11-24-2010 11:41 AM - edited 02-21-2020 04:59 PM
Hi everyone, I have a 5550 ASA running version 8.2(1) which is being used to tunnel between sites and also serves as a remote access server. AnyConnect TCP/UDP client traffic that is tunneled to other sites via the site-to-site VPN fails.
I get these in the logs (either RST or SYN/ACK):
6 Nov 24 2010 12:06:48 106015 10.13.2.1 80 10.6.1.102 15996 Deny TCP (no connection) from 10.13.2.1/80 to 10.6.1.102/15996 flags RST ACK on interface outside
ICMP traffic is OK, as I can ping units in remote sites.
10.13.0.0/16 is the remote site and 10.6.1.0/24 is the VPN client subnet.
10.6.1.254 is another router connected to the same segment.
Internet is being routed to another ASA on the same segment.
I have run out of ideas; can anyone shed some light?
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ASA Version 8.2(1)
!
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 22.33.44.55 255.255.255.192
!
interface GigabitEthernet1/0
 nameif inside
 security-level 100
 ip address 10.6.1.249 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object-group network CANADA
 network-object 10.6.0.0 255.255.0.0
!
object-group network UK
 network-object 10.13.0.0 255.255.0.0
!
access-list nonat extended permit ip object-group CANADA object-group UK
access-list 113 extended permit ip object-group CANADA object-group UK
!
mtu outside 1500
mtu management 1500
mtu inside 1500
ip local pool AnyConnect_Pool1 10.6.1.101-10.6.1.199 mask 255.255.255.0
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 22.33.44.56 1
route inside 10.6.0.0 255.255.0.0 10.6.1.254 1
route inside 0.0.0.0 0.0.0.0 10.6.1.254 tunneled
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD
!
crypto map vpn 113 match address 113
crypto map vpn 113 set peer 100.200.100.200
crypto map vpn 113 set transform-set ESP-AES-256-SHA
crypto map vpn 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
!
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy thqmtl_AnyConnect internal
group-policy thqmtl_AnyConnect attributes
 wins-server value 10.6.4.10 10.3.4.10
 dns-server value 10.6.4.10 10.3.4.10
 vpn-simultaneous-logins 3
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 group-lock none
 split-tunnel-policy tunnelall
 default-domain value notimportant.com
 vlan none
 address-pools value AnyConnect_Pool1
 webvpn
  svc keep-installer installed
  svc rekey time 60
  svc rekey method ssl
  svc ask none default svc
!
tunnel-group 100.200.100.200 type ipsec-l2l
tunnel-group 100.200.100.200 ipsec-attributes
 pre-shared-key *
tunnel-group AnyConnect_SSL type remote-access
tunnel-group AnyConnect_SSL general-attributes
 address-pool AnyConnect_Pool1
 authentication-server-group LDAP
 authentication-server-group (inside) LDAP
 default-group-policy thqmtl_AnyConnect
tunnel-group AnyConnect_SSL webvpn-attributes
 group-alias AnyConnect_SSL enable
!
: end
11-24-2010 04:35 PM
To start with, the AnyConnect pool should not be in the same subnet as the inside network, as essentially the AnyConnect pool should really exist on the outside network.
Secondly, what is the reason for configuring "route inside 0.0.0.0 0.0.0.0 10.6.1.254 tunneled"?
Once you have changed the AnyConnect pool to a unique subnet range, you would need to add the AnyConnect pool subnet to the site-to-site VPN crypto ACL on both sides as follows:
On this ASA: access-list 113 permit ip
On the remote ASA: the corresponding ACL and mirror image of the above: access-list
Then you would need to clear the tunnels and reconnect AnyConnect to test the connectivity to the remote site.
Hope that helps.
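The two conditions the answer above asks for (the pool must not sit in the inside subnet, and the pool must appear as a source in the site-to-site crypto ACL with a mirror-image entry on the peer) can be checked mechanically before the tunnels are cleared. The script below is an added example written for this thread; it is not code from the poster or from Cisco. It parses only the ASA statements the checks need from the config posted in the question, and its "fixed" fragment uses an assumed replacement pool (192.168.250.0/24) and an assumed object-group name (ANYCONNECT); the remote peer's ACL contents are likewise constructed, since the thread does not show them.

```python
"""Added example for this thread (not the poster's or Cisco's code). It parses
an ASA 8.2 config excerpt and checks the two points made in the answer: (1) the
AnyConnect pool must not overlap the inside subnet, (2) the pool must be a
source in the site-to-site crypto ACL and the peer's ACL must be its mirror."""
import ipaddress
import re

# Constructed sample: the relevant lines from the config posted in the question.
ORIGINAL_CONFIG = """
interface GigabitEthernet1/0
 nameif inside
 ip address 10.6.1.249 255.255.255.0
object-group network CANADA
 network-object 10.6.0.0 255.255.0.0
object-group network UK
 network-object 10.13.0.0 255.255.0.0
access-list 113 extended permit ip object-group CANADA object-group UK
ip local pool AnyConnect_Pool1 10.6.1.101-10.6.1.199 mask 255.255.255.0
"""

# Constructed "after" fragment: the 192.168.250.0/24 range and the object-group
# name ANYCONNECT are assumptions, not values from the thread.
FIXED_CONFIG = """
interface GigabitEthernet1/0
 nameif inside
 ip address 10.6.1.249 255.255.255.0
object-group network UK
 network-object 10.13.0.0 255.255.0.0
object-group network ANYCONNECT
 network-object 192.168.250.0 255.255.255.0
access-list 113 extended permit ip object-group ANYCONNECT object-group UK
ip local pool AnyConnect_Pool1 192.168.250.10-192.168.250.200 mask 255.255.255.0
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)")


def parse_asa(text):
    """Collect interfaces, network object-groups, ACL entries and local pools."""
    cfg = {"ifaces": {}, "groups": {}, "acls": {}, "pools": {}}
    ctx = None  # current sub-mode: ("iface", name) or ("group", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            ctx = None
            continue
        tok = line.split()
        if tok[0] == "interface":
            ctx = ("iface", tok[1])
            cfg["ifaces"][tok[1]] = {}
        elif tok[0] == "nameif" and ctx and ctx[0] == "iface":
            cfg["ifaces"][ctx[1]]["nameif"] = tok[1]
        elif tok[:2] == ["ip", "address"] and ctx and ctx[0] == "iface":
            cfg["ifaces"][ctx[1]]["net"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif tok[:2] == ["object-group", "network"]:
            ctx = ("group", tok[2])
            cfg["groups"][tok[2]] = []
        elif tok[0] == "network-object" and ctx and ctx[0] == "group":
            cfg["groups"][ctx[1]].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok[:3] == ["ip", "local", "pool"]:
            first, last = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif ACL_RE.match(line):
            name, src, dst = ACL_RE.match(line).groups()
            cfg["acls"].setdefault(name, []).append((src, dst))
    return cfg


def pool_networks(cfg, pool_name):
    """The pool's first-last range expressed as CIDR blocks."""
    return list(ipaddress.summarize_address_range(*cfg["pools"][pool_name]))


def acl_entries(cfg, acl_name):
    """Expand an object-group based ACL into (src_net, dst_net) pairs."""
    return {(s, d) for sg, dg in cfg["acls"].get(acl_name, [])
            for s in cfg["groups"][sg] for d in cfg["groups"][dg]}


def pool_overlaps_interface(cfg, pool_name, nameif="inside"):
    """Point 1: does any pool address fall inside the named interface's subnet?"""
    net = next(i["net"] for i in cfg["ifaces"].values() if i.get("nameif") == nameif)
    return any(block.overlaps(net) for block in pool_networks(cfg, pool_name))


def crypto_acl_covers_pool(cfg, acl_name, pool_name, remote_net):
    """Point 2a: is every pool address a permitted source towards remote_net?"""
    remote, entries = ipaddress.ip_network(remote_net), acl_entries(cfg, acl_name)
    return all(any(b.subnet_of(s) and remote.subnet_of(d) for s, d in entries)
               for b in pool_networks(cfg, pool_name))


def is_mirror_image(local_entries, remote_entries):
    """Point 2b: the peer's crypto ACL must be the exact reverse of ours."""
    return {(d, s) for s, d in local_entries} == set(remote_entries)


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse_asa(text)
        print(label, pool_overlaps_interface(cfg, "AnyConnect_Pool1"),
              crypto_acl_covers_pool(cfg, "113", "AnyConnect_Pool1", "10.13.0.0/16"))
```

On the config as posted, the overlap check is the one that fires: the pool 10.6.1.101-199 lies in the inside interface's 10.6.1.0/24, while ACL 113 already covers it as a source because 10.6.1.0/24 is inside CANADA's 10.6.0.0/16. After the pool is moved to a range outside 10.6.0.0/16, the coverage check fails until the new object-group is added to ACL 113, which is exactly the extra step the answer describes; the mirror check then compares the expanded local entries against whatever the peer's ACL is known to contain.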