AnyConnect client access problem to remote site-to-site branch

hichamgreen1
Level 1

Hi all,
I have a main site with a 192.168.3.X address (Cisco router 897VA).
I have a branch office with a 192.168.4.X address (Cisco router C870).

The site-to-site VPN works perfectly between the two sites.

In the main site I have AnyConnect VPN configured, and it works fine.

The problem is that when I connect to the main site (192.168.3.X) through AnyConnect, I can't reach the remote site (192.168.4.X).

My config:

MAIN SITE :

hostname MAINSITE
!
boot-start-marker
boot-end-marker
!
!
logging buffered 4096

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login webvpn local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!


ip auth-proxy max-nodata-conns 10
ip admission max-nodata-conns 10
!

!
ip dhcp excluded-address 192.168.3.200 192.168.3.254
ip dhcp excluded-address 192.168.3.1 192.168.3.120
!
ip dhcp pool m-pool
 import all
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 8.8.8.8 4.4.4.4
 lease 0 23 59
!
!
!
no ip bootp server
no ip domain lookup
ip domain name main.local
ip name-server 8.8.8.8
ip name-server 192.168.3.8
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!

cts logging verbose

!
!
archive
 log config
  hidekeys

!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
!
!
!
!
!
controller VDSL 0
no cdp run
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key key address Y.Y.Y.Y
crypto isakmp keepalive 10
!


!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set MAINSITE esp-des esp-md5-hmac
 mode tunnel
!

!
crypto map MapMAINSITE 10 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set MAINSITE 
 match address 101
!
!

interface Loopback1
 ip address 192.168.9.1 255.255.255.255
!
interface ATM0
 ip dhcp client client-id Dialer0
 no ip address
 ip nat outside
 ip virtual-reassembly in
 shutdown
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface Ethernet0
 no ip address
!
interface GigabitEthernet0
 no ip address
 no cdp enable
!
interface GigabitEthernet1
 no ip address
!

interface GigabitEthernet8
 mtu 9216
 no ip address
 no ip redirects
 no ip proxy-arp
 duplex full
 speed auto
 media-type rj45
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!

interface Virtual-Template2
 ip unnumbered Loopback1
!
interface Vlan1
 ip address 192.168.3.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly in
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface Dialer0
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 no ip route-cache
 ip tcp adjust-mss 1300
 dialer pool 1
 dialer-group 1
 ppp ipcp dns request
 ppp ipcp route default
 no cdp enable
 crypto map MapMAINSITE
!
ip local pool webvpn-pool 192.168.9.80 192.168.9.95
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.3.7 25 interface Dialer0 25
ip nat inside source static tcp 192.168.3.7 443 interface Dialer0 443
ip nat inside source route-map RouteMapMAINSITE interface Dialer0 overload
ip nat inside source static tcp 192.168.3.7 80 X.X.X.X 80 route-map RouteMapREMOTESITE extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
dialer-list 1 protocol ip permit
!
route-map RouteMapMAINSITE permit 20
 match ip address 120
!
access-list 23 permit 192.168.3.0 0.0.0.255
access-list 23 permit 192.168.4.0 0.0.0.255
access-list 23 permit 192.168.9.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.9.0 0.0.0.255 any
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 any
access-list 102 permit tcp host 192.168.3.7 any eq smtp
access-list 102 deny   tcp any any eq smtp
access-list 102 deny   ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 102 permit icmp any any echo-reply
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 120 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.3.0 0.0.0.255 any
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
 modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
!
!
!
webvpn gateway MAINSITE-GateWay
 ip interface Dialer0 port 4433
 ssl trustpoint MYSSLVPN_CERT
 inservice
 !
webvpn context MainSite-WebVPN
 title "Mainsite WebVPN Gateway"
 !
 acl "ssl-acl"
   permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
   permit ip 192.168.3.0 255.255.255.0 192.168.3.0 255.255.255.0
   permit ip 192.168.4.0 255.255.255.0 192.168.9.0 255.255.255.0
 login-message "MainSite Secure WebVPN"
 virtual-template 2
 aaa authentication list webvpn
 gateway MAINSITE-GateWay
 !
 ssl authenticate verify all
 inservice
 !
 policy group webvpnpolicy
   acl "ssl-acl"
   functions svc-enabled
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc split include 192.168.9.0 255.255.255.0
   svc split include 192.168.3.0 255.255.255.0
   svc split include 192.168.4.0 255.255.255.0
   svc dns-server primary 8.8.4.4
   svc dns-server secondary 8.8.8.8
 default-group-policy webvpnpolicy
!
end

MAINSITE#

REMOTE SITE :

hostname REMOTESITE
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login webvpn local
aaa authorization exec default local
!
!
aaa session-id common
crypto pki token default removal timeout 0
!
crypto pki trustpoint MY_SSLVPN_CERT
 enrollment selfsigned
 subject-name CN=Z.Z.Z.Z
 revocation-check crl
 rsakeypair MY_SSLVPN_KEYPAIR

dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.4.1 192.168.4.20
!
ip dhcp pool m-pool
   import all
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.1
   dns-server 8.8.4.4 8.8.8.8
   lease 0 23 59
!
!
ip cef
no ip bootp server
no ip domain lookup
ip name-server 8.8.8.8
ip auth-proxy max-nodata-conns 10
ip admission max-nodata-conns 10
!
!


crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key REMOTESITEKEY address Y.Y.Y.Y
crypto isakmp keepalive 10
!

crypto ipsec transform-set REMOTESITE esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!

crypto map MapREMOTESITE 10 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set REMOTESITE
 match address 101
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
bridge irb
!
!

interface ATM0
 ip dhcp client client-id Dialer0
 no ip address
 shutdown
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
 crypto map MapREMOTESITE
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 2
!

interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface Vlan2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 crypto map MapREMOTESITE
!

ip local pool webvpn-pool 192.168.10.80 192.168.10.95
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map RouteMapREMOTESITE interface Dialer0 overload
!
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny   ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 permit icmp any any echo-reply
access-list 120 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
route-map RouteMapREMOTESITE permit 1
 match ip address 120
!
!


line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input all
!
scheduler max-task-time 5000
!


REMOTESITE#

Could someone help me resolve this problem?

Thank you in advance.

2 Replies

Hi,
You will need to modify the ACL used to define the interesting traffic between the main and branch sites to include the AnyConnect VPN IP address pool network.

Also you will need to check that you do not have a NAT rule inadvertently NATting the AnyConnect traffic to the branch site.

If you still need further assistance, post your configuration for review and the output of "show crypto ipsec sa".

HTH
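To make the two checks in the reply above concrete, here is an added example (not code from the post or from Cisco): a small first-match evaluator over the access-list lines quoted from the two configs, used to see whether a given flow is selected by the crypto ACL (101) and whether the NAT route-map ACL (120) would translate it. It assumes contiguous wildcard masks and only looks at `ip` entries, ignoring the tcp/icmp lines.

```python
import ipaddress

# Constructed sample: crypto ACL 101 and NAT route-map ACL 120 from MAINSITE, crypto ACL 101 from REMOTESITE.
MAIN_ACLS = """\
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 any
access-list 120 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.3.0 0.0.0.255 any
"""
REMOTE_ACLS = """\
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny   ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.9.0 0.0.0.255
"""

def _parse_addr(tokens, i):
    """Consume 'any', 'host A' or 'A wildcard' (contiguous wildcard assumed); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    prefixlen = 32 - int(ipaddress.ip_address(tokens[i + 1])).bit_length()
    return ipaddress.ip_network(f"{tokens[i]}/{prefixlen}", strict=False), i + 2

def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configured order ('ip' entries only)."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def first_match(entries, src_ip, dst_ip):
    """IOS first-match evaluation: (action, 1-based line) of the winning entry, or ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, src, dst) in enumerate(entries, 1):
        if s in src and d in dst:
            return action, n
    return "deny", None

def check_flow(crypto_acl, nat_acl, src_ip, dst_ip):
    """Is the flow selected for the IPsec tunnel, and would the NAT route-map translate it?"""
    encrypted, line = first_match(crypto_acl, src_ip, dst_ip)
    natted, _ = first_match(nat_acl, src_ip, dst_ip)
    return {"encrypted": encrypted == "permit", "crypto_line": line, "natted": natted == "permit"}
```

For the posted ACLs, check_flow on 192.168.9.80 to 192.168.4.10 reports encrypted False because no line of MAINSITE ACL 101 covers the webvpn-pool network, while first_match on the REMOTESITE ACL for branch-to-pool traffic stops at the deny on line 2, so the later permit for 192.168.9.0 never takes effect.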

I added my config