03-27-2020 02:31 AM
Hi All,
Looking for suggestions. I am trying to get AnyConnect-to-AnyConnect communication going so that IT can use VNC while everyone is working from home. AnyConnect is working fine to get to the LAN, browse the Internet, etc. The only issue is AnyConnect-to-AnyConnect communication; however, they can ping each other fine.
I have the NAT in place:
1 (OUTSIDE) to (OUTSIDE) source static ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL destination static ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL no-proxy-arp route-lookup translate_hits = 50, untranslate_hits = 50
Access list for testing, allowing one machine out to anywhere:
access-list SSL-STAFF_ACCESS line 1 extended permit ip host 10.68.150.80 any (hitcnt=152) 0x550caee4
Routes for the AnyConnect clients point to OUTSIDE when connected.
But when I test it out it doesn't work, and ASDM tells me the traffic is being denied even though it's allowed:
4 Mar 27 2020 09:10:19 106103 access-list SSL-STAFF_ACCESS denied tcp for user '****' OUTSIDE/10.68.150.80(62448) -> OUTSIDE/10.68.150.141(5900) hit-cnt 1 first hit [0x7d4dcd45, 0x0]
4 Mar 27 2020 09:10:11 106103 access-list SSL-STAFF_ACCESS denied tcp for user '****' OUTSIDE/10.68.150.80(62448) -> OUTSIDE/10.68.150.141(5900) hit-cnt 1 first hit [0x7d4dcd45, 0x0]
Any suggestions?
Thanks
Gary
03-27-2020 02:38 PM
Do you have the config "same-security-traffic permit intra-interface"?
03-30-2020 01:09 AM
Hi BB,
Thanks for the suggestion, but I already have that in place.
03-28-2020 04:29 AM - edited 03-28-2020 04:29 AM
You should check:
1. That the local rules (on the PCs) allow the connection.
2. That all VPN networks are in the split ACL (if you have split tunnelling).
3. That no DAP policy prevents this traffic.
4. That same-interface traffic is permitted (same-security-traffic permit intra-interface).
Hope this helps.
03-30-2020 01:12 AM
Thanks AZ,
1) I have installed Wireshark on the PC and the traffic isn't even making it, so the firewall must be dropping it.
2) No split tunnelling in this situation; everything is being tunnelled.
3) No DAP policy present.
4) Already in place.
Thanks for the suggestions.
03-30-2020 01:32 AM
I feel that the problem is in the NAT, but I'm not able to understand where.
Are you able to provide the full config?
03-30-2020 01:58 AM
Hi AZ,
I can't post the whole config unfortunately.
The NAT around AnyConnect is as follows.
Global PAT:
object network ANYCONNECT-STAFF-POOL
nat (OUTSIDE,OUTSIDE) dynamic interface
NONAT:
nat (OUTSIDE,OUTSIDE) source static ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL destination static ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL no-proxy-arp route-lookup
The thing that is really throwing me off is the AnyConnect access list: even though I have allowed the traffic, ASDM tells me the same access list is dropping it.
access-list SSL-STAFF_ACCESS extended permit ip host 10.68.150.75 any
4 Mar 30 2020 09:23:05 106103 access-list SSL-STAFF_ACCESS denied tcp for user '****' OUTSIDE/10.68.150.75(50296) -> OUTSIDE/10.68.150.56(5900) hit-cnt 1 first hit [0x7d4dcd45, 0x0]
I do have a case with TAC at the moment, but they are pretty stumped also and, in light of what's happening in the world, pretty slow to respond (understandable though).
I'll update the post once I get an answer.
Cheers
03-30-2020 02:41 AM
Hi,
Where and how is that ACL enforced?
Regards,
Cristian Matei.
03-30-2020 01:55 AM
Hi,
Can you post the output of the following: "show run all same", "show run all sysopt", "show run access-group", "show access-list xyz", "show run group-policy xyz", "show run nat", "show run ip local pool".
Regards,
Cristian Matei.
03-30-2020 03:37 AM
Thanks Cristian,
I would rather not post everything from show run nat; if there is something specific you are looking for, let me know. From the NAT side, this is line 1 of the NONAT, so it will be hit first:
nat (OUTSIDE,OUTSIDE) source static ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL destination static ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL no-proxy-arp route-lookup
and this is the PAT for the group:
object network ANYCONNECT-STAFF-POOL
nat (OUTSIDE,OUTSIDE) dynamic interface
Here are the rest of the commands:
show run all same
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
show run all sysopt
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp SERVICES
no sysopt noproxyarp OUTSIDE
no sysopt noproxyarp MANAGED
no sysopt noproxyarp MULTIMEDIA
no sysopt noproxyarp inside
no sysopt noproxyarp HOSTING
no sysopt noproxyarp GUEST-WIFI
no sysopt noproxyarp WLL
no sysopt noproxyarp DMZ
no sysopt noproxyarp MERAKI-DMZ
access-group OUTSIDE_IN in interface OUTSIDE
access-group MANAGED-ACCESS_IN in interface MANAGED
access-group INSIDE_OUT in interface inside
access-group HOSTING in interface HOSTING
access-group WLL_OUT in interface WLL
access-group DMZ in interface DMZ
access-group MERAKI-DMZ-IN in interface MERAKI-DMZ
show run access-list
access-list SSL-STAFF_ACCESS extended permit ip host 10.68.150.75 any
access-list SSL-STAFF_ACCESS extended permit ip ANYCONNECT-STAFF-POOL host 172.30.80.81
access-list SSL-STAFF_ACCESS extended permit ip ANYCONNECT-STAFF-POOL 172.20.0.0 255.255.0.0
access-list SSL-STAFF_ACCESS extended permit tcp ANYCONNECT-STAFF-POOL host 10.68.0.2 eq 3389
access-list SSL-STAFF_ACCESS extended permit tcp ANYCONNECT-STAFF-POOL host 10.68.0.1 eq 3389
access-list SSL-STAFF_ACCESS extended permit ip ANYCONNECT-STAFF-POOL host 172.30.80.37
access-list SSL-STAFF_ACCESS extended permit ip object ANYCONNECT-STAFF-POOL object LAN-IPs
access-list SSL-STAFF_ACCESS extended permit tcp object-group ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL object-group VNC_PORTS
access-list SSL-STAFF_ACCESS extended permit ip ANYCONNECT-STAFF-POOL host 172.30.80.80
access-list SSL-STAFF_ACCESS remark *** Allow Teamviwer ***
access-list SSL-STAFF_ACCESS extended permit tcp ANYCONNECT-STAFF-POOL any eq 5938
access-list SSL-STAFF_ACCESS extended permit udp ANYCONNECT-STAFF-POOL any eq 5938
access-list SSL-STAFF_ACCESS extended permit icmp object-group ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL
access-list SSL-STAFF_ACCESS extended deny ip any any
show run group-policy GP-AC-STAFF
group-policy GP-AC-STAFF internal
group-policy GP-AC-STAFF attributes
banner value Warning:
banner value This system is restricted to authorized users for business purposes only and is subject to the Security Policy.
banner value Unauthorized access or use is a violation of company policy and the law.
banner value
banner value This system may be monitored for administrative and security reasons.
banner value By proceeding, you acknowledge that you have read and understand this notice and you consent to the system monitoring.
wins-server none
dns-server value 10.68.0.111 10.68.0.112
vpn-simultaneous-logins 3
vpn-idle-timeout 20
vpn-filter value SSL-STAFF_ACCESS
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value *******
split-dns value *****
msie-proxy server value 10.68.0.241:8080
msie-proxy method use-server
msie-proxy except-list value *************
msie-proxy local-bypass enable
msie-proxy lockdown disable
webvpn
anyconnect ssl dtls none
anyconnect dtls compression none
anyconnect ssl df-bit-ignore enable
ip local pool STAFF-SSL 10.68.150.25-10.68.150.200 mask 255.255.255.0
03-30-2020 05:24 AM
Hi,
I just want to make sure that I understood correctly. Everything works fine except for AnyConnect-to-AnyConnect traffic, correct? Can you try the following:
1. Remove the VPN filter; this should impose no restrictions, and AC to AC should work, just to confirm.
2. Reapply the filter as follows (I created another object, as I was not sure whether the one you're using has the correct mask/range specified); for the new filter to be correctly applied in the ASP path, you would need to reconnect the AC sessions:
no access-list SSL-STAFF_ACCESS extended permit ip host 10.68.150.75 any
!
object network VPN_POOL
subnet 10.68.150.0 255.255.255.0
!
access-list SSL-STAFF_ACCESS line 1 extended permit ip object VPN_POOL object VPN_POOL
Does it work? If not, can you disconnect the users, enable the debug "debug acl filter", reconnect the users, and post the debug output and the output of the following: "show asp table filter hits", "show asp table filter access-list SSL-STAFF_ACCESS", "show vpn-sessiondb detail anyconnect".
Regards,
Cristian Matei.
03-30-2020 06:43 AM
Hi Cristian,
That is correct: AnyConnect to LAN and LAN to AnyConnect are all fine; just AnyConnect to AnyConnect is the issue.
I have a lot of users on AnyConnect at the moment, so I am reluctant to remove filters and kick people out. I will attempt your suggestions this evening, outside of working hours, and post back with the results.
Thanks for the suggestions.
Gary
03-31-2020 04:27 AM
Hi Cristian,
I didn't get sign-off from the business to test last night, so I couldn't carry out the testing.
I got a remote session with Cisco this morning on the issue. It turns out the access list is ignoring TCP allows. This does not work, but sticking in an IP rule does. The engineer was an AnyConnect VPN engineer and was not sure why, so the case has been escalated to the firewall team for further investigation.
TCP rule:
access-list SSL-STAFF_ACCESS extended permit tcp object-group ANYCONNECT-STAFF-POOL object-group ANYCONNECT-STAFF-POOL object-group VNC_PORTS
IP rule:
access-list SSL-STAFF_ACCESS extended permit ip object-group ANYCONNECT-STAFF-POOL object-group ANYCONNECT-STAFF-POOL
regards
03-31-2020 04:50 AM
Hi,
Are you saying that the VPN filter ACL has to contain IP-only statements? I consider this to be a false statement, as the VPN filter functionality was pretty much designed to restrict VPN traffic at layer 4, since you can only push network routes to the remote VPN client (in the routing table you can't install TCP or UDP routes). What I'm trying to say is that regardless of whether you use split tunnelling or full tunnelling, you push some network routes over to the remote AnyConnect client, and the only way to filter the IP traffic within the tunnel is via the VPN filter, where you are allowed to use TCP/UDP statements.
In your case, since you want to allow all IP traffic, it makes sense to use IP statements, but not because TCP/UDP statements in the VPN filter are ignored. This is not true and looks like a bug.
Regards,
Cristian Matei.
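The thread ends with the TAC case still open, so the following is an added example, not Cisco code and not configuration from the thread beyond the ACE text it quotes. It models the documented vpn-filter semantics (the ACL is written with the VPN client as source and is applied on both sides of a tunnel; for traffic heading towards the client the ASA evaluates it with source/destination addresses and ports swapped) and runs the 106103 denial quoted above through that model for a hairpinned AnyConnect-to-AnyConnect flow, which crosses two tunnels and therefore two filter passes. Under that model a destination-port-only TCP ACE passes on the sender's tunnel but not on the receiver's, while `permit ip` passes both, which is the behaviour reported in the previous two posts; it also tries a source-port ACE as a narrower alternative to `permit ip`. The contents of ANYCONNECT-STAFF-POOL and VNC_PORTS are never printed on the page, so they are assumed here (the pool as the /24 behind `ip local pool STAFF-SSL`, VNC_PORTS as 5900-5901). Whether this is the actual cause on Gary's ASA is not established on the page; it is a hypothesis to test with the asp-table and `debug acl filter` output Cristian asked for.

```python
"""Model of ASA vpn-filter evaluation on a hairpinned AnyConnect-to-AnyConnect
flow.  Added example; not Cisco code.  Object contents are assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# ASSUMED object contents (the thread never shows them).
OBJECTS = {"ANYCONNECT-STAFF-POOL": [ipaddress.ip_network("10.68.150.0/24")]}
PORT_GROUPS = {"VNC_PORTS": {5900, 5901}}


@dataclass
class Ace:
    permit: bool
    proto: str      # "ip", "tcp", "udp", "icmp"
    src: list       # list of ip_network
    sport: object   # set of ports, or None for any
    dst: list
    dport: object


def _addr(tok, i):
    """Parse one ASA address operand at tok[i]; return (networks, next index)."""
    t = tok[i]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
    if t in ("object", "object-group"):
        return OBJECTS[tok[i + 1]], i + 2
    if t in OBJECTS:                      # bare object name, as in the post
        return OBJECTS[t], i + 1
    return [ipaddress.ip_network(f"{t}/{tok[i + 1]}")], i + 2   # "net mask"


def _port(tok, i):
    """Optional port operand: 'eq N' or a service object-group; None = any."""
    if i < len(tok) and tok[i] == "eq":
        return {int(tok[i + 1])}, i + 2
    if i + 1 < len(tok) and tok[i] == "object-group" and tok[i + 1] in PORT_GROUPS:
        return PORT_GROUPS[tok[i + 1]], i + 2
    return None, i


def parse_ace(line):
    tok = line.split()
    if tok[0] == "access-list":           # accept "show run" style lines too
        tok = tok[tok.index("extended") + 1:]
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, _ = _port(tok, i)
    return Ace(tok[0] == "permit", tok[1], src, sport, dst, dport)


def _matches(ace, flow):
    proto, s, sp, d, dp = flow
    if ace.proto not in ("ip", proto):
        return False
    if not any(s in n for n in ace.src) or not any(d in n for n in ace.dst):
        return False
    if ace.sport is not None and sp not in ace.sport:
        return False
    return ace.dport is None or dp in ace.dport


def first_match(acl, flow):
    """Classic first-match walk; no hit means the implicit deny."""
    return next((a.permit for a in acl if _matches(a, flow)), False)


def vpn_filter_allows(acl, client_ip, flow):
    """vpn-filter ACEs put the VPN client in the source position.  Traffic
    going *towards* the client is checked with addresses and ports swapped,
    so the client is again the source (documented ASA behaviour)."""
    proto, s, sp, d, dp = flow
    if s != client_ip:
        flow = (proto, d, dp, s, sp)
    return first_match(acl, flow)


def hairpin_check(acl_lines, flow):
    """A->B between two AnyConnect users: post-decrypt pass on A's tunnel,
    pre-encrypt pass on B's tunnel.  Both passes must permit."""
    acl = [parse_ace(line) for line in acl_lines]
    ingress = vpn_filter_allows(acl, flow[1], flow)
    egress = vpn_filter_allows(acl, flow[3], flow)
    return {"ingress": ingress, "egress": egress, "allowed": ingress and egress}


LOG_RE = re.compile(r"access-list \S+ denied (\w+) for user '[^']*' "
                    r"\S+/([\d.]+)\((\d+)\) -> \S+/([\d.]+)\((\d+)\)")


def flow_from_106103(line):
    """Extract the 5-tuple from an ASA 106103 access-list denial message."""
    proto, s, sp, d, dp = LOG_RE.search(line).groups()
    return (proto, ipaddress.ip_address(s), int(sp), ipaddress.ip_address(d), int(dp))


# The denial quoted in the thread (user name masked as in the post).
SYSLOG = ("4 Mar 30 2020 09:23:05 106103 access-list SSL-STAFF_ACCESS denied tcp "
          "for user '****' OUTSIDE/10.68.150.75(50296) -> OUTSIDE/10.68.150.56(5900) "
          "hit-cnt 1 first hit [0x7d4dcd45, 0x0]")
POOL = "object-group ANYCONNECT-STAFF-POOL"
TCP_ONLY = [f"permit tcp {POOL} {POOL} object-group VNC_PORTS", "deny ip any any"]
IP_RULE = [f"permit ip {POOL} {POOL}", "deny ip any any"]
TCP_BOTH = [f"permit tcp {POOL} {POOL} object-group VNC_PORTS",
            f"permit tcp {POOL} object-group VNC_PORTS {POOL}",  # return leg, source port
            "deny ip any any"]

if __name__ == "__main__":
    flow = flow_from_106103(SYSLOG)
    for name, acl in (("tcp dst-port only", TCP_ONLY), ("ip", IP_RULE), ("tcp both legs", TCP_BOTH)):
        print(f"{name:18s} {hairpin_check(acl, flow)}")
```

Run as-is, the destination-port-only ACL shows ingress permitted and egress denied, which would explain a 106103 denial against an ACL that visibly permits the flow; `permit ip` and the two-ACE TCP variant both pass. If the real ASA disagrees with the model, `show asp table filter access-list SSL-STAFF_ACCESS` is the place to see what was actually compiled.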
03-31-2020 04:58 AM
Hi Cristian,
I think you misunderstood me. I didn't say you cannot use them, but that they are not working for me.
I also think this is a bug on my firewall.
It's with the Cisco firewall team now anyway, and they will inform me what they find.
Thanks for the suggestions all the same.
regards