Anyconnect doesn't work across BVI interface

VitaliiN
Level 1

Hello Cisco community.

I have a strange issue when using BVI on an ASA 5506-X. Here is a picture of the current network. I have two interfaces on BVI 1 with one network and two interfaces on BVI 100 with another network.
Servers connected to the BVI 1 interfaces reach each other, and the management interfaces of both servers are accessible from each server too. The strange thing begins when I try to access from outside through the AnyConnect client: I can reach both management interfaces, but only the HV1 interface is accessible through the AnyConnect VPN. The BVIs' configs are the same, I have proper firewall rules for each interface, and same-security-traffic is enabled for the intranet interfaces.
Could anyone help me handle this?

Thanks in advance


6 Replies

Can I see the ASA config?

Sure, take a look at the attachment.

Your config is clearly correct, but
let's test with packet-tracer:

packet-tracer input outside tcp 172.16.113.50 12345 <HV1 or HV2 IP> 80 detail

Please share the output of this.

VitaliiN
Level 1

Just to be sure, I set up a tiny httpd on port 1180 and checked that it is accessible from the 192.168.113.x network.

Here is the packet tracer output:

packet-tracer input outside tcp 172.16.113.50 12345 192.168.113.18 1180

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (HV1,outside) source static NAT_HV1_LAN NAT_HV1_LAN destination static VPN_USERS VPN_USERS
Additional Information:
NAT divert to egress interface HV1
Untranslate 192.168.113.18/1180 to 192.168.113.18/1180

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: HV1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000560ee785c4bb flow (NA)/NA

It seems that I need to create an allowing ACL rule for outside, right?
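To make the denying phase easier to spot when triaging several packet-tracer runs (for example one per BVI member interface), here is a small Python parser for the output format shown above. It is an added example, not code from the thread or from Cisco, and it is fed a shortened copy of the output posted above.

```python
import re

# packet-tracer output copied from the post above (some lines omitted for brevity)
SAMPLE_OUTPUT = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
nat (HV1,outside) source static NAT_HV1_LAN NAT_HV1_LAN destination static VPN_USERS VPN_USERS
Additional Information:
NAT divert to egress interface HV1
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
input-interface: outside
output-interface: HV1
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000560ee785c4bb flow (NA)/NA
"""

# "Key: value" lines; a bare "Result:" line starts the final summary block.
HEADER = re.compile(r"^(Phase|Type|Subtype|Result|Config|Additional Information|Action|Drop-reason|[a-z-]+): ?(.*)$")

def parse_packet_tracer(text):
    """Return {"phases": [one dict per phase], "summary": dict for the final Result block}."""
    phases, summary = [], {}
    current, section = summary, None   # section is "config"/"info" inside free-text blocks
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            section = None
            if key == "Phase":
                current = {"phase": value}
                phases.append(current)
            elif key == "Result" and not value:
                current = summary
            elif key in ("Config", "Additional Information"):
                section = "config" if key == "Config" else "info"
                current[section] = ""
            else:
                current[key.lower()] = value
        elif section and line.strip():   # free-text line under Config:/Additional Information:
            current[section] = (current[section] + " " + line.strip()).strip()
    return {"phases": phases, "summary": summary}

def first_drop(parsed):
    """First phase whose Result is DROP, i.e. where the traced flow was denied."""
    return next((p for p in parsed["phases"] if p.get("result") == "DROP"), None)
```

For the output above, `first_drop` returns phase 2 (ACCESS-LIST, "Implicit Rule") and the summary shows the flow entered on outside and was destined for HV1, which is what points at the missing permit on the outside interface.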


access-list global_mpc extended permit ip object NAT_HV1_LAN any4 <<- why this ACL?

This ACL is used only with service policy rules for traffic inspection.