Beginner

AnyConnect VPN users cannot access some internal addresses after adding PAT statement

Company name: ABC123
IP addresses = Not real


This is for an ASA firewall at our branch location. They primarily used 10.x addresses internally and also for AnyConnect VPN clients.
The other ABC123 offices use 100.x addressing for internal use.
Due to recent network changes, new 100.x subnets have been added to this branch location.
The 100.x hosts were not able to browse the Internet since there was no PAT statement in the ASA.
So I added this statement:

object network hundred-Net
 subnet 100.0.0.0 255.0.0.0
 nat (INSIDE,OUTSIDE) dynamic interface

After that, the 100.x servers were able to access the Internet, but I later found out that 10.x AnyConnect users were not able to access the internal websites at other locations that are 100.x.
I removed the previous change, and now AC users are good, but the old issue is back.

Later I added specific PAT statements containing only the 100.x nets that are part of this office:

object network branch_100.190.0.0_15
 subnet 100.190.0.0 255.254.0.0
 nat (INSIDE,OUTSIDE) dynamic interface

object network branch_100.196.0.0_14
 subnet 100.196.0.0 255.252.0.0
 nat (INSIDE,OUTSIDE) dynamic interface

This does not break anything.
I would like to know why the initial change breaks the VPN user access to 100.x addresses.

4 REPLIES
Hall of Fame Master

Re: AnyConnect VPN users cannot access some internal addresses after adding PAT statement

Normally we would expect the remote access VPN users' access to non-local sites to be covered by a "nat (outside,outside)" type statement. So it is indeed a bit surprising that the 100/8 being used for a "nat (inside,outside)" statement broke their access.


It could be an interaction with the routing on the ASA. If you had a "route-lookup" statement at the end of the NAT statement that is used by the AnyConnect users, that might fix the original issue.

Beginner

Re: AnyConnect VPN users cannot access some internal addresses after adding PAT statement

Thank you for the reply.


I have a case opened with Cisco support but no replies so far.

Question: I was reading somewhere that it is not recommended to have the AnyConnect users' DHCP range the same as the internal IP range. In my case the DHCP range for the AC users is 10.44.0.0/23, and the internal network as defined on the ASA is 10.44.0.0/16. I am not sure why this could cause an issue with access to 100.x addresses.

Contributor

Re: AnyConnect VPN users cannot access some internal addresses after adding PAT statement

Hi. I guess it's not a best practice to use an internal subnet for AnyConnect, but there is no harm in using it if it's a requirement where the company does not want to add another subnet into a production network.


I found a good link; it might help you to better understand what you went through.


https://www.dentonsolutions.com/2018/06/06/cisco-anyconnect-vpn-clients-sharing-lan-ip-address-pool/

Beginner

Re: AnyConnect VPN users cannot access some internal addresses after adding PAT statement

Thank you for the replies, this issue is now resolved.


The return traffic was not routed properly, so we ended up adding a no-NAT statement saying do not translate the VPN clients for the 100.xx addresses.
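As an added example, not configuration from the thread or from Cisco, this is the no-NAT (identity twice NAT) rule the last reply describes, kept alongside the original /8 dynamic PAT so that only Internet-bound 100.x traffic is translated. It assumes the INSIDE/OUTSIDE interface names from the original post, the AnyConnect pool 10.44.0.0/23 from the second post, that the other offices' 100.x networks sit behind INSIDE, and object names (ANYCONNECT-POOL, HUNDRED-NET) chosen here.

```cisco
! Added example (not from the thread). Assumptions: INSIDE/OUTSIDE interface
! names as in the original post, AnyConnect pool 10.44.0.0/23 as in the second
! post, remote 100.x networks reachable via INSIDE, object names chosen here.
object network ANYCONNECT-POOL
 subnet 10.44.0.0 255.255.254.0
object network HUNDRED-NET
 subnet 100.0.0.0 255.0.0.0
 nat (INSIDE,OUTSIDE) dynamic interface
!
! Identity twice-NAT rule (NAT exemption). Twice NAT lands in section 1 and is
! evaluated before object NAT in section 2, so flows between HUNDRED-NET and
! ANYCONNECT-POOL in either direction keep their real addresses instead of
! matching the dynamic PAT above. route-lookup makes the ASA pick the egress
! interface from the routing table, as the first reply suggested.
nat (INSIDE,OUTSIDE) source static HUNDRED-NET HUNDRED-NET destination static ANYCONNECT-POOL ANYCONNECT-POOL no-proxy-arp route-lookup
!
! Checks, run from enable mode rather than configuration mode. The exemption
! should be listed under "Manual NAT Policies (Section 1)" ahead of the object
! NAT rule, and a simulated reply from a constructed 100.x server address to a
! constructed pool address should hit the identity rule, not the PAT.
show nat
packet-tracer input INSIDE tcp 100.200.1.10 443 10.44.0.5 50000
```

If the other offices' 100.x networks are instead reached through OUTSIDE (for example over a site-to-site tunnel), the same rule is written with (OUTSIDE,OUTSIDE), as the first reply notes, and same-security-traffic permit intra-interface must be enabled for that hairpin.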
