AnyConnect client to AnyConnect client conversations

nmfoxton
Level 1
Level 1

Scenario:

ASA5555x v 9.14.1 and ASA v 9.18.2

AnyConnect clients connect and ASA obtains client ip addresses from dhcp via inside interface on 10.173.96.0/19 network.

Clients are unable to establish connections between each other even though "same-security-traffic permit intra-interface" is enabled, which used to function on older ASA5550 devices.... years ago.

I've been reading up on other conversations and haven't quite reached a conclusion on how to fix this; advice would be appreciated.

18 Replies

balaji.bandi
Hall of Fame
Hall of Fame

Clients are getting IP addresses; do these 2 clients have the same gateway? (I know you mentioned the /19 network and same-security domain.)

Are they able to ping the gateway? Where does the gateway reside?

 

BB


Yes, the gateway is the same for all clients, in this case 10.173.96.1; it is an HSRP address hosted on the local router providing routed access to the rest of the network. Both clients can ping the gateway, just not each other.

 

@nmfoxton  possibly a NAT issue? Create a NAT exemption rule to ensure traffic is not unintentionally translated.

Example:

object network RAVPN
 subnet 192.168.10.0 255.255.255.0
!
nat (OUTSIDE,OUTSIDE) source static RAVPN RAVPN destination static RAVPN RAVPN no-proxy-arp

I assume sysopt connection permit-vpn is still configured and you are not filtering the traffic with an ACL or VPN filter?

If that doesn't work, run packet-tracer from the CLI and provide the output for review.

object network RAVPN
subnet 10.173.96.0 255.255.224.0

nat (Outside,Outside) source static RAVPN RAVPN destination static RAVPN RAVPN no-proxy-arp

Still no joy

@nmfoxton do you have an ACL or VPN filter that controls VPN traffic?

Can you run packet-tracer from the CLI to simulate the traffic flow? Please provide the full output.

Configure AnyConnect VPN Client U-turn Traffic on ASA 9.X - Cisco

Friend, for U-turn there are two cases:
1- tunnel all, and @Rob Ingram mentioned how to solve it
2- split tunnel, and I think you run split tunnel; here you must add the VPN pool to the split ACL to make the client-to-client connection work
Note: you don't need the NAT @Rob Ingram mentioned above if you run split tunnel.

For more info, check the link.

Ah yes, I use split tunnel exclude... we split tunnel certain Microsoft sites outside of the tunnel using an ACL. I suppose as we use exclude that makes it a little difficult adding the VPN address pool to the ACL.

Wait, split exclude is another story.
Split exclude is the same as tunnel all,
so I think you are missing one more NAT.
Please confirm you have:

nat (outside,outside) source static obj-AnyconnectPool obj-AnyconnectPool
destination static obj-AnyconnectPool obj-AnyconnectPool

object network obj-AnyconnectPool <<<<-- this one
nat (outside,outside) dynamic interface

So this? (I've included routes for info)

 

object network obj-AnyConnect-Pool
nat (Outside,Outside) source static obj-AnyConnect-Pool obj-AnyConnect-Pool destination static obj-AnyConnect-Pool obj-AnyConnect-Pool no-proxy-arp
!
object network obj-AnyConnect-Pool
nat (Outside,Outside) dynamic interface
!
route Inside 0.0.0.0 0.0.0.0 10.173.96.1 tunneled
route Outside 0.0.0.0 0.0.0.0 158.230.203.161 1
route management 10.172.0.0 255.254.0.0 158.230.84.21 1
route management 158.230.0.0 255.255.0.0 158.230.84.21 1
route Outside 158.230.100.0 255.255.255.0 158.230.203.161 1
route management 172.17.0.0 255.255.0.0 158.230.84.21 1
route Inside 172.17.9.252 255.255.255.255 10.173.96.1 1
route Inside 172.17.213.28 255.255.255.255 10.173.96.1 1
route management 172.20.0.0 255.254.0.0 158.230.84.21 1
route Inside 172.20.31.34 255.255.255.254 10.173.96.1 1

I think everything is OK now. Did you test?

Still no luck, so I tried starting again using the instructions from here: Configure AnyConnect VPN Client U-turn Traffic on ASA 9.X - Cisco

Obviously I have my groups already working, so it's really the NAT I configure, and I end up with this:

object network obj-inside
subnet 10.173.96.0 255.255.224.0
description Inside network used for clients
object network obj-AnyConnect-clients
range 10.173.96.15 10.173.127.254
description IP Addresses assigned from dhcp to clients

object network obj-inside
nat (Inside,Outside) dynamic interface
object network obj-AnyConnect-clients
nat (Outside,Outside) dynamic interface

 

Still no joy... I'm going to take the weekend off and revisit. It's really annoying as I had this working before, but I now remember that was with IKEv1 on 5550s and it just automatically worked without any additional config.

object network obj-AnyConnect-clients <<- correct 
range 10.173.96.15 10.173.127.254
!
object network obj-AnyConnect-clients <<- correct 
nat (Outside,Outside) dynamic interface

!
object network obj-AnyConnect-Pool <<- need to change. Why? This is what we call auto NAT; we need to make it manual NAT
nat (Outside,Outside) source static obj-AnyConnect-Pool obj-AnyConnect-Pool destination static obj-AnyConnect-Pool obj-AnyConnect-Pool no-proxy-arp

!
Why are there two objects, one ending with clients and the other with Pool??

nat (Outside,Outside) source static obj-AnyConnect-Pool obj-AnyConnect-Pool destination static obj-AnyConnect-Pool obj-AnyConnect-Pool no-proxy-arp  <<<- without adding nat under the object, this nat is called manual NAT
!

object network obj-inside <<- correct, needed for NAT overload of the inside hosts
subnet 10.173.96.0 255.255.224.0
description Inside network used for clients
!
object network obj-inside <<- correct, needed for NAT overload of the inside hosts
nat (Inside,Outside) dynamic interface
object network obj-AnyConnect-clients
nat (Outside,Outside) dynamic interface

 

@nmfoxton if you've got the NAT exemption rule and it still isn't working, do you have an ACL or VPN filter that controls VPN traffic?

 

Can you run packet-tracer from the CLI to simulate the traffic flow? Please provide the full output.

@nmfoxton, this is probably expected, because it seems that AnyConnect clients are assigned IPs from the same subnet as inside interface. ASA will send ARP for the destination IP 10.173.96.x to the inside interface, instead of hairpinning the packet to the outside. You can try to add "route-lookup" and remove "no-proxy-arp", but this may not help. BTW, with the below config AnyConnect users should not be able to ping inside router, because the router will also ARP for the AnyConnect client IP and ASA won't respond ("no-proxy-arp").

object network obj-inside
subnet 10.173.96.0 255.255.224.0

object network obj-AnyConnect-clients
range 10.173.96.15 10.173.127.254

object network obj-AnyConnect-Pool
range 10.173.96.15 10.173.127.254

nat (Outside,Outside) source static obj-AnyConnect-Pool obj-AnyConnect-Pool destination static obj-AnyConnect-Pool obj-AnyConnect-Pool no-proxy-arp

object network obj-inside
nat (Inside,Outside) dynamic interface

object network obj-AnyConnect-clients
nat (Outside,Outside) dynamic interface
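A small checker for the two things this thread turns on, added here as an example and not part of any reply or of Cisco's documentation: it parses ASA object/NAT lines in the style posted above and reports whether the VPN pool range overlaps the inside-interface network (the ARP-instead-of-hairpin problem raised in the last reply) and whether a same-interface manual NAT exemption exists for the pool. The sample config is constructed from the values in the thread (10.173.96.0/19 inside, pool 10.173.96.15-10.173.127.254); the object names and the checker itself are assumptions.

```python
import ipaddress
import re

# Constructed sample in the shape of the ASA snippets posted in this thread.
SAMPLE_CONFIG = """
object network obj-inside
 subnet 10.173.96.0 255.255.224.0
object network obj-AnyConnect-Pool
 range 10.173.96.15 10.173.127.254
nat (Outside,Outside) source static obj-AnyConnect-Pool obj-AnyConnect-Pool destination static obj-AnyConnect-Pool obj-AnyConnect-Pool no-proxy-arp
object network obj-AnyConnect-Pool
 nat (Outside,Outside) dynamic interface
"""

# Manual (twice) NAT identity rule: nat (X,Y) source static P P destination static P P
HAIRPIN_EXEMPT = re.compile(r"^nat \((\w+),(\w+)\) source static (\S+) \3 destination static \3 \3(?=\s|$)")

def parse_objects(config):
    """Map each 'object network' name to its (first, last) IPv4 address pair."""
    objects, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(r"subnet (\S+) (\S+)$", line)):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            objects[current] = (net.network_address, net.broadcast_address)
        elif current and (m := re.match(r"range (\S+) (\S+)$", line)):
            objects[current] = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    return objects

def hairpin_exemptions(config):
    """Object names covered by a same-interface (hairpin) manual NAT exemption."""
    found = []
    for line in config.splitlines():
        m = HAIRPIN_EXEMPT.match(line.strip())
        if m and m.group(1).lower() == m.group(2).lower():
            found.append(m.group(3))
    return found

def check_pool(config, pool_name, inside_names):
    """Findings for a VPN pool: overlap with an inside network, or no hairpin exemption."""
    objs, findings = parse_objects(config), []
    pool = objs[pool_name]
    for name in inside_names:
        first, last = objs[name]
        if pool[0] <= last and first <= pool[1]:  # address ranges intersect
            findings.append(f"{pool_name} overlaps inside network {name}: ASA ARPs on Inside instead of hairpinning")
    if pool_name not in hairpin_exemptions(config):
        findings.append(f"no same-interface NAT exemption (manual/twice NAT) for {pool_name}")
    return findings
```

Calling `check_pool(SAMPLE_CONFIG, "obj-AnyConnect-Pool", ["obj-inside"])` reports only the overlap, since the exemption line is present; a pool moved to a dedicated subnet returns no findings.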