05-11-2017 03:44 PM
Hello,
I'm curious as to why I can reach our 10.0.0.0/8 network from the AnyConnect VPN pool 192.168.200.100-.200, but not our 172.16.250.0/24 network. The setup is identical on our 5555-X. Do I need a "route-lookup" statement on the (NO DICE) nat? (seen below) 172.16.250.0/24 is statically routed on our ASA:
object network obj-192.168.200.0
subnet 192.168.200.0 255.255.255.0
####
ip local pool VPN-remote 192.168.200.100-192.168.200.200 mask 255.255.255.0
####
access-list VPNIT_splitTunnelAcl standard permit 172.16.250.0 255.255.255.0
nat (inside,any) source static obj-172.16.250.0 obj-172.16.250.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp
####
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 192.168.200.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any4 192.168.200.0 255.255.255.0
access-list cin extended permit ip host 192.168.200.100 host 10.100.10.10 (WORKS FINE)
access-list cin extended permit ip host 10.100.10.10 host 192.168.200.100 (WORKS FINE)
access-list cin extended permit ip host 192.168.200.100 host 172.16.250.5 (DOESN'T WORK)
access-list cin extended permit ip host 172.16.250.5 host 192.168.200.100 (DOESN'T WORK)
nat (any,outside) source static any any destination static obj-192.168.200.0 obj-192.168.200.0
nat (inside,any) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp (WORKS FINE)
nat (inside,any) source static obj-172.16.250.0 obj-172.16.250.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp (NO DICE)
####
C 172.16.250.0 255.255.255.0 is directly connected, management
S 172.16.0.0 255.255.0.0 [1/0] via 10.100.10.1, inside
#####
route inside 10.0.0.0 255.0.0.0 10.100.10.1 1
route inside 172.16.0.0 255.255.0.0 10.100.10.1 1
route management 10.100.0.0 255.255.0.0 172.16.250.1 1
#####
Anyconnect client is showing 172.16.250.0/24 within its secured routes (see attached).
Thank you in advance.
05-13-2017 10:59 AM
Hello,
try to configure your split tunnel ACL like this:
access-list VPNIT_splitTunnelAcl standard permit any4
What does your group policy look like? Can you post the full config?
05-14-2017 03:52 PM
I removed the 3 ACLs seen below and replaced them with what you recommended: "access-list VPNIT_splitTunnelAcl standard permit any4." No sooner did I do this than my home connection to the internet dropped (the AnyConnect tunnel stayed up; I just couldn't get out to the internet from my PC [DNS servers were nowhere to be found]). I could not get to 172.16.250.0/24, but could still get to the only switch I could always get to: 10.20.6.1/24 via AnyConnect.
VPN-REMOTE (THE ONE I USE):
ip local pool VPN-remote 192.168.200.100-192.168.200.200 mask 255.255.255.0
#####
tunnel-group VPNIT type remote-access
tunnel-group VPNIT general-attributes
address-pool VPN-remote
authentication-server-group AAAServers
default-group-policy VPNIT
tunnel-group VPNIT webvpn-attributes
group-alias VPNIT enable
tunnel-group VPNIT ipsec-attributes
ikev1 pre-shared-key *****
######
access-list VPNIT_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list VPNIT_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list VPNIT_splitTunnelAcl standard permit 172.16.250.0 255.255.255.0
ADDING THESE THREE ACLs (ABOVE) BACK AFTER REPLACING THEM WITH THE ACL YOU SUGGESTED BROUGHT MY HOME INTERNET BACK UP IMMEDIATELY.
######
group-policy VPNIT internal
group-policy VPNIT attributes
banner value WARNING! You are attempting to login to the XXXXXX. If you are not authorized, disconnect now! Violators will be prosecuted.
dns-server value 10.20.6.10 10.20.6.60
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNIT_splitTunnelAcl
default-domain value local.XXXXXXXX.org
ssh to a switch on our 172.16.250.0/24 = cannot connect and NO hit count (below). This is also what occurred when replacing these ACLs with the one you recommended (ASA(config)# no access-list VPNIT_splitTunnelAcl standard permit any4)
#####
ASA# sho access-list VPNIT_splitTunnelAcl
access-list VPNIT_splitTunnelAcl; 3 elements; name hash: 0x79907cff
access-list VPNIT_splitTunnelAcl line 1 standard permit 10.0.0.0 255.0.0.0 (hitcnt=0) 0x599a0572
access-list VPNIT_splitTunnelAcl line 2 standard permit 172.16.0.0 255.255.0.0 (hitcnt=0) 0x420bf8d2
access-list VPNIT_splitTunnelAcl line 3 standard permit 172.16.250.0 255.255.255.0 (hitcnt=0) 0x5c5248e8
#####
ASA# sho access-list VPNIT_splitTunnelAcl
access-list VPNIT_splitTunnelAcl; 1 elements; name hash: 0x79907cff
access-list VPNIT_splitTunnelAcl line 1 standard permit any4 (hitcnt=0) 0x7cd6f726
#####
ATTACHMENT: Shows what occurs on the AnyConnect client when I added the ACL you provided.
05-15-2017 12:45 AM
Hello,
sorry for the misunderstanding, I thought your split tunnel access list contained just the one line you originally posted.
Either way, make sure you have the below configured:
access-list VPNIT_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list VPNIT_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.200.0_24
subnet 192.168.200.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network NETWORK_OBJ_172.16.0.0_16
subnet 172.16.0.0 255.255.0.0
ip local pool VPN-remote 192.168.200.100-192.168.200.200 mask 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 no-proxy-arp route-lookup
05-30-2017 03:14 PM
Thank you for your suggestions, however, it still does not work. Here is the entire layout of the AnyConnect VPN:
object network obj-192.168.200.0
subnet 192.168.200.0 255.255.255.0
object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0
object network obj-172.16.0.0
subnet 172.16.0.0 255.255.0.0
#########################
access-list VPNIT_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list VPNIT_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
#########################
nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp route-lookup
#########################
group-policy VPNIT internal
group-policy VPNIT attributes
banner value WARNING! You are attempting to login to XXXXX. If you are not authorized, disconnect now! Violators will be prosecuted.
dns-server value 10.20.6.10 10.20.6.60
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNIT_splitTunnelAcl
default-domain value xxxx.xxxxxx.com
########################
tunnel-group VPNIT type remote-access
tunnel-group VPNIT general-attributes
address-pool VPN-remote
authentication-server-group AAAServers
default-group-policy VPNIT
tunnel-group VPNIT webvpn-attributes
group-alias VPNIT enable
tunnel-group VPNIT ipsec-attributes
ikev1 pre-shared-key *****
########################
route inside 10.0.0.0 255.0.0.0 10.100.10.1 1
route inside 172.16.0.0 255.255.0.0 10.100.10.1 1
I have a feeling it has something to do with this:
ON ASA ITSELF:
C 172.16.250.0 255.255.255.0 is directly connected, management
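The two decisions the thread keeps circling are (1) whether the AnyConnect client sends a given destination into the tunnel at all (the split-tunnel standard ACL) and (2) which interface the ASA's routing table picks for that destination once the packet arrives (longest prefix match). The following Python model, which is an added example and not anything from the thread or from Cisco, reproduces both from the configuration lines posted above using only the standard-library ipaddress module. The ACL lines are copied from the posts; the three "show route" lines are the two posted ones plus one constructed from the posted "route inside 10.0.0.0 255.0.0.0 10.100.10.1 1" command. It shows why the "permit any4" list tunnelled everything (every destination, Internet included, matches 0.0.0.0/0), and that 172.16.250.5 matches the directly connected /24 on the management interface rather than the /16 static route via inside, which is exactly the route entry the original poster points at.

```python
import ipaddress

# Split-tunnel ACLs as posted in the thread (standard ACLs: NETWORK MASK).
SPLIT_ACL_SPECIFIC = [
    "access-list VPNIT_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0",
    "access-list VPNIT_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0",
    "access-list VPNIT_splitTunnelAcl standard permit 172.16.250.0 255.255.255.0",
]
SPLIT_ACL_ANY4 = [
    "access-list VPNIT_splitTunnelAcl standard permit any4",
]

# ASA "show route" style lines. The first two are posted in the thread; the
# third is CONSTRUCTED here from the posted "route inside 10.0.0.0 ..." command.
ROUTE_TABLE = [
    "C 172.16.250.0 255.255.255.0 is directly connected, management",
    "S 172.16.0.0 255.255.0.0 [1/0] via 10.100.10.1, inside",
    "S 10.0.0.0 255.0.0.0 [1/0] via 10.100.10.1, inside",
]


def parse_standard_acl(lines):
    """Turn 'access-list NAME standard permit NET MASK' lines into networks."""
    nets = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "standard" or parts[3] != "permit":
            continue
        if parts[4] in ("any", "any4"):
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            # ipaddress accepts a dotted netmask after the slash.
            nets.append(ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False))
    return nets


def is_tunneled(dst, acl_lines):
    """With split-tunnel-policy tunnelspecified, a destination is tunnelled
    only if it falls inside one of the ACL networks."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in parse_standard_acl(acl_lines))


def parse_route_table(lines):
    """Parse 'C/S NET MASK ... , IFACE' lines into (network, interface, kind)."""
    routes = []
    for line in lines:
        parts = line.split()
        net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        iface = line.rsplit(",", 1)[1].strip()  # text after the last comma
        routes.append((net, iface, parts[0]))
    return routes


def lookup(dst, route_lines=ROUTE_TABLE):
    """Longest-prefix-match lookup: the most specific matching route wins,
    regardless of whether it is connected (C) or static (S).
    Returns (interface, prefixlen, kind) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, kind in parse_route_table(route_lines):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, kind)
    if best is None:
        return None
    return (best[1], best[0].prefixlen, best[2])


if __name__ == "__main__":
    for dst in ("172.16.250.5", "172.16.1.1", "10.100.10.10", "8.8.8.8"):
        print(dst,
              "specific-acl:", is_tunneled(dst, SPLIT_ACL_SPECIFIC),
              "any4-acl:", is_tunneled(dst, SPLIT_ACL_ANY4),
              "route:", lookup(dst))
```

Run it and compare the two ACL columns: with the specific list, 8.8.8.8 stays outside the tunnel, while with "permit any4" it is tunnelled along with everything else, matching the reported loss of home Internet. The route column shows the management /24 winning for 172.16.250.5 while the rest of 172.16.0.0/16 goes out inside.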