Solved: Yay! A bit of a battle but - Page 2

Hugo Rosado · ‎01-04-2016

Hi Guys,

I have implemented Cisco AnyConnect on our ASA, all goes good untill I have notices that while connected to the VPN I had no access to the internal LAN, after some reading on Cisco website i have changed the DfltGrppolicy to restrict access to only 1 vlan (Vlan 10) since this it has all gone downhill, at the moment no matter what NAT rulles I do I seem to only have access to Vlan 10, no access to any other Vlans or the Internet while connected to the VPN.

Can anyone help?

Thanks in advance

Hugo Rosado · ‎01-06-2016

Hi,

I did remove that, but still the same problem: Cannot access the internet, this is driving me mad :(

Thanks for all your help and time spent on this

Regards

Hr

Philip D'Ath · ‎01-06-2016

Can you post up a fresh copy of the config again please. I need to go through the NAT configuration more closely.

Hugo Rosado · ‎01-06-2016

HI,

I have created a new GroupPolicy so I could work out beteween the 2 Policies if I could make things work, this new policy also has a different pool of addresses on the 10.10.10.x range but please ignore that, I want to go ahead with the previous pool 172.16.10.x

Many thanks, really appretiated.

Hr

Philip D'Ath · ‎01-06-2016

Lets try removing:

nat (any,VodafoneTrunk) source static any any destination static Obj_AnyConnectPool Obj_AnyConnectPool no-proxy-arp

And adding these two instead:

nat (VoipIt_Production,VodafoneTrunk) source static any any destination static Obj_AnyConnectPool Obj_AnyConnectPool no-proxy-arp

nat (Voipit_Telephony,VodafoneTrunk) source static any any destination static Obj_AnyConnectPool Obj_AnyConnectPool no-proxy-arp

Hugo Rosado · ‎01-06-2016

That actually did the trick for the Internet and I am getting the correct external IP but now I have lost access to both Vlan 10 and vlan 20 and both those NAT rullez had no hits, should I put them higher in the Nat table? This was taken after the VPN was connected:

8 (VoipIt_Production) to (VodafoneTrunk) source static any any destination static Obj_AnyConnectPool Obj_AnyConnectPool no-proxy-arp

translate_hits = 0, untranslate_hits = 0

Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0

Destination - Origin: 172.16.10.0/24, Translated: 172.16.10.0/24

9 (Voipit_Telephony) to (VodafoneTrunk) source static any any destination static Obj_AnyConnectPool Obj_AnyConnectPool no-proxy-arp

translate_hits = 0, untranslate_hits = 0

Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0

Destination - Origin: 172.16.10.0/24, Translated: 172.16.10.0/24

Many thanks

Hr

Philip D'Ath · ‎01-06-2016

This is a bit tricky doing it remotely like this.

Basically in the GUI, you want a NAT emption for traffic going to and from:

VoipIt_Production <-> VodafoneTrunk

Voipit_Telephony <-> VodafoneTrunk

for the AnyConnect IP address range ("Obj_AnyConnectPool"). This is the bit not working, but the config is quite close.

And you need a NAT rule to say to NAT traffic from Obj_AnyConnectPool that is going from VodafoneTrunk to VodafoneTrunk. This bit is working.

Hugo Rosado · ‎01-06-2016

I will definitely do this tomorrow morning, first thing so I can concentrate in what Im doing, will let you know, you are a legend.

Many thanks for all your help with this.

Hr

Hugo Rosado · ‎01-07-2016

All working, I cannot say thank you enough, you have been a big big help, many thanks.

If you ever around Portugal let me know, I would be more than happy to show you around.

Regards

Hugo Rosado

Philip D'Ath · ‎01-07-2016

Yay! A bit of a battle but we got there in the end.

Might take me a little bit of time to make it over to Portugal, but you are on.

Auckland, New Zealand

AnyConnect VPN LAN/Internet access