AnyConnect Client LAN overlaps with Protected Network

mumbles202
Level 5

Working on a situation where behind my ASA is a 10.0.0.0/24 network that also happens to be the LAN segment for a home user that needs to connect over VPN.  They can connect w/o any issues, but when they do they lose access to their home printer, which they do need access to while remote.  Group policy is set up w/ tunnelspecified and the 2 subnets they need to connect to are listed.  The ASA is used for multiple AnyConnect profiles, so I didn't try using exclude and specifying 0.0.0.0.  I thought of possibly setting up a NAT statement to transform the protected 10.0.0.0/24 to, say, 10.1.0.0/24 for any traffic from AnyConnect clients and then listing the 10.1.0.0/24 in the ACL.  Is that the best approach to resolve this?

8 Replies

Rahul Govindan
VIP Alumni

Are you advertising the /24 also through the split tunnel? Any chance you could make it a /8 or /16? This way a more generic route gets installed in the user's routing table. Anything headed to the 10.0.0.0/24 would go to the user's home network because of the more specific home network route.

If you truly have conflict between ip addresses in your network and the home user network (say both of you have 10.0.0.5), then the best possible solution is to have the user change his home network ip subnet. You could have the NAT workaround as mentioned in your post, but that affects everyone receiving the same vpn pool subnet.

shgrover
Cisco Employee

Hello

Please try the following workaround:

Add the following line to your split ACL:

access-list <split-acl-name> standard permit host 0.0.0.0

In the group-policy, make sure your split-tunnel policy is set to "exclude specified":

split-tunnel-policy excludespecified
split-tunnel-network-list value <split-acl-name>

 

If the split-tunnel policy is not excludespecified but includespecified, please modify the above ACE to a deny statement.

Let me know if that works for you.

Regards

Shikha Grover

Modifying the configuration from a /24 to a /23 in the route advertisement from the ASA didn't fix it unfortunately.  

Would using the 0.0.0.0 statement tunnel all traffic? ASA is protecting multiple networks, including the 10.0.0.0/24 and I want to make sure the client only has access to the 10.0.0.0/24 network and 1 other that they should have access to. 

Would this be what I need:

access-list Split_Tunnel_List standard permit 172.23.21.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.0.0.0 255.255.255.0
access-list Split_Tunnel_List standard deny host 0.0.0.0

or this:

access-list Split_Tunnel_List standard deny host 0.0.0.0
access-list Split_Tunnel_List standard permit 172.23.21.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.0.0.0 255.255.255.0

Group policy is include specified.

Please do the following.

access-list Split_Tunnel_List standard deny host 0.0.0.0 - this line will match the user's LAN address available and route it via the LAN network adapter and not via the AnyConnect adapter.

access-list Split_Tunnel_List standard permit 172.23.21.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.0.0.0 255.255.255.0

After you make changes, please make sure your test user disconnects and connects again. The policies will be pushed only when they make a new connection.

Thank you.

Regards

Shikha Grover

Please rate the answers that are helpful.

Thanks for the reply.  Unfortunately, as soon as I configure the ACL like this:

access-list Split_Tunnel_List standard deny host 0.0.0.0
access-list Split_Tunnel_List standard permit 172.23.21.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.0.0.0 255.255.255.0

the client can no longer connect.  When you try to connect you get prompted and then the AnyConnect client quickly disconnects.  As soon as I remove line 1 they're able to connect w/o any issues.  ASA is 9.6.3 and client is 4.1 if that makes a difference.

Please send me the tunnel-group config, group policy, split ACL, IP pool and webvpn config for this. I will try to recreate it.

If you have an XML profile, send me that too.

You could also collect a DART bundle when this disconnect happens; it will help with finding the cause. Start DART, then try to connect, and let it finish.

Did this disconnect happen for all the machines or just this one user?

Regards

Shikha Grover 

I just tested with the one account I set up for testing, which was a copy of the client's.  To test, I had a constant ping going to a device on the local 10.0.0.0/24 network.  When I tried to connect I would get "General failure", then the VPN would disconnect and replies would return.  Interestingly enough, the person who first reported the problem just confirmed that when I add this:

access-list Split_Tunnel_List standard deny host 0.0.0.0

to the end of the split tunnel ACL rather than the beginning they're able to connect and print w/o any issue (just discovered they're using the auto-created port after running the vendor printer setup wizard).  My tests by pinging the device on my lan still fail when I test w/ a test user.  I'll install DART and try to pull that for future reference. 

Hello

I am sorry for the confusion; it has to be added at the end of the ACL. If you add the deny statement at the beginning, it will block all traffic to the ASA.

Regards

Shikha Grover

*****Rate all helpful answers****
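As an added illustration, not code from the thread or from Cisco: a small Python checker that parses the ASA lines quoted above and flags the two conditions this thread turns on, a tunnelled subnet that overlaps the client's LAN with nothing keeping that LAN local, and a host 0.0.0.0 entry whose action does not match the split-tunnel policy or that is not the last ACE. The sample config is constructed from the final working ACL; the client LAN prefix is an assumed input.

```python
import ipaddress
import re

# Constructed sample: the final working configuration from the thread
# (tunnelspecified policy, deny host 0.0.0.0 appended as the last ACE).
SAMPLE_CONFIG = """
access-list Split_Tunnel_List standard permit 172.23.21.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.0.0.0 255.255.255.0
access-list Split_Tunnel_List standard deny host 0.0.0.0
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
"""

# Matches a standard ACE: "host A.B.C.D" or "network mask"
ACE_RE = re.compile(r"access-list\s+(\S+)\s+standard\s+(permit|deny)\s+(host\s+\S+|\S+\s+\S+)")


def parse_config(text):
    """Return (policy, [(action, network), ...]) for the ACL the group-policy references."""
    aces, policy, acl_name = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, target = m.groups()
            parts = target.split()
            # ip_network accepts "addr/dotted-mask", so no mask conversion is needed
            spec = f"{parts[1]}/32" if parts[0] == "host" else f"{parts[0]}/{parts[1]}"
            aces.setdefault(name, []).append((action, ipaddress.ip_network(spec)))
        elif line.startswith("split-tunnel-policy"):
            policy = line.split()[-1]
        elif line.startswith("split-tunnel-network-list value"):
            acl_name = line.split()[-1]
    return policy, aces.get(acl_name, [])


def check_split_tunnel(text, client_lan):
    """Return a list of issues; an empty list means the ACL is consistent for this client LAN."""
    policy, aces = parse_config(text)
    lan = ipaddress.ip_network(client_lan)
    wildcard = ipaddress.ip_network("0.0.0.0/32")
    overlaps = [str(n) for a, n in aces if a == "permit" and n.overlaps(lan)]
    # Under tunnelspecified the local-LAN entry is a deny; under excludespecified a permit
    expected = "deny" if policy == "tunnelspecified" else "permit"
    positions = [i for i, (_, n) in enumerate(aces) if n == wildcard]
    issues = []
    if not positions:
        if overlaps:
            issues.append(f"tunnelled {overlaps} overlap client LAN {lan} and no host 0.0.0.0 entry keeps it local")
    else:
        i = positions[0]
        if aces[i][0] != expected:
            issues.append(f"host 0.0.0.0 must be '{expected}' under {policy}")
        if i != len(aces) - 1:
            issues.append("host 0.0.0.0 entry must be the last ACE")
    return issues
```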
