AnyConnect VPN users cannot access some internal addresses after adding PAT statement

MSS1
Level 1

Company name: ABC123
IP addresses = Not real

This is for an ASA firewall at our branch location. They primarily use 10.x addresses internally and also for AnyConnect VPN clients.
The other ABC123 offices use 100.x addressing for internal use.
Due to recent network changes, new 100.x subnets have been added to this branch location.
The 100.x subnets were not able to browse the Internet since there was no PAT statement in the ASA.
So I added this statement:

object network hundred-Net
subnet 100.0.0.0 255.0.0.0
nat (INSIDE,OUTSIDE) dynamic interface

After that, the 100.x servers were able to access the Internet, but I later found out that the 10.x AnyConnect users were not able to access the internal websites at other locations that use 100.x addresses.
I removed the previous change; now the AC users are fine, but the old issue is back.

Later I added specific PAT statements covering only the 100.x nets that belong to this office:

object network branch_100.190.0.0_15
subnet 100.190.0.0 255.254.0.0
nat (INSIDE,OUTSIDE) dynamic interface

object network branch_100.196.0.0_14
subnet 100.196.0.0 255.252.0.0
nat (INSIDE,OUTSIDE) dynamic interface

This does not break anything.
I would like to know why the initial change broke the VPN users' access to 100.x addresses.

4 Replies

Marvin Rhoads
Hall of Fame

Normally we would expect the remote access VPN users' access to non-local sites to be covered by a "nat (outside,outside)" type statement. So it is indeed a bit surprising that the 100/8 being used for a "nat (inside,outside)" statement broke their access.

It could be an interaction with the routing on the ASA. If you had a "route-lookup" statement at the end of the NAT statement that is used by the AnyConnect users, that might fix the original issue.

Thank you for the reply.

I have a case opened with Cisco support but no replies so far.

Question: I was reading somewhere that it is not recommended to have the AnyConnect users' DHCP range be the same as the internal IP range. In my case the DHCP range for the AC users is 10.44.0.0/23 and the internal network as defined on the ASA is 10.44.0.0/16. I'm not sure why this could cause an issue with access to 100.x addresses.

Hi. I guess it's not a best practice to use an internal subnet for AnyConnect, but there is no harm in using it if it's a requirement where the company does not want to add another subnet to the production network.

I found a good link; it might help you better understand what you went through.

https://www.dentonsolutions.com/2018/06/06/cisco-anyconnect-vpn-clients-sharing-lan-ip-address-pool/

please do not forget to rate.

MSS1
Level 1

Thank you for the replies, this issue is now resolved.

The return traffic was not routed properly. So we ended up adding a no-nat statement, saying do not translate the VPN clients' traffic to the 100.xx addresses.
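The thread ends with a "no-nat" (identity NAT) rule but never shows it, and the difference between the /8 PAT rule and the branch-specific /15 and /14 rules is worth seeing concretely. The Python below is an added example, not configuration from this thread or from Cisco. It parses a small constructed ASA-style NAT fragment and applies the ASA's documented rule order (Section 1 manual/twice NAT in configured order, then Section 2 object NAT ordered static before dynamic and then by fewest real addresses). The object names VPN_POOL and OTHER_OFFICES, the exemption's interface pair `(OUTSIDE,any)`, and the addresses 100.200.1.10 and 203.0.113.10 are assumptions. The model does not implement routing or the ASA's egress-interface selection, so it cannot by itself explain the breakage; what it shows is that the /8 object NAT claims every other office's 100.x address as an INSIDE real address while the /15 and /14 rules do not, and that a Section 1 identity rule for the VPN pool is matched before the /8 PAT for VPN flows regardless.

```python
"""Simplified model of ASA NAT rule selection (constructed example).

Models only rule matching/ordering and real-subnet overlap; it does NOT
model the ASA's routing or egress-interface choice.
"""
import ipaddress
import re

# Constructed objects: 100.0.0.0/8 stands in for "all other ABC123 offices";
# 10.44.0.0/23 is the AnyConnect pool mentioned in the thread.
BASE_OBJECTS = """
object network VPN_POOL
 subnet 10.44.0.0 255.255.254.0
object network OTHER_OFFICES
 subnet 100.0.0.0 255.0.0.0
"""
BROAD_PAT = """
object network hundred-Net
 subnet 100.0.0.0 255.0.0.0
 nat (INSIDE,OUTSIDE) dynamic interface
"""
NARROW_PAT = """
object network branch_100.190.0.0_15
 subnet 100.190.0.0 255.254.0.0
 nat (INSIDE,OUTSIDE) dynamic interface
object network branch_100.196.0.0_14
 subnet 100.196.0.0 255.252.0.0
 nat (INSIDE,OUTSIDE) dynamic interface
"""
# Manual identity NAT ("no-nat") for VPN clients talking to 100.x. The
# interface pair and object names are assumptions, not from the thread.
EXEMPTION = """
nat (OUTSIDE,any) source static VPN_POOL VPN_POOL destination static OTHER_OFFICES OTHER_OFFICES no-proxy-arp route-lookup
"""
SCENARIOS = {
    "broad /8 PAT": BASE_OBJECTS + BROAD_PAT,
    "branch-specific PAT": BASE_OBJECTS + NARROW_PAT,
    "broad /8 PAT plus VPN exemption": BASE_OBJECTS + BROAD_PAT + EXEMPTION,
}
# Constructed flows: (ingress interface, source, destination). A decrypted
# AnyConnect packet enters on OUTSIDE; 100.200.1.10 is a made-up web server
# at another office; 203.0.113.10 is a documentation-range Internet host.
FLOWS = {
    "branch server to Internet": ("INSIDE", "100.190.1.20", "203.0.113.10"),
    "VPN client to other office": ("OUTSIDE", "10.44.0.10", "100.200.1.10"),
}


def parse(config):
    """Return (objects, rules) from the subset of ASA syntax used above."""
    objects, rules, current = {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"subnet (\S+) (\S+)$", line):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"nat \((\S+),(\S+)\) dynamic interface$", line):
            rules.append({"section": 2, "kind": "dynamic", "name": current,
                          "ingress": m.group(1), "src": objects[current], "dst": None})
        elif m := re.match(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) "
                           r"destination static (\S+) (\S+)", line):
            kind = "identity" if (m.group(3), m.group(5)) == (m.group(4), m.group(6)) else "static"
            rules.append({"section": 1, "kind": kind, "name": f"{kind}:{m.group(3)}->{m.group(5)}",
                          "ingress": m.group(1), "src": objects[m.group(3)], "dst": objects[m.group(5)]})
    return objects, rules


def ordered(rules):
    """ASA evaluation order: Section 1 as configured, then Section 2 sorted."""
    section1 = [r for r in rules if r["section"] == 1]
    section2 = sorted((r for r in rules if r["section"] == 2),
                      key=lambda r: (r["kind"] != "static", r["src"].num_addresses, r["name"]))
    return section1 + section2


def match(rules, ingress, src, dst):
    """First rule a packet matches, as (rule name, kind); (None, ...) if untranslated."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ordered(rules):
        if r["ingress"] in ("any", ingress) and src in r["src"] \
                and (r["dst"] is None or dst in r["dst"]):
            return r["name"], r["kind"]
    return None, "no NAT rule"


def evaluate(scenario):
    """Map each constructed flow to the rule it hits under a scenario."""
    _, rules = parse(SCENARIOS[scenario])
    return {flow: match(rules, *FLOWS[flow]) for flow in FLOWS}


def overlapping_pat_rules(scenario, address):
    """Object-NAT rules whose real subnet claims `address` as an INSIDE host."""
    _, rules = parse(SCENARIOS[scenario])
    ip = ipaddress.ip_address(address)
    return [r["name"] for r in rules if r["section"] == 2 and ip in r["src"]]


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"== {name} ==")
        for flow, (rule, kind) in evaluate(name).items():
            print(f"  {flow}: {rule or '-'} ({kind})")
        print("  PAT rules overlapping 100.200.1.10:", overlapping_pat_rules(name, "100.200.1.10"))
```

Running it prints, per scenario, which rule each flow hits and which object-NAT rules overlap the other office's address: only the /8 scenarios report hundred-Net as overlapping 100.200.1.10, and only the exemption scenario shows the VPN flow matched (by the Section 1 identity rule) rather than falling through with no rule.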
