09-15-2017 07:28 AM - edited 03-12-2019 04:32 AM
Hi there,
I'm struggling with the following:
The situation is as follows:
I have an ASA 5512X at our main office (LAN 192.168.12.X and 192.168.14.X). Behind the ASA in the LAN network is a router which routes to 2 other offices with their own network subnets (192.168.10.x and 192.168.15.x).
When we make a VPN AnyConnect connection, I can ping and connect to devices in the 192.168.12.x and 192.168.14.x networks. But I cannot access or ping 192.168.10.x and 192.168.15.0, which are reachable via router 192.168.12.100.
Below is the config of the ASA 5512X; please advise.
: Saved
:
: Serial Number: FCH210676AV
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
: Written by admin at 16:09:58.647 CEDT Fri Sep 15 2017
!
ASA Version 9.6(3)1
!
hostname ASA5512X-VBK
domain-name company.local
enable password rkFxeLNX6Jlr4Q/9 encrypted
names
ip local pool DHCP-VPN-Clients 10.0.0.1-10.0.0.100 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address 172.99.99.134 255.255.255.248
!
interface GigabitEthernet0/1
nameif LAN
security-level 100
ip address 192.168.12.254 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.20.254 255.255.255.0
!
interface GigabitEthernet0/3
nameif WLAN
security-level 20
ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa963-1-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup WAN
dns domain-lookup LAN
dns domain-lookup DMZ
dns domain-lookup management
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name company.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ASA5512X-company
host 172.99.99.134
description WAN Address Cisco ASA 5512-X company
object network mailserver_Server_LAN
host 192.168.12.44
description company Microsoft Exchange 2010 Server LAN
object network mailserver_Server_WAN
host 172.99.99.130
description company Microsoft Exchange 2010 Server WAN
object network VLAN20-Subnet
subnet 192.168.20.0 255.255.255.0
description VLAN 20 Subnet company Camera LAN
object network mailserver_Server_LAN_SMTP
host 192.168.12.44
description company Microsoft Exchange 2010 Server LAN SMTP
object network mailserver_Server_LAN_HTTPS
host 192.168.12.44
description company Microsoft Exchange 2010 Server LAN HTTPS
object network Outside_CAM_WAN
host 172.99.99.132
object network CameraNAS_HTTP_LAN
host 192.168.20.200
description company Camera NAS DMZ
object network CameraNAS_LAN
host 192.168.20.200
description company Camera NAS DMZ
object network company_Network
subnet 0.0.0.0 0.0.0.0
object network WLAN_WAN
subnet 192.168.100.0 255.255.255.0
object network VLAN14_Gateway
host 192.168.14.201
object network location3
subnet 192.168.10.0 255.255.255.0
object network Luna_Server_LAN
host 192.168.12.42
object network Luna_Server_WAN
host 172.99.99.131
object service FTP_60510
service tcp source eq 60510 destination eq 60510
description FTP Service Luna 60510
object network Luna_Server_LAN_FTP
host 192.168.12.42
description company Luna FTP
object network Luna_Server_LAN_FTP-DATA
host 192.168.12.42
description company Luna FTP-DATA
object network Luna_Server_LAN_FTP60510
host 192.168.12.42
description company Luna FTP60510
object network Luna_Server_LAN_FTP_DATA
object network Inside-Camera
host 192.168.20.200
object network DMZ-Network
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0
subnet 10.0.0.0 255.255.255.0
object network ZWWinkel
subnet 192.168.14.0 255.255.255.0
object network location2
subnet 192.168.15.0 255.255.255.0
object-group service mailserver-Services
service-object tcp destination eq smtp
service-object tcp destination eq https
object-group network INTERNAL-NETWORKS
description All Internal Networks
network-object 192.168.10.0 255.255.255.0
network-object 192.168.12.0 255.255.255.0
network-object 192.168.14.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
object-group service Camera-Services
service-object tcp destination eq www
object-group network mainlocation_Subnet
network-object 192.168.12.0 255.255.255.0
network-object 192.168.14.0 255.255.255.0
object-group service Luna-Services
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object object FTP_60510
access-list outside_inside extended permit icmp any any echo
access-list outside_inside extended permit udp any any range 33434 33523
access-list outside_inside extended permit icmp any any time-exceeded
access-list outside_inside extended permit icmp any any source-quench
access-list outside_inside extended permit icmp any any echo-reply
access-list outside_inside extended permit icmp any any unreachable
access-list outside_inside extended permit object-group mailserver-Services any object mailserver_Server_LAN
access-list outside_inside extended permit object-group Camera-Services any object CameraNAS_LAN
access-list outside_inside extended permit object-group Luna-Services any object Luna_Server_LAN
access-list outside_inside extended deny ip any any
access-list ICMPACL extended permit icmp any any
access-list outbound extended permit tcp host 192.168.12.44 any eq smtp
access-list outbound extended deny tcp any any eq smtp
access-list outbound extended permit ip any any
access-list Internal-LAN standard permit 192.168.12.0 255.255.255.0
access-list Internal-LAN standard permit 192.168.10.0 255.255.255.0
access-list Internal-LAN standard permit 192.168.15.0 255.255.255.0
access-list Internal-LAN standard permit 192.168.14.0 255.255.255.0
access-list Internal-LAN standard permit 192.168.20.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
mtu WLAN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
arp rate-limit 8192
nat (LAN,WAN) source static any any destination static NETWORK_OBJ_10.0.0.0 NETWORK_OBJ_10.0.0.0 no-proxy-arp route-lookup
!
