Anyconnect access to L2L tunnel on separate interface

GJRBaker
Level 1

Hi

I have a LAN to LAN tunnel on one interface connected to a hosted environment, and all my VPN users come in via a different interface. Both interfaces are external facing, both security level 0.

My problem is this: users on my LAN can access the hosted environment fine through the LAN to LAN tunnel; however, my AnyConnect VPN users can't. I've seen other topics mention VPN hairpinning, and my config is set up to allow this; however, I don't believe this is my issue as both interfaces are separate.

I think it may be something to do with routing or VPN flow: if I use the packet tracer tool and pick one of my AnyConnect IP addresses that isn't in use, it suggests that the packet is allowed; however, if I pick an AnyConnect IP address that is in use (my own, for example), then it claims the packet is dropped.

Accepted Solution

Finally sorted this one.

It turned out to be a missing PAT statement for traffic originating from the OUTSIDE interface, i.e. AnyConnect users.

For some reason I had it in my head that they would originate from the INSIDE once they connect to the VPN. It was the packet tracer that suddenly made the lightbulb go on for me.
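The following is an added, constructed ASA configuration illustrating the fix described in the accepted solution; it is not the poster's configuration. Interface names (inside, outside for AnyConnect, hosted for the L2L tunnel), the AnyConnect pool 10.10.10.0/24, the hosted subnet 172.16.50.0/24 and the agreed PAT address 192.0.2.10 are all assumptions.

```cisco
! Constructed example, not the thread's configuration.
! Interface names, subnets and the PAT address are assumptions.
object network LAN_SUBNET
 subnet 10.1.0.0 255.255.0.0
object network ANYCONNECT_POOL
 subnet 10.10.10.0 255.255.255.0
object network HOSTED_SUBNET
 subnet 172.16.50.0 255.255.255.0
object network AGREED_PAT_IP
 host 192.0.2.10
!
! State described in the thread: LAN users are PATed toward the hosted
! site, but this rule only matches packets whose real ingress is "inside".
! AnyConnect sessions are decrypted on "outside", so they never hit it.
nat (inside,hosted) source dynamic LAN_SUBNET AGREED_PAT_IP destination static HOSTED_SUBNET HOSTED_SUBNET
!
! Fix: add a rule whose real-side interface is the one the AnyConnect
! users arrive on, translating the pool to the same agreed PAT address.
nat (outside,hosted) source dynamic ANYCONNECT_POOL AGREED_PAT_IP destination static HOSTED_SUBNET HOSTED_SUBNET
!
! The L2L crypto ACL must match the translated address, not the pool.
access-list L2L_HOSTED extended permit ip host 192.0.2.10 172.16.50.0 255.255.255.0
!
! Verify: trace from the AnyConnect interface with a pool address. The NAT
! phase should now show the (outside,hosted) rule instead of a DROP.
packet-tracer input outside tcp 10.10.10.5 12345 172.16.50.20 443 detailed
! Confirm the new rule is hit by live sessions (translate_hits counter).
show nat detail
```

The key point is that the real-side interface in the NAT statement must be the interface the AnyConnect sessions terminate on, not the inside interface the users "feel" like they are coming from.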


5 Replies

Hi,
What security level are both those interfaces?
Do you have NAT exempt rules for traffic between the RAVPN and the Remote sites?
If you could provide your configuration, that might help us determine where the issue lies.

HTH

Hi

Thanks for responding - both interfaces are security level 0.

The NAT is more complex, as for the LAN to LAN tunnel we're having to do static NAT for server resources on our side due to overlapping network address space within the hosted environment.

For users on our side (including VPN client users) we have a PAT rule set up to a single IP address within the agreed NAT subnet. This works fine for users on the LAN but not for AnyConnect VPN users.

Is that PAT rule being hit? Check the counters
Could there be another rule above it that is unintentionally being matched?
I assume that PAT address is defined in the ACL for interesting traffic for the L2L VPN?

Hi

The PAT rule works for other networks (LAN based) but not the Cisco AnyConnect traffic, so I'm sure it's something to do with that. I've tried moving it to the top of the list but no joy.

The PAT addresses are included in the ACL for the L2L VPN.

If you do a packet tracer it shows the packet getting through as long as the IP address isn't allocated to an AnyConnect user. If the IP address is in use it fails. I wondered if it was something to do with the automatic route advertisement for AnyConnect IP addresses, but I'm not sure how this works.
