01-04-2016 03:17 AM - edited 03-08-2019 03:16 AM
Hi Guys,
I have implemented Cisco AnyConnect on our ASA. All went well until I noticed that while connected to the VPN I had no access to the internal LAN. After some reading on the Cisco website I changed the DfltGrpPolicy to restrict access to only one VLAN (VLAN 10). Since then it has all gone downhill: at the moment, no matter what NAT rules I add, I seem to only have access to VLAN 10, with no access to any other VLANs or the Internet while connected to the VPN.
Can anyone help?
Thanks in advance
01-06-2016 03:16 PM
This is a bit tricky doing it remotely like this.
Basically, in the GUI you want a NAT exemption for traffic going to and from:
VoipIt_Production <-> VodafoneTrunk
Voipit_Telephony <-> VodafoneTrunk
for the AnyConnect IP address range ("Obj_AnyConnectPool"). This is the bit not working, but the config is quite close.
And you need a NAT rule to say to NAT traffic from Obj_AnyConnectPool that is going from VodafoneTrunk to VodafoneTrunk. This bit is working.
01-04-2016 05:21 AM
I see you have:
access-list Local_Lan_Connection standard permit host 0.0.0.0
....
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_Lan_Connection
What you probably want to do is to create an access list saying what users can access (usually whole networks at a time), and change to "include" rather than exclude, and use that.
01-04-2016 05:35 AM
Hi P.Dath,
Thanks for your help. I have actually created an ACL to allow Vpn_Objects to reach any address outside on the Internet; the message I am getting now is:
"Asymmetric NAT rules matched for forward and reverse flows ... denied due to NAT reverse path failure"
I had a look and this is down to NAT going in a loop. I have only one NAT rule at the moment, and that is to allow VPN_users to access that specific VLAN.
Confusing......
01-04-2016 05:38 AM
Specifically, what should a user be able to get to and cannot?
01-04-2016 05:54 AM
When a user connects with AnyConnect he should be able to access the Internet through the VPN and also VLAN 10 (192.168.10.1/24) and VLAN 20 (192.168.20.1/24). At the moment, while connected to the VPN, I can only access VLAN 10: no Internet, nor VLAN 20.
Thanks in advance
01-04-2016 05:55 AM
Is the config attached to the first question still your current config or has it been changed some more?
01-04-2016 06:03 AM
01-04-2016 11:25 AM
Start by changing this access-list from:
access-list Local_Lan_Connection standard permit host 0.0.0.0
to:
access-list Local_Lan_Connection standard permit 192.168.10.0 255.255.255.0
access-list Local_Lan_Connection standard permit 192.168.20.0 255.255.255.0
Get rid of these two NATs:
nat (VodafoneTrunk,VodafoneTrunk) source static Obj_AnyConnectPool Obj_AnyConnectPool destination static Obj_AnyConnectPool
nat (VodafoneTrunk,VodafoneTrunk) source static Obj_AnyConnectPool Obj_AnyConnectPool destination static Obj_VPN_Production
Add this:
nat (any,VodafoneTrunk) source static any any destination static Obj_AnyConnectPool Obj_AnyConnectPool no-proxy-arp route-lookup
If this doesn't fix it, please post a new updated config and any errors you are getting in the log. It will be close after this. It might need a couple of access-list entries to permit the traffic if it is not already permitted.
01-05-2016 04:01 AM
Hi,
Thanks for your help on this.
I have applied all the commands and now, while connected to the VPN, I can access VLAN 10 but cannot access VLAN 20. Also, I can ping by IP address but not by name (for example, I cannot ping bbd.co.uk but I can ping 8.8.8.8). I think there might be a problem with the policy itself; I'm not sure if this is right:
The bit that worries me is the "Restrict access to VLAN" setting.
I have included a copy of the current version running on the ASA.
Again thank you for your help.
Regards
01-05-2016 11:20 AM
Get rid of this:
split-tunnel-all-dns enable
01-05-2016 11:22 AM
Aha! Remove that VLAN restriction.
group-policy DfltGrpPolicy attributes
no vlan 10
no split-tunnel-all-dns enable
Do you have any internal DNS servers?
01-06-2016 04:54 AM
OK, this is kind of working. While connected to the VPN I can access VLAN 10 and VLAN 20, and I can also access the Internet. The only issue with all this is that to go out on the Internet I am using the IP of my current location; while connected to the VPN I need to have the external IP of my VPN server. I have tried split tunnel but that crashes everything. I will rate all your answers.
Thanks in advance
Hr
01-06-2016 10:52 AM
Aha, you didn't mention that requirement initially.
Make these changes:
group-policy DfltGrpPolicy attributes
no split-tunnel-network-list value Local_Lan_Connection
split-tunnel-policy tunnelall
Then we might need to make a little NAT change. Try that and if it doesn't work let me know, and the error you get in the log.
01-06-2016 12:53 PM
Hi,
I have applied the commands recommended. I can access all of the LAN inside, but it's the outside I am having problems with. This is a screenshot from AnyConnect while connected:
All traffic is now being sent over the tunnel but cannot go outside to the Internet; on the web page it fails with DNS_PROBE.
These are the logs of the traffic of a PC while connected to the VPN:
All attempts to go on the Internet fail.
Packet tracer:
Also here is all the routes while connected to Anyconnect:
Again, Many thanks for all your help
Regards
Hr
01-06-2016 01:09 PM
I think we should get rid of this NAT:
no nat (VodafoneTrunk,VodafoneTrunk) source static Obj_AnyConnectPool Obj_AnyConnectPool destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3
and replace it with:
nat (VodafoneTrunk,VodafoneTrunk) source dynamic any interface
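For reference, here is the full-tunnel AnyConnect NAT and group-policy arrangement that the two answers above (the 01-04-2016 11:25 AM identity NAT and the 01-06-2016 01:09 PM hairpin PAT) add up to, collected into one consistent fragment. This is an added example written for this page, not the original poster's running config or a Cisco-supplied one. The interface names VodafoneTrunk (outside), VoipIt_Production and Voipit_Telephony (inside) and the object Obj_AnyConnectPool come from the thread; the pool range 192.168.50.0/24, the Obj_VLAN10/Obj_VLAN20 object names, the mapping of those VLANs onto the two inside interfaces, and the internal DNS server address are assumptions. It differs from the final answer in one deliberate way: the hairpin PAT is scoped to the VPN pool rather than `any`, so only AnyConnect clients get translated out of the outside interface.

```cisco
! Added example, not the thread's own config. Interface names come from the thread;
! the pool range, VLAN object names, interface/VLAN mapping and DNS server are assumed.

! --- Objects ---
object network Obj_AnyConnectPool
 subnet 192.168.50.0 255.255.255.0          ! assumed AnyConnect address pool
object network Obj_VLAN10
 subnet 192.168.10.0 255.255.255.0          ! VLAN 10, behind VoipIt_Production (assumed)
object network Obj_VLAN20
 subnet 192.168.20.0 255.255.255.0          ! VLAN 20, behind Voipit_Telephony (assumed)

ip local pool AnyConnectPool 192.168.50.10-192.168.50.250 mask 255.255.255.0

! --- Hairpinning ---
! Decrypted VPN traffic bound for the Internet leaves on the same interface it
! arrived on (VodafoneTrunk -> VodafoneTrunk); the ASA drops that unless allowed.
same-security-traffic permit intra-interface

! --- Manual NAT (section 1), ordered most specific first ---
! 1. Identity NAT between each inside VLAN and the VPN pool: no translation,
!    no proxy-ARP for the pool, and route-lookup so egress follows the routing
!    table. This is what prevents the "NAT reverse path failure" drops.
nat (VoipIt_Production,VodafoneTrunk) source static Obj_VLAN10 Obj_VLAN10 destination static Obj_AnyConnectPool Obj_AnyConnectPool no-proxy-arp route-lookup
nat (Voipit_Telephony,VodafoneTrunk) source static Obj_VLAN20 Obj_VLAN20 destination static Obj_AnyConnectPool Obj_AnyConnectPool no-proxy-arp route-lookup
! 2. Hairpin PAT: VPN clients reach the Internet from the ASA's outside address.
!    Scoped to the pool, and placed AFTER the identity rules so it cannot catch
!    traffic that is really headed for VLAN 10 or VLAN 20.
nat (VodafoneTrunk,VodafoneTrunk) source dynamic Obj_AnyConnectPool interface

! --- Group policy: full tunnel, no VLAN restriction, internal DNS pushed ---
group-policy DfltGrpPolicy attributes
 address-pools value AnyConnectPool
 dns-server value 192.168.10.5             ! assumed internal DNS server
 split-tunnel-policy tunnelall
 no split-tunnel-network-list value Local_Lan_Connection
 no split-tunnel-all-dns enable
 no vlan 10                                ! drop the "Restrict access to VLAN" setting
```

Two things to check after applying something like this. First, `show nat` should show translate_hits climbing on the identity rules for VLAN-bound flows and on the hairpin rule only for Internet-bound flows; if the hairpin counters rise when you ping a VLAN address, the rule order is wrong. Second, remember that by default the ASA bypasses the outside interface ACL for decrypted VPN traffic (`sysopt connection permit-vpn`), so if that has been turned off you also need explicit permit entries on VodafoneTrunk, which is the "couple of access-list entries" P.Dath mentioned.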