
Anyconnect cannot reach to server in remote site with IPSec

hiepduong
Level 1

My topology Anyconnect -- ASA -- IPSec -- VyoS

 

I don't have any issues with ASA to VyOS; both remote networks can ping with no problem.

I don't have any issues with AnyConnect to ASA; both remote networks can ping with no problem.

 

The problem is that AnyConnect cannot reach any network in the remote site. I plan to use Windows AD authentication for AnyConnect, but again, neither the ASA itself nor AnyConnect is able to reach the Windows AD server in the remote site.

 

When I turn on debug nat, it says it cannot add the pool to the NAT table. Could that be causing the issue?

 

nat: source mapped value is object:Net-SSL_VPN
nat: new pool table element:(outside):172.16.255.0/255.255.255.192
nat: destination mapped value is object:DC-VL_ShareHosting
nat: destination is identity, element not added to nat pool table

 

ASA Version 9.9(2)

ip local pool ssl_VPN-pool 172.16.255.1-172.16.255.62 mask 255.255.255.192

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.255.255.2 255.255.255.252
!
interface GigabitEthernet1/2
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/2.1
vlan 10
nameif VL_HW
security-level 100
ip address 10.0.10.1 255.255.255.0
!


object network VL_HW
subnet 10.0.10.0 255.255.255.0
description VL_HW


object network DC-VL_ShareHosting
subnet 192.168.10.0 255.255.255.0
description DC-VL_ShareHosting

object network Net-SSL_VPN
subnet 172.16.255.0 255.255.255.192
description Net-SSL_VPN

access-list VPN_S2S extended permit ip object VL_HW object DC-VL_ShareHosting
access-list VPN_S2S extended permit ip object Net-SSL_VPN object DC-VL_ShareHosting

access-list split_SSL_VPN standard permit 10.0.10.0 255.255.255.0
access-list split_SSL_VPN standard permit 192.168.30.0 255.255.255.0

nat (VL_HW,outside) source static VL_HW VL_HW destination static DC-VL_ShareHosting DC-VL_ShareHosting
nat (VL_HW,outside) source static VL_HW VL_HW destination static Net-SSL_VPN Net-SSL_VPN no-proxy-arp route-lookup
!
nat (VL_HW,outside) after-auto source dynamic any interface
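A quick consistency check a practitioner would run over a pasted ASA config before touching NAT: for AnyConnect clients to reach a subnet behind the site-to-site tunnel, the VPN pool must appear as a source in the crypto ACL paired with that subnet, and the subnet must be in the split-tunnel list, otherwise the client never sends the traffic into the tunnel at all. The script below is an added example written for this thread, not Cisco code and not the poster's; the embedded config text is constructed from the lines posted above (descriptions and NAT lines omitted), and the parsing is deliberately minimal (it only understands the `object network`/`subnet`, `ip local pool`, and the two access-list forms used on this page). With the lines as pasted, it reports that 192.168.10.0/24 (DC-VL_ShareHosting) is not in split_SSL_VPN, which is worth confirming independently of the hairpin setting discussed in the accepted solution.

```python
"""Consistency check for AnyConnect-to-remote-site reachability over an ASA S2S tunnel.

Added example, not part of the original post. The config text below is constructed
from the lines the poster shared; the parser is intentionally limited to those forms.
"""
import ipaddress
import re

# Constructed excerpt of the posted config (description and nat lines left out).
ASA_CONFIG = """
ip local pool ssl_VPN-pool 172.16.255.1-172.16.255.62 mask 255.255.255.192
object network VL_HW
subnet 10.0.10.0 255.255.255.0
object network DC-VL_ShareHosting
subnet 192.168.10.0 255.255.255.0
object network Net-SSL_VPN
subnet 172.16.255.0 255.255.255.192
access-list VPN_S2S extended permit ip object VL_HW object DC-VL_ShareHosting
access-list VPN_S2S extended permit ip object Net-SSL_VPN object DC-VL_ShareHosting
access-list split_SSL_VPN standard permit 10.0.10.0 255.255.255.0
access-list split_SSL_VPN standard permit 192.168.30.0 255.255.255.0
"""


def parse_objects(cfg):
    """Map each 'object network NAME' to the ip_network from its following 'subnet' line."""
    objects, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            current = None
    return objects


def parse_pool(cfg):
    """Return the ip_network that contains the whole AnyConnect address pool."""
    m = re.search(r"ip local pool \S+ (\S+)-(\S+) mask (\S+)", cfg)
    first = ipaddress.ip_address(m.group(1))
    # strict=False lets the host address 172.16.255.1 collapse to its /26 network.
    return ipaddress.ip_network(f"{first}/{m.group(3)}", strict=False)


def parse_crypto_acl(cfg, name, objects):
    """Return (src, dst) network pairs from 'extended permit ip object A object B' lines."""
    pat = rf"access-list {re.escape(name)} extended permit ip object (\S+) object (\S+)"
    return [(objects[a], objects[b]) for a, b in re.findall(pat, cfg)]


def parse_standard_acl(cfg, name):
    """Return the networks listed in a standard ACL (the split-tunnel form on this page)."""
    pat = rf"access-list {re.escape(name)} standard permit (\S+) (\S+)"
    return [ipaddress.ip_network(f"{a}/{mk}", strict=False) for a, mk in re.findall(pat, cfg)]


def check_anyconnect_to_remote(cfg, crypto_acl, split_acl, remote_object):
    """Return a list of findings; an empty list means both checks passed."""
    objects = parse_objects(cfg)
    pool = parse_pool(cfg)
    remote = objects[remote_object]
    findings = []
    # 1. The S2S crypto ACL must carry pool -> remote, or the tunnel never encrypts it.
    encrypted = any(pool.subnet_of(src) and remote.subnet_of(dst)
                    for src, dst in parse_crypto_acl(cfg, crypto_acl, objects))
    if not encrypted:
        findings.append(f"{crypto_acl}: no entry covering {pool} -> {remote}")
    # 2. With split tunnelling, the client only routes the listed networks into the tunnel.
    if not any(remote.subnet_of(n) for n in parse_standard_acl(cfg, split_acl)):
        findings.append(f"{split_acl}: remote subnet {remote} is not in the split-tunnel list")
    return findings


if __name__ == "__main__":
    for finding in check_anyconnect_to_remote(ASA_CONFIG, "VPN_S2S", "split_SSL_VPN",
                                              "DC-VL_ShareHosting"):
        print("CHECK:", finding)
```

Point it at the real running config (`show running-config` output pasted into `ASA_CONFIG`) rather than a hand-typed excerpt, since the object names the checks key on are case-sensitive.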

 

1 Accepted Solution

hiepduong
Level 1
Because the AnyConnect zone stays on the outside, no NAT needs to be involved here.
"same-security-traffic permit inter-interface
same-security-traffic permit intra-interface"
will help in this case.

Last thing relates to AD in the remote site, which the ASA outside cannot reach; let me work it out and update as a case study.
