06-27-2013 02:16 PM - edited 02-21-2020 06:59 PM
I've been trying to track this issue down for 3 days and I'm at wit's end. Configuration is an ASA 5510 8.4(3)12. Subnet of all networks is 1.1.88.0/21. LAN is 1.1.89.0/24 on interface "inside", 1.1.91.0/24 is AnyConnect clients connecting on interface "remote". Site A is 192.168.1.0/24. Desired result is that hosts in LAN can communicate with hosts in Site A and AnyConnect clients, AnyConnect clients can communicate with Site A and LAN, traffic from LAN and AnyConnect is NAT'd out interface "outside".
With this configuration I am able to ping from Site A to LAN, Site A to AnyConnect, LAN to AnyConnect, AnyConnect to LAN, but NOT AnyConnect to Site A. I have no idea why I can't initiate communication for AnyConnect clients to Site A. Config:
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 1.1.89.2 255.255.255.0
!
interface Ethernet0/2
nameif remote
security-level 0
dhcp client route distance 10
ip address dhcp setroute
!
interface Ethernet0/3
shutdown
nameif Other
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa843-12-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
object network AnyConnectClients
range 1.1.91.1 1.1.91.255
description AnyConnect Clients
object network LAN
subnet 1.1.89.0 255.255.255.0
description LAN to Internet
object network MySubnets
subnet 1.1.88.0 255.255.248.0
object network SiteAD
subnet 192.168.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object LAN
network-object object AnyConnectClients
object-group network MyNetworks
network-object object LAN
network-object object AnyConnectClients
object-group network VPNSubnets
description All VPN Subnets
network-object object SiteA
object-group network PartnerVPNSubnets
network-object object SiteA
access-list outside_access_in extended permit ip object-group PartnerVPNSubnets object-group MyNetworks
access-list remote_access_in extended permit ip object AnyConnectClients object SiteA
access-list inside_access_in extended permit ip object LAN any
access-list outside_cryptomap_1 extended permit ip object MySubnets object SiteA
access-list remote_access_in_1 extended permit ip object AnyConnectClients any
ip local pool AnyConnectPool 1.1.91.1-1.1.91.255 mask 255.255.255.0
ip verify reverse-path interface outside
nat (remote,outside) source static AnyConnectClients AnyConnectClients destination static PartnerVPNSubnets PartnerVPNSubnets no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static PartnerVPNSubnets PartnerVPNSubnets no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic MySubnets interface
nat (remote,outside) after-auto source dynamic MySubnets interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group remote_access_in_1 in interface remote
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record OffsiteVPNDAP
description "Access policy for remote VPN users"
webvpn
port-forward disable
file-browsing enable
file-entry enable
http-proxy enable
url-entry enable
svc ask enable default svc
always-on-vpn profile-setting
aaa-server LDAPDCS protocol ldap
aaa-server LDAPDCS (inside) host LDAPSERVER
user-identity default-domain LOCAL
http server enable
no sysopt connection permit-vpn
sysopt noproxyarp outside
sysopt noproxyarp inside
sysopt noproxyarp remote
sysopt noproxyarp Other
sysopt noproxyarp management
group-policy MySSLVPNGP internal
group-policy MySSLVPNGP attributes
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ssl-client ssl-clientless
group-lock none
split-tunnel-policy tunnelall
split-tunnel-all-dns enable
msie-proxy method no-modify
vlan none
nac-settings none
address-pools value AnyConnectPool
smartcard-removal-disconnect enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value achieveconsulting.local
split-tunnel-all-dns enable
webvpn
anyconnect profiles value AnyConnectProf type user
group-policy SiteAGroupPolicy internal
group-policy SiteAGroupPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group DefaultRAGroup general-attributes
authentication-server-group LDAPDCS
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool AnyConnectPool
default-group-policy MySSLVPNGP
password-management
06-28-2013 01:08 AM
Shouldn't it be?
same-security-traffic permit intra-interface
Since AnyConnect and Site A are connecting via the same IF?
Michael
Please rate all helpful posts
06-28-2013 08:02 AM
Site A's tunnel endpoint is "outside" and AnyConnect clients connect via "remote". We're not trying to hairpin any traffic in and out of the same interface.
06-30-2013 01:09 AM
Hello Michael,
Not sure if this is a typo but:
nat (remote,outside) source static AnyConnectClients AnyConnectClients destination static PartnerVPNSubnets PartnerVPNSubnets no-proxy-arp route-lookup
So I looked in the config for the object group PartnerVPNSubnets and found
object-group network PartnerVPNSubnets
network-object object SiteA
Looked for object SiteA and nothing was found.
Can you confirm if you have that and of course update the ticket.
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
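The dangling-object check described in the reply above (a group referencing SiteA while only SiteAD is defined) can be automated. This is an added example, not code from the thread; the config excerpt inside it is constructed to mirror the sterilized config posted here.

```python
import re

# Constructed excerpt mirroring the thread's config: PartnerVPNSubnets and the
# access-list reference object "SiteA", but only "SiteAD" is defined.
SAMPLE_CONFIG = """\
object network AnyConnectClients
 range 1.1.91.1 1.1.91.255
object network SiteAD
 subnet 192.168.1.0 255.255.255.0
object-group network PartnerVPNSubnets
 network-object object SiteA
access-list remote_access_in extended permit ip object AnyConnectClients object SiteA
nat (remote,outside) source static AnyConnectClients AnyConnectClients destination static PartnerVPNSubnets PartnerVPNSubnets no-proxy-arp route-lookup
"""

# Definitions: "object network NAME" / "object-group network NAME" (service too).
DEF_RE = re.compile(r"^(?:object|object-group) (?:network|service) (\S+)")
# References preceded by whitespace: "object NAME", "object-group NAME",
# "network-object object NAME" (the leading \s keeps "network-object" itself out).
OBJ_REF_RE = re.compile(r"(?:^|\s)(?:object|object-group) (\S+)")
# Twice NAT lines reference objects positionally rather than with a keyword.
NAT_RE = re.compile(
    r"^nat \([^)]*\) (?:after-auto )?source (?:static|dynamic) (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?"
)
NAT_KEYWORDS = {"interface", "any", "any4", "any6"}


def dangling_references(config: str) -> dict:
    """Map each referenced-but-undefined object name to the line numbers using it."""
    defined, refs = set(), {}
    for lineno, line in enumerate(config.splitlines(), 1):
        line = line.rstrip()
        m = DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
            continue
        if line.startswith("nat "):
            m = NAT_RE.match(line)
            names = [n for n in m.groups() if n and n not in NAT_KEYWORDS] if m else []
        else:
            names = OBJ_REF_RE.findall(line)
        for name in names:
            refs.setdefault(name, []).append(lineno)
    return {name: lines for name, lines in refs.items() if name not in defined}


if __name__ == "__main__":
    for name, lines in dangling_references(SAMPLE_CONFIG).items():
        print(f"undefined object {name!r} referenced on line(s) {lines}")
```

Run it against a `show running-config` capture; an empty result means every object and object-group named in NAT and ACL lines is actually defined.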
07-01-2013 12:49 PM
This was a typo caused from sterilizing the config. The object for SiteA is:
object network SiteAD
subnet 192.168.1.0 255.255.255.0
07-25-2013 04:06 PM
Anyone with any other ideas? We're still having this issue and have been unable to resolve it.
07-27-2013 02:16 PM
Site A and your mgt interface are on the same subnet?
07-29-2013 10:26 AM
That was also a side effect of sterilizing the config. The actual values for the management interface and site A are not on the same subnet. I removed the management interface info from the config.