Traffic from AnyConnect client over S2S VPN

Mr.JoVen
Level 1

Hello,

I sadly have an issue I hope you can assist me with:

 

Scenario:

User connects with split-tunnel to an ASA5505. The client needs to access a network that the ASA has an S2S VPN to.

The split-tunnel allows the subnet. The S2S VPN encryption matches the traffic from and to the networks.

The ASA can reach all networks.

 

VPN Client [10.255.255.100] ----> ASA ---> S2S-VPN ----> Cisco router ----> remote host 10.50.56.12

 

I've looked through the web and seen other related issues, but the resolutions in those posts I have already done and checked.

 

ASA config:

ip local pool VPN-Client_IP-Pool 10.255.255.100-10.255.255.150 mask 255.255.255.0

!

object network SPAIN
subnet 10.50.56.0 255.255.255.0

!

object network VPN_Pool1
subnet 10.255.255.0 255.255.255.0

!

access-list AnyConnect-Default-ACL standard permit 10.50.56.0 255.255.255.0
access-list AnyConnect-Default-ACL standard permit 10.50.51.0 255.255.255.0
access-list AnyConnect-Default-ACL standard permit 10.50.48.0 255.255.255.0

!

nat (any,any) source static RFC1819 RFC1819 destination static RFC1819 RFC1819

!

route outside 0.0.0.0 0.0.0.0 116.246.2.125 1

!

tunnel-group AnyConnect-Default type remote-access
tunnel-group AnyConnect-Default general-attributes
address-pool VPN-Client_IP-Pool
authentication-server-group DKCPHAVN14

!

tunnel-group 195.53.84.20 general-attributes
default-group-policy GroupPolicy2
tunnel-group 195.53.84.20 ipsec-attributes
ikev1 pre-shared-key *****

!

group-policy AnyConnect-Default-Policy internal
group-policy AnyConnect-Default-Policy attributes
dns-server value 10.50.51.12
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AnyConnect-Default-ACL

 

Cisco Router (other end)

!

ip access-list extended *-SHANGHAI-ASA-L2L
permit ip 10.50.56.0 0.0.0.255 10.50.48.0 0.0.0.255
permit ip 10.50.56.0 0.0.0.255 10.255.255.0 0.0.0.255

!

S 10.50.48.0 [1/0] via 116.246.2.126
S 10.255.255.0 [1/0] via 116.246.2.126

 

Let me know if you need more information.

Really hope you can help

 

 

 

Accepted Solution

I've found the issue.

 

On the Cisco router, there was a NAT ACL.
I had to put in a deny ip 10.50.56.0 0.0.0.255 10.255.255.0 0.0.0.255

Else the traffic would be NAT'ed to another interface IP.

 

Thank you very much for the assistance in the troubleshooting.

 


5 Replies

Rahul Govindan
VIP Alumni

I would suggest 2 changes:

 

1) Enable "same-security-traffic permit intra-interface"

2) Modify NAT statement as below:

"nat (any,any) source static RFC1819 RFC1819 destination static RFC1819 RFC1819 no-proxy-arp route lookup"

Hello Rahul,

Thank you for your response.

 

I have already set "same-security-traffic permit intra-interface".

 

The "nat (any,any) source static RFC1819 RFC1819 destination static RFC1819 RFC1819 no-proxy-arp route lookup" syntax is not possible on the ASA device. It's an ASA 5506W running 9.6(4)10.

 

Kind regards

Jonas 

Try adding another NAT rule above this specifically for this traffic:

 

nat (outside,outside) 1 source static VPN_Pool1 VPN_Pool1 destination static SPAIN SPAIN no-proxy-arp route lookup

 

Once you make the change, do a "show crypto ipsec sa detail" on the ASA to see if the SA is formed and if the traffic is being sent across the tunnel from the ASA. 

Hi Rahul,

 

I've added the new NAT rule as requested.

 

This is the output from the show crypto:

Crypto map tag: outside_map1, seq num: 3, local addr: 116.246.2.126

access-list outside_cryptomap extended permit ip 10.255.255.0 255.255.255.0 10.50.56.0 255.255.255.0
local ident (addr/mask/prot/port): (10.255.255.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.50.56.0/255.255.255.0/0/0)
current_peer: 195.53.84.20


#pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 6, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: 116.246.2.126/0, remote crypto endpt.: 195.53.84.20/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 6BF67464
current inbound spi : 57F4F867

 

As far as I can tell, the traffic is encrypted over the S2S tunnel, but nothing "returns".

 

On the other side (Cisco router) it looks like this:

local ident (addr/mask/prot/port): (10.50.56.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.255.255.0/255.255.255.0/0/0)
current_peer 116.246.2.126 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 600, #pkts decrypt: 600, #pkts verify: 600
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 195.53.84.20, remote crypto endpt.: 116.246.2.126
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1
current outbound spi: 0x57F4F867(1475672167)

inbound esp sas:
spi: 0x6BF67464(1811313764)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 429, flow_id: Motorola SEC 2.0:429, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4510297/3159)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x57F4F867(1475672167)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 430, flow_id: Motorola SEC 2.0:430, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4510298/3146)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

 

There are decaps packets, but no encaps.

 

Again, on the Cisco router I have this ACL for traffic match:

Extended IP access list -SHANGHAI-ASA-L2L
10 permit ip 10.50.56.0 0.0.0.255 10.50.48.0 0.0.0.255 (55 matches)
20 permit ip 10.50.56.0 0.0.0.255 10.255.255.0 0.0.0.255 (600 matches)
30 permit ip 10.50.56.0 0.0.0.255 10.50.41.0 0.0.0.255
40 permit ip 10.50.56.0 0.0.0.255 10.50.46.0 0.0.0.255 (22758 matches)
50 permit ip 10.50.56.0 0.0.0.255 10.50.47.0 0.0.0.255
60 permit ip 10.50.56.0 0.0.0.255 10.50.49.0 0.0.0.255 (320861 matches)
70 permit ip 10.50.56.0 0.0.0.255 10.50.51.0 0.0.0.255 (770167 match

 

There are matches on the ACL for 10.255.255.0.

 

Also a route:

S       10.255.255.0 [1/0] via 116.246.2.126

 

Kind regards, Jonas 
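An added example, not from the thread, modelling why the router-side fix in the accepted solution worked: on IOS, inside-to-outside traffic is translated by NAT before the crypto map ACL is consulted, so a NAT ACL that permits 10.50.56.0/24 to anything rewrites the return packet's source and the crypto ACL no longer matches it. The crypto ACL entry is the one posted above; the NAT ACL contents, the outside address 192.0.2.1 and the function names are constructed assumptions.

```python
import ipaddress

def _addr_spec(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD') and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)  # IOS wildcard is the inverted netmask
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)

def parse_acl(lines):
    """Parse 'permit|deny ip SRC DST' entries into (action, src_net, dst_net) tuples."""
    entries = []
    for line in lines:
        tokens = line.split()
        action, _proto = tokens.pop(0), tokens.pop(0)
        entries.append((action, _addr_spec(tokens), _addr_spec(tokens)))
    return entries

def acl_action(entries, src, dst):
    """First-match semantics, with the implicit deny that ends every IOS ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action
    return "deny"

def router_forward(nat_acl, crypto_acl, src, dst, outside_ip):
    """Inside-to-outside on IOS: NAT runs first, then the crypto map ACL sees the translated packet.
    Returns (source address on the wire, whether the crypto ACL matched)."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = outside_ip  # PAT overload rewrites the source to the outside interface address
    return src, acl_action(crypto_acl, src, dst) == "permit"

# Crypto ACL line from the thread; NAT ACLs and outside address are constructed for this example.
CRYPTO_ACL = parse_acl(["permit ip 10.50.56.0 0.0.0.255 10.255.255.0 0.0.0.255"])
NAT_ACL_BEFORE = parse_acl(["permit ip 10.50.56.0 0.0.0.255 any"])
NAT_ACL_AFTER = parse_acl(["deny ip 10.50.56.0 0.0.0.255 10.255.255.0 0.0.0.255",
                           "permit ip 10.50.56.0 0.0.0.255 any"])
OUTSIDE_IP = "192.0.2.1"  # constructed placeholder for the router's NAT interface address

if __name__ == "__main__":
    for name, nat_acl in (("before", NAT_ACL_BEFORE), ("after", NAT_ACL_AFTER)):
        src, enc = router_forward(nat_acl, CRYPTO_ACL, "10.50.56.12", "10.255.255.100", OUTSIDE_IP)
        print(f"{name}: return packet leaves as {src} -> 10.255.255.100, encrypted={enc}")
```

The "before" case reproduces the symptom in the thread: the router decapsulates the client's packets but encapsulates nothing, because the reply has already been translated when the crypto map is checked.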


 
