Anyconnect VPN Unable to Access Remote Networks

tyler.newton
Level 1

I have a network environment consisting of 8 Cisco ASA5506 appliances.  The main office serves as the hub, and the 7 satellite offices are connected to this main office by site-to-site IPSec tunnels. The main office provides all Active Directory, file, and print services to the network, so all of the client server infrastructure is at the main office.

 

We use AnyConnect for remote workers to connect to the main office for access to file shares and other network resources.  This VPN access has been performing flawlessly, with users accessing network resources at the main office and, with split-tunneling configured, also having Internet access during VPN sessions.

 

A recent change is requiring some Anyconnect users to access resources now located at one of the satellite offices.  This was not previously a requirement or ever tested, so I believe the function/capability was never working for Anyconnect users; and when Anyconnect users are connected to the VPN, they are unable to PING IP/name or map to resources at the satellite offices.  However, users physically at the main office are able to access resources at any of the satellite offices without issue.

 

Main office subnet = 192.168.10.0/24

AnyConnect IP Assignments = group of IPs assigned by the ASA at connect, 192.168.10.200 - 210

Satellite Offices = 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, etc...

 

Since the Anyconnect client is receiving an IP that matches the main office subnet, I'm not seeing how these vpn clients are prohibited or restricted from accessing satellite (remote) office resources.  I am happy to provide further information or details as needed.

9 Replies

Hi,
If I understand your scenario correctly, you are routing the AC VPN traffic back out the same interface over a Site to Site VPN?
In which case do you have "same-security-traffic permit intra-interface" command configured?

HTH

I believe your statement "AC VPN traffic back out the same interface over a Site to Site VPN" is true, and I have not applied any additional commands beyond the setups of the IPSec tunnels and Anyconnect profile. 

 

Would I run the "same-security-traffic permit intra-interface" command from the CLI in ASDM?  I searched the running config, but don't see the "intra-interface" defined.

You can enter that command on the CLI. It basically allows traffic to hairpin, i.e. route out the same interface the traffic entered from.

HTH

Would it not need the command same-security-traffic permit inter-interface, as the other command is for AnyConnect?

please do not forget to rate.

"Inter" is between two different interfaces with the same security level.
"Intra" is used during hairpinning, traffic routed back out through the outside interface.

 

Reference here

Quote - "One thing he mentioned and I forgot is the same-security-traffic permit intra-interface to allow U-turn."

Cheers, appreciated.

please do not forget to rate.

I ran the recommended command from CLI, but still no luck.  Attached is the running config that shows the config is now included. 

If you have an AnyConnect client and you are running this command:

nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup

!

I am curious, could we use any here instead of inside, to test it:

nat (any,outside) source static any any destin static NETWORK_OB_192.168.108_24 NETWORK_OB_192.168.108_24 no-proxy-arp route-lookup
(where 192.168.108/24 is my AnyConnect pool)

nat (any,outside) source static any any destin static XXXX XXXX no-proxy-arp route-lookup

please do not forget to rate.

My Client Address Pool is labeled VPN_Pool, so would I use the following syntax for the command:

nat (any,outside) source static any any destin static VPN_Pool VPN_Pool no-proxy-arp route-lookup
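The two pieces the replies above describe (permitting hairpin traffic on the outside interface, and an identity NAT so the AnyConnect pool is not translated on its way into the site-to-site tunnel) fit together on the hub ASA as shown in this added example. It is not configuration from the thread or from the attached running config: only VPN_Pool, NETWORK_OBJ_192.168.10.0_24, the pool range and the satellite subnets come from the posts; the object-group name SATELLITE_NETS, the ACL name SPLIT_TUNNEL and the group-policy name AC_POLICY are assumed. It also assumes the existing site-to-site crypto ACLs on both the hub and the spoke already match 192.168.10.0/24, which covers the pool addresses 192.168.10.200-210.

```cisco
! Added example, not the thread author's config. Names other than
! VPN_Pool and NETWORK_OBJ_192.168.10.0_24 are assumptions.

! 1. Allow traffic that arrived on the outside interface (AnyConnect)
!    to leave again on the outside interface (site-to-site tunnel).
same-security-traffic permit intra-interface

! 2. Objects for the AnyConnect pool and the satellite office subnets.
object network VPN_Pool
 range 192.168.10.200 192.168.10.210
object-group network SATELLITE_NETS
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.12.0 255.255.255.0
 network-object 192.168.13.0 255.255.255.0

! 3. Identity (twice) NAT: pool <-> satellite traffic keeps its real
!    addresses, so it matches the site-to-site crypto ACL. This is the
!    thread's suggestion scoped to the pool instead of "any any".
nat (outside,outside) source static VPN_Pool VPN_Pool destination static SATELLITE_NETS SATELLITE_NETS no-proxy-arp route-lookup

! 4. With split tunneling, the client only sends traffic for networks in
!    the split-tunnel ACL through the VPN, so the satellites must be listed.
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.11.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.12.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.13.0 255.255.255.0
group-policy AC_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 5. Check the path from a pool address to a satellite host: the output
!    should show the NAT rule above being hit and a VPN encrypt phase,
!    not a drop.
packet-tracer input outside icmp 192.168.10.201 8 0 192.168.11.10 detailed
```

If packet-tracer shows the flow being dropped before the VPN phase, the usual causes are the intra-interface command missing, a broader NAT rule higher in the table translating the pool, or a crypto ACL on the spoke that does not include the pool addresses.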
