05-09-2016 04:04 PM - edited 02-21-2020 08:48 PM
As the title says, I've allowed intra-interface traffic and put in the NAT rules you see below. My 2 remote sites can talk to each other just fine; however, AnyConnect clients (RUVPN) cannot talk to the remote sites. In fact the traffic doesn't even appear in the logs. It's as if the ASA doesn't process it at all. What is missing? Are other vendors more friendly with hairpinning encrypted traffic?
nat (Outside,Outside) after-auto 1 source static RUVPN RUVPN destination static RemoteSite1 RemoteSite1 no-proxy-arp route-lookup
nat (Outside,Outside) after-auto 1 source static RUVPN RUVPN destination static RemoteSite2 RemoteSite2 no-proxy-arp route-lookup
nat (Outside,Outside) after-auto 2 source static RemoteSite1 RemoteSite1 destination static RemoteSite2 RemoteSite2 no-proxy-arp route-lookup
nat (inside,Outside) after-auto 3 source static InsideNetworksSansRemote1 InsideNetworksSansRemote1 destination static RemoteSite1 RemoteSite1 no-proxy-arp route-lookup
nat (inside,Outside) after-auto 4 source static InsideNetworksSansRemote2 InsideNetworksSansRemote2 destination static RemoteSite2 RemoteSite2 no-proxy-arp route-lookup
object-group network InsideNetworksSansRemote1
192.168.0.0/20
192.168.128.0/17
192.168.16.0/22
192.168.23.0/24
192.168.24.0/21
192.168.32.0/19
192.168.64.0/18
192.168.20.0/23
object-group network InsideNetworksSansRemote2
192.168.0.0/21
192.168.128.0/17
192.168.14.0/24
192.168.16.0/20
192.168.32.0/19
192.168.64.0/18
192.168.8.0/22
192.168.12.0/23
object network RUVPN
subnet 192.168.241.0 255.255.255.0
object network RemoteSite1
subnet 192.168.22.0 255.255.255.0
object network RemoteSite2
subnet 192.168.15.0 255.255.255.0
05-09-2016 05:10 PM
Hi,
Are the remote subnets a part of the split tunnel ACL ?
Regards,
Aditya
Please rate helpful posts.
05-10-2016 04:08 PM
Yes, AnyConnect is configured to tunnel 192.168.0.0/16; the remote sites are configured with a mirror of the two ACLs you see above. I have double and triple checked those.
I did a bit more digging and I can actually see non-routable replies coming from my ISP router on the Outside interface saying 192.168.x.x is not routable. So the ASA is not tunneling the traffic even though every ACL says to encrypt it. There are 6 remote sites and anyconnect can't reach any of them despite the 241 subnet being included in each ACL so I don't think the issue is in an ACL.
05-10-2016 05:03 PM
Hi,
Can you run packet-tracer and source the packet tracer from the outside and check the results ?
Regards,
Aditya
Please rate helpful posts.
05-11-2016 04:32 PM
Doing a detailed packet tracer and thinking about it a little more, I've discovered the problem, but I'm still not sure how to solve it gracefully. I'm using dynamic VPNs that can only be initiated from the remote site. So interesting traffic is never being generated to the 192.168.128.0/17 network, because there isn't much there other than my AnyConnect users, and so the IPsec tunnel for that network never comes up.
The remote sites are DHCP and/or multi-homed, so dynamic is my only option, but is there a way to allow the ASA to initiate IPsec tunnels once the IKE tunnel is up for an aggressive mode setup like that?
05-11-2016 05:04 PM
Hi,
If the remote site has a dynamic IP, traffic would always be initiated from the dynamic site, and only that would trigger the IKE tunnel.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
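An added check (my own Python, not from any post in this thread) over the object groups pasted in the first post: it reports which /24s of 192.168.0.0/16 each "Sans" group leaves out, which should be exactly that site's own subnet, and which entry covers the RUVPN pool, so the "every ACL says to encrypt it" claim in the follow-up can be verified offline before chasing the dynamic-crypto-map trigger problem. The 192.168.0.0/16 summary range and the /24 granularity are assumptions taken from the split-tunnel statement in the thread.

```python
import ipaddress

# Object groups copied from the first post; each "Sans" group is the set of hub
# networks allowed to reach one remote site, carved to exclude that site's subnet.
OBJECT_GROUPS = {
    "InsideNetworksSansRemote1": [
        "192.168.0.0/20", "192.168.128.0/17", "192.168.16.0/22",
        "192.168.23.0/24", "192.168.24.0/21", "192.168.32.0/19",
        "192.168.64.0/18", "192.168.20.0/23",
    ],
    "InsideNetworksSansRemote2": [
        "192.168.0.0/21", "192.168.128.0/17", "192.168.14.0/24",
        "192.168.16.0/20", "192.168.32.0/19", "192.168.64.0/18",
        "192.168.8.0/22", "192.168.12.0/23",
    ],
}
RUVPN = "192.168.241.0/24"                                  # AnyConnect pool
REMOTE_SITES = {"RemoteSite1": "192.168.22.0/24",
                "RemoteSite2": "192.168.15.0/24"}
SPLIT_TUNNEL = "192.168.0.0/16"                             # assumed summary range


def covering_entry(group, prefix):
    """Return the first entry of `group` that fully contains `prefix`, else None."""
    net = ipaddress.ip_network(prefix)
    for entry in OBJECT_GROUPS[group]:
        if net.subnet_of(ipaddress.ip_network(entry)):
            return entry
    return None


def uncovered_24s(group):
    """List the /24s of the split-tunnel range that no entry of `group` covers."""
    entries = [ipaddress.ip_network(e) for e in OBJECT_GROUPS[group]]
    return [str(s) for s in ipaddress.ip_network(SPLIT_TUNNEL).subnets(new_prefix=24)
            if not any(s.subnet_of(e) for e in entries)]


def audit():
    """Map each group to (entry covering RUVPN, list of /24s it leaves out)."""
    return {g: (covering_entry(g, RUVPN), uncovered_24s(g)) for g in OBJECT_GROUPS}


if __name__ == "__main__":
    for group, (pool_entry, holes) in audit().items():
        print(f"{group}: RUVPN covered by {pool_entry}; excluded /24s: {holes}")
```

For this thread's groups the pool is covered and the only hole in each group is that site's own subnet, which is consistent with the later finding that the ACLs are fine and the tunnel simply never gets a hub-side trigger.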