Anyconnect connection: VPN connection is fine. Reaching a specific network is not accessible.

Supercell292929
Level 1

Hello,

I'm curious as to why I can reach our 10.0.0.0/8 network from the AnyConnect VPN pool 192.168.200.100-.200, but not our 172.16.250.0/24 network. The setup is identical on our 5555-X. Do I need a "route-lookup" statement on the (NO DICE) nat? (seen below) 172.16.250.0/24 is statically routed on our ASA:

object network obj-192.168.200.0
subnet 192.168.200.0 255.255.255.0

####

ip local pool VPN-remote 192.168.200.100-192.168.200.200 mask 255.255.255.0

####

access-list VPNIT_splitTunnelAcl standard permit 172.16.250.0 255.255.255.0 

nat (inside,any) source static obj-172.16.250.0 obj-172.16.250.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp

####

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 192.168.200.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any4 192.168.200.0 255.255.255.0
access-list cin extended permit ip host 192.168.200.100 host 10.100.10.10 (WORKS FINE)
access-list cin extended permit ip host 10.100.10.10 host 192.168.200.100 (WORKS FINE)
access-list cin extended permit ip host 192.168.200.100 host 172.16.250.5 (DOESN'T WORK)
access-list cin extended permit ip host 172.16.250.5 host 192.168.200.100 (DOESN'T WORK)
nat (any,outside) source static any any destination static obj-192.168.200.0 obj-192.168.200.0
nat (inside,any) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp (WORKS FINE)

nat (inside,any) source static obj-172.16.250.0 obj-172.16.250.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp (NO DICE)

####

C    172.16.250.0 255.255.255.0 is directly connected, management

S    172.16.0.0 255.255.0.0 [1/0] via 10.100.10.1, inside

#####

route inside 10.0.0.0 255.0.0.0 10.100.10.1 1 

route inside 172.16.0.0 255.255.0.0 10.100.10.1 1

route management 10.100.0.0 255.255.0.0 172.16.250.1 1

#####

Anyconnect client is showing 172.16.250.0/24 within its secured routes (see attached).

Thank you in advance.


Hello,

try to configure your split tunnel ACL like this:

access-list VPNIT_splitTunnelAcl standard permit any4

What does your group policy look like ? Can you post the full config ?

I removed the 3 ACLs seen below and replaced them with what you recommended: "access-list VPNIT_splitTunnelAcl standard permit any4." No sooner did I do this than my home connection to the internet dropped (the AnyConnect tunnel stayed up; I just couldn't get out to the internet from my PC [DNS servers were nowhere to be found]). I could not get to 172.16.250.0/24, but could still get to the only switch I could always get to: 10.20.6.1/24 via AnyConnect.

VPN-REMOTE (THE ONE I USE):

ip local pool VPN-remote 192.168.200.100-192.168.200.200 mask 255.255.255.0

#####

tunnel-group VPNIT type remote-access
tunnel-group VPNIT general-attributes
address-pool VPN-remote
authentication-server-group AAAServers
default-group-policy VPNIT
tunnel-group VPNIT webvpn-attributes
group-alias VPNIT enable

tunnel-group VPNIT ipsec-attributes
ikev1 pre-shared-key *****

######

access-list VPNIT_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

access-list VPNIT_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0


access-list VPNIT_splitTunnelAcl standard permit 172.16.250.0 255.255.255.0

ADDING THESE THREE ACLs (ABOVE) BACK AFTER REPLACING THEM WITH THE ACL YOU SUGGESTED BROUGHT MY HOME INTERNET BACK UP IMMEDIATELY.

######

group-policy VPNIT internal
group-policy VPNIT attributes
banner value WARNING! You are attempting to login to the XXXXXX. If you are not authorized, disconnect now! Violators will be prosecuted.
dns-server value 10.20.6.10 10.20.6.60
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNIT_splitTunnelAcl
default-domain value local.XXXXXXXX.org

SSH to a switch on our 172.16.250.0/24 = cannot connect and NO hit count (below). This is also what occurred when replacing these ACLs with the one you recommended (ASA(config)# no access-list VPNIT_splitTunnelAcl standard permit any4)

#####

ASA# sho access-list VPNIT_splitTunnelAcl
access-list VPNIT_splitTunnelAcl; 3 elements; name hash: 0x79907cff
access-list VPNIT_splitTunnelAcl line 1 standard permit 10.0.0.0 255.0.0.0 (hitcnt=0) 0x599a0572
access-list VPNIT_splitTunnelAcl line 2 standard permit 172.16.0.0 255.255.0.0 (hitcnt=0) 0x420bf8d2
access-list VPNIT_splitTunnelAcl line 3 standard permit 172.16.250.0 255.255.255.0 (hitcnt=0) 0x5c5248e8

#####

ASA# sho access-list VPNIT_splitTunnelAcl
access-list VPNIT_splitTunnelAcl; 1 elements; name hash: 0x79907cff
access-list VPNIT_splitTunnelAcl line 1 standard permit any4 (hitcnt=0) 0x7cd6f726

#####

ATTACHMENT: Shows what occurs on the AnyConnect client when I added the ACL you provided.

Hello,

Sorry for the misunderstanding, I thought your split tunnel access list contained just the one line you originally posted.

Either way, make sure you have the below configured:

access-list VPNIT_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list VPNIT_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0

object network NETWORK_OBJ_192.168.200.0_24
subnet 192.168.200.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network NETWORK_OBJ_172.16.0.0_16
subnet 172.16.0.0 255.255.0.0
ip local pool VPN-remote 192.168.200.100-192.168.200.200 mask 255.255.255.0

nat (inside, outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 no-proxy-arp route-lookup
nat (inside, outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 no-proxy-arp route-lookup

Thank you for your suggestions, however, it still does not work. Here is the entire layout of the AnyConnect VPN:

object network obj-192.168.200.0
subnet 192.168.200.0 255.255.255.0

object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0

object network obj-172.16.0.0
subnet 172.16.0.0 255.255.0.0

#########################

access-list VPNIT_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list VPNIT_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0

#########################

nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp route-lookup

#########################

group-policy VPNIT internal
group-policy VPNIT attributes
banner value WARNING! You are attempting to login to XXXXX. If you are not authorized, disconnect now! Violators will be prosecuted.
dns-server value 10.20.6.10 10.20.6.60
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNIT_splitTunnelAcl
default-domain value xxxx.xxxxxx.com

########################

tunnel-group VPNIT type remote-access
tunnel-group VPNIT general-attributes
address-pool VPN-remote
authentication-server-group AAAServers
default-group-policy VPNIT
tunnel-group VPNIT webvpn-attributes
group-alias VPNIT enable
tunnel-group VPNIT ipsec-attributes
ikev1 pre-shared-key *****

########################

route inside 10.0.0.0 255.0.0.0 10.100.10.1 1

route inside 172.16.0.0 255.255.0.0 10.100.10.1 1

I have a feeling it has something to do with this:

ON ASA ITSELF:

C    172.16.250.0 255.255.255.0 is directly connected, management
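To make the egress-interface question concrete, here is an added Python model (not from the thread, and not Cisco code) of how the ASA picks the outbound interface for VPN-client traffic. The routing table and identity-NAT rules are the ones posted above; the matching logic is a simplified version of the documented ASA behaviour, where an identity NAT rule without route-lookup forces egress out of the rule's real interface and route-lookup defers to the routing table. It shows that 172.16.250.5 is the only destination where the NAT rule ("inside") and the directly connected management route disagree.

```python
from ipaddress import ip_address, ip_network

# Constructed from the thread: the ASA's routes (longest prefix wins).
ROUTES = [
    ("10.0.0.0/8", "inside"),         # route inside 10.0.0.0 255.0.0.0
    ("172.16.0.0/16", "inside"),      # route inside 172.16.0.0 255.255.0.0
    ("172.16.250.0/24", "management"),  # C ... directly connected, management
]

# Twice-NAT identity rules from the last config posted:
# (real_if, mapped_if, real_net, mapped_dst, route_lookup)
NAT_RULES = [
    ("inside", "outside", "10.0.0.0/8", "192.168.200.0/24", False),
    ("inside", "outside", "172.16.0.0/16", "192.168.200.0/24", False),
]

def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    best = None
    for prefix, iface in ROUTES:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def egress_interface(src, dst, ingress, rules=NAT_RULES):
    """Simplified ASA egress selection for a packet from src to dst that
    arrived on `ingress`. A rule (real_if, mapped_if) also matches the reverse
    flow, i.e. VPN-pool source entering on mapped_if toward real_net. Without
    route-lookup the ASA sends the packet out real_if; with route-lookup it
    uses the routing table. No matching rule means plain routing."""
    for real_if, mapped_if, real_net, mapped_dst, use_route_lookup in rules:
        reverse_match = (mapped_if in ("any", ingress)
                         and ip_address(src) in ip_network(mapped_dst)
                         and ip_address(dst) in ip_network(real_net))
        if reverse_match:
            return route_lookup(dst) if use_route_lookup else real_if
    return route_lookup(dst)

def with_route_lookup(rules):
    """Same rules with the route-lookup keyword added to every one."""
    return [r[:4] + (True,) for r in rules]

if __name__ == "__main__":
    for dst in ("10.100.10.10", "172.16.250.5"):
        print(dst, "no route-lookup ->", egress_interface("192.168.200.100", dst, "outside"),
              "| route-lookup ->",
              egress_interface("192.168.200.100", dst, "outside", with_route_lookup(NAT_RULES)))
```

Even with route-lookup the egress becomes the management interface, so that interface must itself be one the ASA is allowed to forward through-traffic on (an interface configured as management-only accepts only traffic to the ASA itself).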
