AnyConnect VPN LAN/Internet access

Hugo Rosado
Level 1

Hi Guys,

I have implemented Cisco AnyConnect on our ASA. All went well until I noticed that while connected to the VPN I had no access to the internal LAN. After some reading on the Cisco website I changed the DfltGrpPolicy to restrict access to only one VLAN (VLAN 10), and since then it has all gone downhill: at the moment, no matter what NAT rules I create, I seem to only have access to VLAN 10, with no access to any other VLANs or the internet while connected to the VPN.

Can anyone help?

Thanks in advance  

Accepted Solution

This is a bit tricky doing it remotely like this.

Basically in the GUI, you want a NAT exemption for traffic going to and from:

VoipIt_Production <-> VodafoneTrunk

Voipit_Telephony <-> VodafoneTrunk

for the AnyConnect IP address range ("Obj_AnyConnectPool").  This is the bit not working, but the config is quite close.

And you need a NAT rule to say to NAT traffic from Obj_AnyConnectPool that is going from VodafoneTrunk to VodafoneTrunk.  This bit is working.


23 Replies

Philip D'Ath
VIP Alumni

I see you have:

access-list Local_Lan_Connection standard permit host 0.0.0.0

....

split-tunnel-policy excludespecified

split-tunnel-network-list value Local_Lan_Connection

What you probably want to do is to create an access list saying what users can access (usually whole networks at a time), and change to "include" rather than exclude, and use that.

Hi P.Dath,

Thanks for your help. I have actually created an ACL to allow Vpn_Objects to reach any address outside on the internet; the message I am getting now is:

"Asymmetric NAT rules matched for forward and reverse flows.........denied due to NAT reverse path failure"

I had a look and this is down to NAT going in a loop. I have only one NAT rule at the moment, and that's to allow VPN_users to access that specific VLAN.

Confusing......

Specifically, what should a user be able to get to and cannot?

When a user connects to AnyConnect he should be able to access the internet through the VPN and also access VLAN 10 (192.168.10.1/24) and VLAN 20 (192.168.20.1/24). At the moment, while connected to the VPN, I can only access VLAN 10, neither the internet nor VLAN 20.

Thanks in advance

Is the config attached to the first question still your current config or has it been changed some more?

This is my current config 

Start by changing this access-list from:

access-list Local_Lan_Connection standard permit host 0.0.0.0

to:

access-list Local_Lan_Connection standard permit 192.168.10.0 255.255.255.0

access-list Local_Lan_Connection standard permit 192.168.20.0 255.255.255.0

Get rid of these two NATs:

nat (VodafoneTrunk,VodafoneTrunk) source static Obj_AnyConnectPool Obj_AnyConnectPool destination static Obj_AnyConnectPool
nat (VodafoneTrunk,VodafoneTrunk) source static Obj_AnyConnectPool Obj_AnyConnectPool destination static Obj_VPN_Production

Add this:

nat (any,VodafoneTrunk) source static any any destination static Obj_AnyConnectPool Obj_AnyConnectPool no-proxy-arp route-lookup

If this doesn't fix it, please post a new updated config and any errors you are getting in the log.  It will be close after this.  Might need a couple of access-list entries to permit the traffic if not already permitted.

Hi,

Thanks for your help on this.

I have applied all commands and now, while connected to the VPN, I can access VLAN 10 but cannot access VLAN 20. Also, I can ping by IP address but not by name (example: I cannot ping bbd.co.uk but I can ping 8.8.8.8). I think there might be a problem in the policy itself; I'm not sure if this is right:

The bit that worries me is the "Restrict access to Vlan"

I have included a copy of the current version running on the ASA.

Again thank you for your help.

Regards

Get rid of this:

split-tunnel-all-dns enable

Aha!  Remove that VLAN restriction.

group-policy DfltGrpPolicy attributes

  no vlan 10

  no split-tunnel-all-dns enable

Do you have any internal DNS servers?

Ok, this is kinda working. While connected to the VPN I can access VLAN 10 and VLAN 20, and I can also access the internet. The only issue with all this is that to go out on the internet I am using the IP of my current location; while connected to the VPN I need to have the external IP of my VPN server. I have tried split-tunnel but that crashes everything. I will rate all your answers.

Thanks in advance

Hr  

Aha, you didn't mention that requirement initially.

Make these changes:

group-policy DfltGrpPolicy attributes

  no split-tunnel-network-list value Local_Lan_Connection

  split-tunnel-policy tunnelall

Then we might need to make a little NAT change.  Try that and if it doesn't work let me know, and the error you get in the log.

Hi,

I have applied the commands recommended. I can access all of the LAN inside, but it's the outside I am having problems with. This is a screenshot from AnyConnect while connected:

All traffic is now being sent over the tunnel but cannot go outside to the internet; on the web page it fails as Dns_Probe.

These are the logs of the traffic of a PC while connected to the VPN:

All attempts fail to go on the internet.

Packet tracer:

Also here is all the routes while connected to Anyconnect:

Again, Many thanks for all your help

Regards

Hr

I think we should get rid of this NAT:

no nat (VodafoneTrunk,VodafoneTrunk) source static Obj_AnyConnectPool Obj_AnyConnectPool destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3

and replace it with:

nat (VodafoneTrunk,VodafoneTrunk) source dynamic any interface
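The thread converges on four changes: remove the VLAN restriction from the group policy, switch to a full tunnel, exempt traffic between the AnyConnect pool and the internal VLANs from NAT, and add a hairpin PAT so VPN clients reach the internet with the ASA's outside address. The block below is an added example that pulls those pieces into one consolidated ASA configuration; it is not the poster's config and not Philip D'Ath's exact replies, and it goes slightly beyond the thread by scoping the hairpin PAT to the pool rather than `any`. Interface names VodafoneTrunk, VoipIt_Production and Voipit_Telephony, the object Obj_AnyConnectPool, the group policy DfltGrpPolicy and the two VLAN subnets come from the thread; the object names Obj_VLAN10, Obj_VLAN20 and Obj_Internal_Nets, the pool name and range 192.168.100.0/24, and the internal DNS server address 192.168.10.5 are assumed.

```cisco
! Added example, not the original poster's configuration.
! Assumed: pool range, Obj_VLAN10/Obj_VLAN20/Obj_Internal_Nets, DNS address.

! Address pool handed to AnyConnect clients (constructed range)
ip local pool AnyConnectPool 192.168.100.1-192.168.100.254 mask 255.255.255.0

object network Obj_AnyConnectPool
 subnet 192.168.100.0 255.255.255.0
object network Obj_VLAN10
 subnet 192.168.10.0 255.255.255.0
object network Obj_VLAN20
 subnet 192.168.20.0 255.255.255.0
object-group network Obj_Internal_Nets
 network-object object Obj_VLAN10
 network-object object Obj_VLAN20

! Required for hairpinning: VPN traffic arrives on VodafoneTrunk and
! must be allowed to leave through the same interface.
same-security-traffic permit intra-interface

! Identity (exemption) NAT between each internal interface and the pool.
! route-lookup makes the ASA pick the egress interface from the routing
! table instead of the NAT rule, which is what clears the
! "Asymmetric NAT rules matched ... NAT reverse path failure" message.
! Manual NAT is evaluated top-down: keep these above the PAT rule below
! and confirm the order with "show nat".
nat (VoipIt_Production,VodafoneTrunk) source static Obj_Internal_Nets Obj_Internal_Nets destination static Obj_AnyConnectPool Obj_AnyConnectPool no-proxy-arp route-lookup
nat (Voipit_Telephony,VodafoneTrunk) source static Obj_Internal_Nets Obj_Internal_Nets destination static Obj_AnyConnectPool Obj_AnyConnectPool no-proxy-arp route-lookup

! Hairpin PAT: only the pool is translated to the outside interface
! address, so internet-bound client traffic leaves with the ASA's IP.
nat (VodafoneTrunk,VodafoneTrunk) source dynamic Obj_AnyConnectPool interface

group-policy DfltGrpPolicy attributes
 ! remove the ASDM "Restrict access to VLAN" setting
 no vlan 10
 ! full tunnel: everything, including internet traffic, goes via the ASA
 no split-tunnel-network-list value Local_Lan_Connection
 split-tunnel-policy tunnelall
 ! with a full tunnel the client must resolve names through the tunnel
 no split-tunnel-all-dns enable
 ! constructed: internal resolver first, public resolver as fallback
 dns-server value 192.168.10.5 8.8.8.8
 address-pools value AnyConnectPool
```

Two checks worth running after applying this: `show nat` to confirm the two exemption lines sit above the hairpin PAT, and `packet-tracer input VodafoneTrunk icmp <pool-address> 8 0 192.168.20.1` (with a real pool address substituted) to confirm the VLAN 20 flow now matches the exemption rather than the PAT. Note that `no vlan 10` removes the only scoping the group policy had; once clients can reach both VLANs and the internet, limit what VPN users may access with a `vpn-filter` ACL on the group policy rather than relying on NAT to do access control.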
