre-share key [REDACTED]
!
no crypto ikev2 http-url cert
!
!
!
class-map match-any CM_VOICE
match ip dscp ef
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-all CLASSMAP_INSPECTION-VPN-IN
match access-group name ACL_VPN-IN
class-map type inspect match-any CLASSMAP_INSPECTION-OUTBOUND
match protocol tcp
match protocol udp
match protocol icmp
match protocol dns
match protocol http
match protocol https
!
policy-map type inspect POLICYMAP_INSPECTION-OUTBOUND
class type inspect CLASSMAP_INSPECTION-OUTBOUND
inspect
class class-default
drop log
policy-map PM_QOS
class CM_VOICE
priority
class class-default
fair-queue
policy-map PM_OUTSIDE_OUTBOUND
class class-default
shape average 12000000
service-policy PM_QOS
policy-map type inspect POLICYMAP_INSPECTION-VPN-IN
class type inspect CLASSMAP_INSPECTION-VPN-IN
inspect
class class-default
drop
!
zone security INTERNET
zone security INSIDE
zone-pair security ZP_INSIDE-to-OUTSIDE source INSIDE destination INTERNET
service-policy type inspect POLICYMAP_INSPECTION-OUTBOUND
zone-pair security ZP_OUTSIDE-to-INSIDE source INTERNET destination INSIDE
!
!
crypto vpn anyconnect usbflash0:/webvpn/anyconnect-win-4.4.00243-webdeploy-k9.pkg sequence 1
!
crypto isakmp policy 1
!
crypto isakmp policy 2
encr aes 256
hash sha256
group 2
!
!
crypto ipsec transform-set TRANSFORMSET-IPSEC_S2S-ASA esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set TRANSFORMSET-IPSEC_S2S-DYNAMIC esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map CRYPTOMAP-DYNAMIC_S2S-DYNAMIC 1
description ** DYNAMIC TUNNELS **
set transform-set TRANSFORMSET-IPSEC_S2S-DYNAMIC
set pfs group24
set ikev2-profile IKEV2-PROFILE_S2S_DYNAMIC
!
!
crypto map CRYPTOMAP_OUTSITE 1 ipsec-isakmp
set peer [REDACTED]
set transform-set TRANSFORMSET-IPSEC_S2S-ASA
set pfs group24
set ikev2-profile IKEV2-PROFILE_S2S_ASA5520
match address ACL_CRYPTOMAP-S2S-ASA
crypto map CRYPTOMAP_OUTSITE 65001 ipsec-isakmp dynamic CRYPTOMAP-DYNAMIC_S2S-DYNAMIC
!
!
!
!
!
interface Loopback0
ip address 172.20.55.254 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description **Inside Interface**
mtu 1400
ip address 172.20.48.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ** OUTSIDE INTERNET **
ip address dhcp
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security INTERNET
duplex auto
speed auto
no cdp enable
crypto map CRYPTOMAP_OUTSITE
!
interface Virtual-Template1
ip unnumbered Loopback0
zone-member security INSIDE
!
ip local pool ADDRESSPOOL_ANYCONNECT 172.20.52.1 172.20.52.6
ip forward-protocol nd
!
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http access-class 23
ip http authentication local
ip http secure-server
ip http secure-trustpoint [REDACTED]
!
ip tftp source-interface Loopback0
ip nat inside source route-map ROUTEMAP_NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip ssh source-interface GigabitEthernet0/0
ip ssh version 2
ip scp server enable
!
ip access-list standard ACL_ANYCONNECT-SPLITTUNNEL
permit 172.20.0.0 0.0.63.255
permit 10.1.0.0 0.0.7.255
permit 192.168.0.0 0.0.7.255
!
