AnyConnect access over L2L IPSec VPN

Shawn Barrick
Level 1
I'm trying to connect two ASA 5505s for an IPSec L2L VPN. They can connect, but not pass traffic from the AnyConnect subnet. I've added the config from ASA-2, with the LAN subnet of 192.168.138.0 and a subnet of 192.168.238.0 for the AnyConnect clients.

I'm trying to get the AnyConnect clients access to the 192.168.137.0 LAN behind ASA-1 at 1.1.1.1. Having both 192.168.238.0 and 192.168.138.0 access 192.168.137.0 is acceptable.

There's probably a lot of cruft in this config, as I've been reading all over forums and docs without much success. Can someone point me in the right direction?

:
ASA Version 8.2(1) 
!
hostname asa-wal
names
name 192.168.238.0 anyconnect-vpn

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.138.1 255.255.255.0 
!
interface Vlan11
 mac-address c03f.0e3b.1923
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.248 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Munin tcp-udp
 port-object eq 4949
object-group service Webmin tcp
 port-object eq 10000
access-list inside_nat0_outbound extended permit ip 192.168.138.0 255.255.255.0 any 
access-list icmp_ping extended permit icmp any any echo-reply 
access-list icmp_ping extended permit ip 192.168.138.0 255.255.255.0 any 
access-list split-tunnel standard permit 192.168.138.0 255.255.255.0 
access-list 100 extended permit icmp any any echo-reply 
access-list 100 extended permit icmp any any time-exceeded 
access-list 100 extended permit icmp any any unreachable 
access-list NO_NAT extended permit ip anyconnect-vpn 255.255.255.0 any 
access-list NONAT extended permit ip 192.168.138.0 255.255.255.0 anyconnect-vpn 255.255.255.0 
access-list outside_access_in extended permit tcp any interface outside eq ssh 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit icmp any any unreachable  
access-list outside_access_in extended permit tcp 192.168.137.0 255.255.255.0 anyconnect-vpn 255.255.255.0 
access-list outside_1_cryptomap extended permit ip anyconnect-vpn 255.255.255.0 192.168.137.0 255.255.255.0 
access-list inside_nat0_outbound_1 extended permit ip 192.168.138.0 255.255.255.0 anyconnect-vpn 255.255.255.0 
access-list inside_nat0_outbound_1 extended permit ip anyconnect-vpn 255.255.255.0 192.168.137.0 255.255.255.0 
access-list LAN_Traffic extended permit ip anyconnect-vpn 255.255.255.0 192.168.137.0 255.255.255.0 
access-list vpn_nonat extended permit ip anyconnect-vpn 255.255.255.0 192.168.137.0 255.255.255.0 
ip local pool AnyConnect 192.168.238.101-192.168.238.125 mask 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 2 access-list vpn_nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ssh 192.168.138.4 ssh netmask 255.255.255.255 
access-group icmp_ping in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1

dynamic-access-policy-record DfltAccessPolicy
 network-acl inside_nat0_outbound
 network-acl NO_NAT
aaa authentication ssh console LOCAL 
http server enable
http bobx-vpn 255.255.255.0 inside
http 192.168.137.0 255.255.255.0 inside
http 192.168.1.104 255.255.255.255 inside
http 192.168.138.0 255.255.255.0 inside
http anyconnect-vpn 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set Wal2Box esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 98.110.179.36 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map Wal2Box 1 match address LAN_Traffic
crypto map Wal2Box 1 set peer 98.110.179.36 
crypto map Wal2Box 1 set transform-set Wal2Box
crypto map Wal2Box interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 22
telnet timeout 5
ssh 192.168.138.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 192.168.138.101-192.168.138.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd domain inc.internal interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.29
ntp server 129.6.15.28 prefer
webvpn
 enable inside
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-filter value NO_NAT
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-network-list value split-tunnel
 webvpn
  svc compression deflate
group-policy Wal-AnyConnect internal
group-policy Wal-AnyConnect attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

tunnel-group DefaultRAGroup general-attributes
 address-pool AnyConnect
 default-group-policy Wal-AnyConnect
 strip-realm
 strip-group
tunnel-group AnyConnectClientProfile type remote-access
tunnel-group AnyConnectClientProfile general-attributes
 address-pool AnyConnect
 default-group-policy Wal-AnyConnect
tunnel-group AnyConnectClientProfile webvpn-attributes
 group-alias AnyConnectVPNClient enable
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect pptp 
!
Cryptochecksum:762f0186ad987cda4b450f6b4929cb60
: end



Gustavo Medina
Cisco Employee

Hello Shawn,

Add these lines to this ASA:

no nat (inside) 2 access-list vpn_nonat

no access-list vpn_nonat extended permit ip anyconnect-vpn 255.255.255.0 192.168.137.0 255.255.255.0

access-list NONAT extended permit ip 192.168.138.0 255.255.255.0 192.168.137.0 255.255.255.0

access-list LAN_Traffic extended permit ip 192.168.138.0 255.255.255.0 192.168.137.0 255.255.255.0

access-list split-tunnel standard permit 192.168.137.0 255.255.255.0

same-security-traffic permit intra-interface

If it still doesn't work, attach both current configurations and I will take a look at them...

Regards,

Thanks for your assistance.  I made the changes but still no luck.

I've attached both configs.

Hi Shawn,

It looks good, did you disconnect and reconnect the client?

On the remote end you are missing this line:

access-list NONAT extended permit ip 192.168.137.0 255.255.255.0 waltham-lan 255.255.255.0

Please get the "sh vpn-sessiondb det svc" on the asa-wal and also get the "sh cry ipsec sa" on both sites.

If possible on the "boxborough-vpn" ASA get the output of the following command:

packet-tracer input inside icmp 192.168.137.5 8 0 192.168.238.5 det

Regards,

Still no luck, even after a reconnect. I've attached the output you requested. Thanks again for your quick responses.

It looks good, Shawn, but I just noticed a mistake on the asa-wal: you have a vpn-filter applied on the DfltGrpPolicy, and since you don't have any value defined on the Wal-AnyConnect group-policy, it is going to inherit the vpn-filter from the DfltGrpPolicy. Remember that vpn-filters must be applied in the inbound direction, I mean from the pool to the resources you want them to have access to. This is the ACL you have for the filter:

access-list NO_NAT extended permit ip anyconnect-vpn 255.255.255.0 any

That is not in the inbound direction; besides, it looks like you want to allow access to anything as long as the traffic is coming from 192.168.238.0. If that is the case you can do this:

group-policy DfltGrpPolicy attributes

vpn-filter none

Remember to disconnect and reconnect after the above change...

If you actually need to be more specific in allowing traffic for the clients, then apply the rules inbound, for example:

Your pool in this case is 192.168.238.0/24 and the local subnet is 192.168.138.0; for this purpose 192.168.137.0 will be considered local too, because from the AnyConnect perspective it is seen as local: even though it's a remote network reachable via an L2L tunnel, the AnyConnect client does not know that.

The following ACEs will allow the AnyConnect client to telnet to the local networks:

access-list vpnfilt-ra extended permit tcp 192.168.238.0 255.255.255.0 192.168.138.0 255.255.255.0 eq 23

access-list vpnfilt-ra extended permit tcp 192.168.238.0 255.255.255.0 192.168.137.0 255.255.255.0 eq 23

The following ACEs will allow the local networks to telnet to the AnyConnect client:

access-list vpnfilt-ra extended permit tcp 192.168.238.0 255.255.255.0 eq 23 192.168.138.0 255.255.255.0

access-list vpnfilt-ra extended permit tcp 192.168.238.0 255.255.255.0 eq 23 192.168.137.0 255.255.255.0

Notice that the first two ACEs will allow the local network to initiate a connection to the AnyConnect client on any TCP port if it uses a source port of 23, while the last two ACEs will allow the AnyConnect client to initiate a connection to the local networks on any TCP port if it uses a source port of 23.

Regards,
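To make the vpn-filter behaviour described in the answer above concrete, here is a small Python model added for this page (it is not ASA code and not from the thread). It assumes the ASA semantics the answer describes: the filter ACL is written with the AnyConnect pool as the source and is consulted for both directions, with source and destination swapped for traffic heading towards the client; the ACE lines and addresses are constructed to match the thread's example.

```python
import ipaddress

# Constructed ACEs in the shape the answer uses (vpn-filter written with the
# AnyConnect pool as the source); OPEN_FILTER mirrors the thread's NO_NAT line.
VPN_FILTER = [
    "access-list vpnfilt-ra extended permit tcp 192.168.238.0 255.255.255.0 192.168.138.0 255.255.255.0 eq 23",
    "access-list vpnfilt-ra extended permit tcp 192.168.238.0 255.255.255.0 192.168.137.0 255.255.255.0 eq 23",
]
OPEN_FILTER = ["access-list NO_NAT extended permit ip 192.168.238.0 255.255.255.0 any"]

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError("unsupported ACE: " + line)
    permit, proto, rest = tok[3] == "permit", tok[4], tok[5:]

    def take_net(r):  # 'any' or 'ADDR MASK'
        if r[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), r[1:]
        return ipaddress.ip_network(f"{r[0]}/{r[1]}"), r[2:]

    def take_port(r):  # optional 'eq PORT'
        return (int(r[1]), r[2:]) if r and r[0] == "eq" else (None, r)

    src, rest = take_net(rest)
    sport, rest = take_port(rest)
    dst, rest = take_net(rest)
    dport, rest = take_port(rest)
    return dict(permit=permit, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def ace_matches(ace, proto, src_ip, src_port, dst_ip, dst_port):
    return (ace["proto"] in ("ip", proto)
            and ipaddress.ip_address(src_ip) in ace["src"]
            and ipaddress.ip_address(dst_ip) in ace["dst"]
            and ace["sport"] in (None, src_port)
            and ace["dport"] in (None, dst_port))

def vpn_filter_permits(acl_lines, pool, proto, src_ip, src_port, dst_ip, dst_port):
    """Model of vpn-filter evaluation (an assumption of this example, not ASA code):
    the ACL is written client-as-source and applied in both directions, so a packet
    heading towards the client is matched with source and destination swapped.
    Implicit deny when nothing matches."""
    if ipaddress.ip_address(src_ip) in ipaddress.ip_network(pool):
        flow = (src_ip, src_port, dst_ip, dst_port)  # client -> resource
    else:
        flow = (dst_ip, dst_port, src_ip, src_port)  # resource -> client, swapped
    for ace in (parse_ace(l) for l in acl_lines):
        if ace_matches(ace, proto, *flow):
            return ace["permit"]
    return False
```

Running the two filters through this model shows why the "eq 23" on the destination side both lets a client open telnet to the LANs and lets a LAN host reach the client from source port 23, and why the original NO_NAT line permits everything in both directions.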

Gustavo,

The group policy change did it.  Thanks so much for your assistance.

Great news! Glad I could help :-)