950 Views | 5 Helpful | 5 Replies

AnyConnect U-Turn for Specific Public IP

mumbles202 (Level 5)

I currently have AnyConnect set up and working for remote access to internal resources. Now I'm trying to set it up so that remote-access clients have access to a single public IP (say 1.1.1.1) through the tunnel without enabling tunnelall.

 

I modified the configuration as follows:

 

same-security-traffic permit intra-interface

access-list anyconnect standard permit 1.1.1.1 255.255.255.255

object network obj-Anyconnect-24
 nat (management,management) dynamic interface

 

where the ACL anyconnect is the one in use in the GP and the object obj-Anyconnect-24 aligns with the IP pool set up for AnyConnect users. This is an ASAv in Azure, so the public IP is on the management interface. Packet tracer shows the packets should hit the correct NAT policy, but it shows a drop (I've tested with the source IP of both a connected and a non-connected user to rule that out). Am I missing something, or do I need to tunnel all traffic for this to work?

Accepted Solution

I am not sure, but this is an interesting one.

 

same-security-traffic permit intra-interface

object network obj-Anyconnect-2
nat (management,management) source dynamic obj-Anyconnect-2 interface

 

The configuration above tells the remote user they can go to Google (as an example) with the ASA management (public) IP as the source.

!

access-list anyconnect standard permit 1.1.1.1 255.255.255.255

nat (management,management) source static any any destination static obj-Anyconnect-2 obj-Anyconnect-2 no-proxy-arp route-lookup

 

 

please do not forget to rate.

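To put the pieces of the thread together, here is an added, consolidated example; it is not configuration from this thread or from Cisco, and every address and name in it is a placeholder. It assumes a VPN pool of 192.168.200.0/24, an internal network 10.0.0.0/8 behind an interface named inside, a public-facing interface named management as in the thread, and 1.1.1.1 as the single public host to reach. It also shows how the targeted hairpin rule sits alongside a broad nat (any,management) dynamic interface object rule, which is the combination the follow-up question in this thread asks about.

```text
! Added example, not from the thread. All addresses and names are placeholders.
same-security-traffic permit intra-interface
!
ip local pool ANYCONNECT-POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
!
object network OBJ-ANYCONNECT-POOL
 subnet 192.168.200.0 255.255.255.0
object network OBJ-INTERNAL
 subnet 10.0.0.0 255.0.0.0
object network OBJ-TARGET-PUBLIC
 host 1.1.1.1
!
! Split tunnel: only the internal networks and the one public host are sent
! through the tunnel; everything else leaves the client's local Internet link.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT-TUNNEL standard permit host 1.1.1.1
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Manual (twice) NAT rules are evaluated first (section 1), top to bottom.
! 1. Identity NAT so VPN clients reach internal hosts with their pool address.
nat (management,inside) source static OBJ-ANYCONNECT-POOL OBJ-ANYCONNECT-POOL destination static OBJ-INTERNAL OBJ-INTERNAL no-proxy-arp route-lookup
! 2. Hairpin: a VPN client going to 1.1.1.1 enters and leaves "management".
!    Scoping the rule with "destination static" PATs only that flow to the
!    interface address, rather than every destination that reaches the ASA.
nat (management,management) source dynamic OBJ-ANYCONNECT-POOL interface destination static OBJ-TARGET-PUBLIC OBJ-TARGET-PUBLIC
!
! The broad object NAT rule (section 2) still serves inside-to-Internet traffic.
! It is evaluated after the manual rules above, so it does not shadow rule 2.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (any,management) dynamic interface
!
! Verification: simulate a VPN client hitting the target host. The trace should
! pick the (management,management) rule in its NAT phase and end in ALLOW.
packet-tracer input management tcp 192.168.200.10 40000 1.1.1.1 443
show nat detail
```

Two caveats for the Azure case in the question. The instance-level public IP in Azure is a 1:1 translation performed by the platform, so the ASAv interface itself carries a private address: "interface" PAT translates to that private address and Azure maps it to the public IP on the way out, and the NSG on that NIC has to allow the hairpinned flow and its return traffic. Second, without the "destination static" scoping, the split-tunnel ACL becomes the only thing stopping clients from using the ASA's public IP as an outbound proxy for arbitrary destinations, so keep both the ACL and the NAT rule narrowed to the host you actually intend to expose.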

5 Replies

Thanks for the post. I'll try to apply this and test. Curious: if this configuration is also present, would there be any issue?

 

object network obj_any
 subnet 0.0.0.0 0.0.0.0

object network obj_any
 nat (any,management) dynamic interface

Try this:

nat (any,management) source static any any destination static obj-Anyconnect-2 obj-Anyconnect-2 no-proxy-arp route-lookup

 

 

Also, could you change it to tunnel all and try whether it works?

please do not forget to rate.

Thanks for the assistance. I changed this:

 

object network obj-Anyconnect-2
nat (management,management) source dynamic obj-Anyconnect-24 interface

 

and

 

nat (management,management) source static any any destination static obj-Anyconnect-24 obj-Anyconnect-24 no-proxy-arp route-lookup

 

and removed the old NATs, and that worked out.

Wow, interesting. To be honest, I was very keen to see this working and was waiting for your response. Glad it worked out for you.

please do not forget to rate.