ip access-list extended ACL_CRYPTOMAP-S2S-ASA
permit ip 172.20.48.0 0.0.7.255 192.168.0.0 0.0.7.255
permit ip 172.20.48.0 0.0.7.255 10.1.0.0 0.0.7.255
permit ip 172.20.48.0 0.0.7.255 172.20.32.0 0.0.7.255
ip access-list extended ACL_NAT
deny ip 172.20.48.0 0.0.7.255 172.20.0.0 0.0.63.255
deny ip 172.20.48.0 0.0.7.255 192.168.0.0 0.0.7.255
deny ip 172.20.48.0 0.0.7.255 10.1.0.0 0.0.7.255
permit ip 172.20.48.0 0.0.0.255 any
ip access-list extended ACL_VPN-IN
permit esp any any
permit udp any any eq isakmp
!
!
route-map ROUTEMAP_NAT permit 10
match ip address ACL_NAT
match interface GigabitEthernet0/1
!
!
access-list 23 permit 172.20.0.0 0.0.63.255
access-list 23 permit 192.168.0.0 0.0.7.255
access-list 23 permit 10.1.0.0 0.0.7.255
!
!
!
control-plane
!
!
vstack
!
line con 0
session-timeout 60
exec-timeout 60 0
session-disconnect-warning 300
logging synchronous
login authentication local_access
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
session-timeout 60
access-class 23 in
exec-timeout 60 0
privilege level 15
session-disconnect-warning 300
logging synchronous
login authentication local_access
transport input telnet ssh
line vty 5 15
session-timeout 60
session-disconnect-warning 300
logging synchronous
transport input none
!
scheduler allocate 20000 1000
ntp server 192.168.3.5 source GigabitEthernet0/0
!
!
webvpn gateway WEBVPN-GATEWAY_ANYCONNECT
ip interface GigabitEthernet0/1 port 1025
ssl trustpoint [REDACTED]
inservice
dtls port 1025
!
webvpn context WEBVPN-CONTEXT_ANYCONNECT
aaa authentication list AAA_ANYCONNECT
gateway WEBVPN-GATEWAY_ANYCONNECT
!
ssl authenticate verify all
inservice
!
policy group GROUPPOLICY_ANYCONNECT-SPLIT
functions svc-enabled
svc address-pool "ADDRESSPOOL_ANYCONNECT" netmask 255.255.255.248
svc keep-client-installed
svc split include acl ACL_ANYCONNECT-SPLITTUNNEL
svc dns-server primary 192.168.0.1
svc dns-server secondary 192.168.0.2
!
policy group GROUPPOLICY-ANYCONNECT-FULL
functions svc-enabled
svc address-pool "ADDRESSPOOL_ANYCONNECT" netmask 255.255.255.248
svc dns-server primary 192.168.0.1
svc dns-server secondary 192.168.0.2
default-group-policy GROUPPOLICY_ANYCONNECT-SPLIT
!
end
1 Accepted Solution
Accepted Solutions
@Georg Pauwen wrote:...To be on the safe side, and to avoid making mistakes with access lists, I would always use an IP address range that is completely different from the local LAN (your NAT inside)...
I think that was the key. I didn't change the subnet I was using, but I changed the NAT ACL based on what you said about not overlapping:
ip access-list extended ACL_NAT deny ip 172.20.48.0 0.0.3.255 172.20.55.0 0.0.0.7 (added for AnyConnect) deny ip 172.20.48.0 0.0.7.255 172.20.0.0 0.0.63.255 (Sites 1-4 including this one) deny ip 172.20.48.0 0.0.7.255 192.168.0.0 0.0.7.255 (5th site) deny ip 172.20.48.0 0.0.7.255 10.1.0.0 0.0.7.255 (6th site) permit ip 172.20.48.0 0.0.0.255 any
(The remote subnet doesn't actually overlap the local LAN, local LAN is a /24 and remote is a /29 in two different subnets, but do the site to site tunnels using blocks /21 so one statement covers all the subnets at that site)
Results from remote AnyConnect client on 172.20.52.0/29:
Hitting other sites while remoted in using AnyConnect 172.20.52.2 going to:
