Anyconnect IP pool part of LAN subnet?

Larry Sullivan
Level 3

I know I've seen this question asked, but I haven't really seen any definitive answers.

Question: Can you have an Anyconnect IP pool that is a portion of a subnet on the inside LAN?

Data:

Firepower 4110 and FMC

Subnet in question 192.168.14.0/23

VPN pool is 192.168.15.128-87

Static on 6500 pointing to Firepower inside interface is ip route 192.168.15.128 255.255.255.192 10.1.1.1


1.) I've done NAT exemption.  The VPN clients can reach other private IP subnets on the LAN including the HSRP GW (192.168.14.1) and physical interface IP (192.168.14.5) of the subnet on the 6500 attached to the Firepower.  It just can't reach any other IPs in the subnet.

2.) Packet capture on VPN client does not show a ping coming FROM the 6500 192.168.14.5 (times out) although pings from VPN client 192.168.15.128 to 192.168.14.5 do succeed.

3.) Packet capture w/trace on Firepower from 192.168.14.5 to VPN client 192.168.15.128 will show the packet but no traces or echo replies from VPN client. 


My initial thought was to do a static for the VPN pool pointing to the outside interface, but whenever I look under the available networks for destinations, or even create my own object with the VPN pool range and refresh, it isn't an option to choose.


Is it possible to use an IP range from an inside subnet for the VPN pool and have those IPs communicate with the rest of the subnet on the LAN? 


Thanks.

1 Accepted Solution

Accepted Solutions

Cristian,


Yeah, I have tracked it down to ARP not traversing the Firepower interface.  I tried all combinations of proxy-arp and route lookup to no avail.  As a workaround I'm thinking of doing static ARP entries on the 6500.


Edit: Figured it out.  Enable proxy-arp and route-lookup.  The issue was the SVI on the 6500 had proxy-arp disabled.  Enabled that and bam. 

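A quick sanity check for the design discussed in this thread (a VPN pool carved out of an inside LAN subnet). This is an added example, not something from the thread or from Cisco; it assumes the pool runs from 192.168.15.128 through .187 (the post writes "128-87") and uses the /23 LAN and the /26 static route from the question. It reports which inside subnets the pool overlaps (where the firewall must answer ARP), any pool blocks no static route sends to the firewall, static routes that would lose longest-prefix match to the switch's connected route, and how many extra addresses the static route drags to the firewall beyond the pool.

```python
import ipaddress


def pool_blocks(first: str, last: str):
    """Smallest set of CIDR blocks that exactly covers the pool range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def check_pool(first: str, last: str, lan_subnets, static_routes):
    """Check a VPN pool against the inside subnets and the L3 switch's static routes.

    Returns a dict of findings:
      overlapping_lans:  inside subnets the pool sits in (firewall must proxy-ARP there)
      uncovered:         pool blocks that no static route sends to the firewall
      not_more_specific: static routes that would lose to the switch's connected LAN route
      route_extra:       addresses the static routes send to the firewall that are not pool IPs
    """
    blocks = pool_blocks(first, last)
    lans = [ipaddress.ip_network(s) for s in lan_subnets]
    routes = [ipaddress.ip_network(s) for s in static_routes]

    overlapping = [str(lan) for lan in lans if any(b.overlaps(lan) for b in blocks)]
    uncovered = [str(b) for b in blocks if not any(b.subnet_of(r) for r in routes)]
    # The switch already has a connected route for the LAN; a static route toward the
    # firewall only wins longest-prefix match if it is longer than the connected prefix.
    not_more_specific = [str(r) for r in routes for lan in lans
                         if r.overlaps(lan) and r.prefixlen <= lan.prefixlen]
    pool_addrs = {a for b in blocks for a in b}
    route_addrs = {a for r in routes for a in r}
    return {
        "overlapping_lans": overlapping,
        "uncovered": uncovered,
        "not_more_specific": not_more_specific,
        "route_extra": len(route_addrs - pool_addrs),
    }


if __name__ == "__main__":
    # Values from the thread; the pool's upper bound (.187) is an assumption.
    print(check_pool("192.168.15.128", "192.168.15.187",
                     ["192.168.14.0/23"], ["192.168.15.128/26"]))
```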

4 Replies

Cristian Matei
VIP Alumni

Hi,


I would recommend using a dedicated subnet for the VPN pool, to avoid running into possible problems further down the road. If, for whatever reason, you have to keep it as it is, the devices in the specific subnet will ARP in order to reach devices that look to be in the same subnet (like VPN clients that are actually attached behind a layer 3 device, your firewall), so your firewall needs to answer to ARP requests for the VPN pool range on the inside interface. Configure identity NAT for the VPN pool, but ensure to match only the VPN pool range, no other IPs.


Regards,

Cristian Matei.

Already configured NAT exempt, which seems to be the same for this case.  Eventually we will implement a new subnet for the VPN pool, but for now if there is a way to get this setup to work I need to use it.  All documentation I read says to do no proxy-arp on the NAT exempt and some also say to do route lookup.  I tried with and without these... no luck.  Feel like I'm missing something that could get this working.

Hi,


It has to work, but leave proxy-arp enabled. Route-lookup is needed for your case. So you need proxy-arp and no route-lookup.

How have you configured the "Bypass Access Control Policy for decrypted traffic"? Based on this, you would need or not need an ACP for VPN traffic. Check this document as a reference.


Regards,

Cristian Matei.
