anyconnect problem

Ramirov
Level 1

Hello everybody,

I have the following problem. I have an ASA with a public IP where I run AnyConnect. It is working fine, but the problem is that my ISP tells me they are seeing my private IPs in the public range that they gave me.

The private IPs are from my VPN pools.

Do you have any idea why my ISP sees my private IPs? Is there any problem with the AnyConnect config?

 

Thanks.

Accepted Solution

In this case check your NATing. Clearly you aren't NATing the source IP, which is your VPN pool, when the traffic is going from AnyConnect to the internet.

You need a NAT rule to NAT outside,outside. Something like this:

nat (outside,outside) source dynamic object_group_vpn_pool interface no-proxy

or

object network vpn_pool
 subnet x.x.x.x x.x.x.x
 nat (outside,outside) dynamic interface no-proxy

8 Replies

Deepak Kumar
VIP Alumni
 
Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Why routing?

And not NATing?

Hi, 

I am not saying that there is no issue with NAT, but routing could also be a reason. That's why I asked for the configuration.

 

Regards,

Deepak Kumar


Most likely your internet traffic (or part of it, for example DNS) is going over the AnyConnect tunnel and you aren't NATing the VPN traffic when it goes out to the internet.

Is it intentional to send internet traffic over AnyConnect? If not, check your split ACL. Otherwise, if you want internet over AnyConnect, then check your NATing.

Yes, all traffic is going over AnyConnect. I have a lot of NoNat rules; maybe some rule is missing. What do you think?

 


But I have a proxy, and I send the proxy parameters to the VPN clients in the group policy, so then we have a NAT rule (DMZ,OUTSIDE).

Hello, I think I have a problem with no-proxy-arp, because the ISP sees my private IP addresses (of the VPN pools) with the MAC of my FW. I applied no-proxy-arp in all NAT rules but the problem persists.
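The outside,outside NAT rule from the accepted solution, written out as a complete configuration together with the commands that show whether the rule is actually being hit. This is an added illustration, not configuration posted in this thread or published by Cisco for this case. It assumes a constructed AnyConnect pool of 10.10.10.0/24 in an object named VPN_POOL, an outside interface named outside (as in the thread), and uses the documentation address 203.0.113.10 as a stand-in internet destination.

```cisco
! Added example with constructed addresses; VPN_POOL and 10.10.10.0/24 are assumptions.

! 1. Hairpinned traffic enters and leaves the same interface (outside -> outside).
!    Without this, VPN-to-internet packets are dropped before NAT is even consulted.
same-security-traffic permit intra-interface

! 2. The AnyConnect address pool as a network object (must match the ip local pool).
ip local pool ANYCONNECT_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0

! 3. Twice NAT: when a packet from the pool arrives on outside (from the tunnel)
!    and is routed back out outside, PAT it to the outside interface address.
!    Rules are evaluated in order, so an earlier identity/NoNat rule that matches
!    10.10.10.0/24 with destination "any" will shadow this one; check with show nat.
nat (outside,outside) source dynamic VPN_POOL interface

! 4. Verification from privileged EXEC.
!    Rule order and per-rule hit counters: a translate_hits count of 0 on the
!    outside,outside rule means the traffic is matching something above it.
show nat detail

!    Simulate a client (10.10.10.5) opening HTTPS to an internet host. The NAT
!    phase of the output must show the source rewritten to the outside address;
!    if it shows no translation, that is exactly the untranslated 10.x source
!    the ISP reported seeing.
packet-tracer input outside tcp 10.10.10.5 40000 203.0.113.10 443 detailed

!    Live translations after a real client test: the pool address should appear
!    as the real side of a PAT entry on outside.
show xlate
```

The split-tunnel question raised earlier in the thread is checked the same way: if the client's internet traffic is not supposed to go through the tunnel, packet-tracer with a pool source and an internet destination should never reach the ASA in the first place, and the fix belongs in the group policy's split-tunnel ACL rather than in NAT.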