object network mailserver_Server_LAN
nat (LAN,WAN) static mailserver_Server_WAN
object network mailserver_Server_LAN_SMTP
nat (LAN,WAN) static mailserver_Server_WAN service tcp smtp smtp
object network mailserver_Server_LAN_HTTPS
nat (LAN,WAN) static mailserver_Server_WAN service tcp https https
object network CameraNAS_HTTP_LAN
nat (DMZ,WAN) static Outside_CAM_WAN service tcp www www
object network company_Network
nat (LAN,WAN) dynamic interface
object network WLAN_WAN
nat (WLAN,WAN) dynamic interface
object network Luna_Server_LAN_FTP
nat (LAN,WAN) static Luna_Server_WAN service tcp ftp ftp
object network Luna_Server_LAN_FTP-DATA
nat (LAN,WAN) static Luna_Server_WAN service tcp ftp-data ftp-data
object network Luna_Server_LAN_FTP60510
nat (LAN,WAN) static Luna_Server_WAN service tcp 60510 60510
access-group outside_inside in interface WAN
access-group outside_inside in interface DMZ
route WAN 0.0.0.0 0.0.0.0 172.99.99.129 1
route LAN 192.168.10.0 255.255.255.0 192.168.12.100 1
route LAN 192.168.14.0 255.255.255.0 192.168.14.201 1
route LAN 192.168.15.0 255.255.255.0 192.168.12.100 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
aaa-server VBK-Radius protocol radius
aaa-server VBK-Radius (LAN) host 192.168.12.43
key *****
radius-common-pw **********
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.0.0 LAN
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint vpn.company.nl
enrollment terminal
subject-name CN=vpn.company.nl,OU=ICT,O=company BV,C=NL,St=Zuid-Holland
crl configure
crypto ca trustpool policy
crypto ca certificate chain vpn.company.nl
certificate 776dbc8a918b3823c4c3b68eb379a36f
3082055d 30820445 a0030201 02021077 6dbc8a91 8b3823c4 c3b68eb3 79a36f30
0d06092a 864886f7 0d01010b 05003081 90310b30 09060355 04061302 4742311b
30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
03550407 13075361 6c666f72 64311a30 18060355 040a1311 434f4d4f 444f2043
41204c69 6d697465 64313630 34060355 0403132d 434f4d4f 444f2052 53412044
6f6d6169 6e205661 6c696461 74696f6e 20536563 75726520 53657276 65722043
41301e17 0d313730 37313030 30303030 305a170d 32303037 30393233 35393539
5a305731 21301f06 0355040b 1318446f 6d61696e 20436f6e 74726f6c 2056616c
69646174 65643114 30120603 55040b13 0b506f73 69746976 6553534c 311c301a
06035504 03131376 706e2e62 656d6d65 6c2d6b72 6f6f6e2e 6e6c3082 0122300d
06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100a4 e56f46d8
a5002fdd 2498943e 53076e8c e4953dcc 2d0ac1fe cbdd2a47 90bbd154 e5787660
50e3c261 31a7c7d1 58f3a7cb ddc16989 5248aa16 d2e71c32 f88b30ee 2f432e5e
3b542ad4 1413f360 bc8e3fe2 6bd53344 4e8035bb 039e9f56 41909343 f0f88a5e
06ebb4f3 e41ae8e4 1b540089 8de5ba6f 94d3fa17 d3c4689c 5c41069a 4fb861e4
5be736de 9f45ff69 cd410c86 1f6c7f82 f862f408 5a514194 6cd740ac 7fc38d60
2eb0a3fd dda3ce2d d1e42830 d4e6633b 07360f44 ae85c2a2 81592f28 6d5b6663
eadf51c4 98b3b59b d7d3bc33 e8f9726f 6870352a d19ed052 66428988 5a8e952d
7866731e 4bf2aeb5 c49b1b0d 8d09249c 778702ab 8a0ae988 e0269f02 03010001
a38201e9 308201e5 301f0603 551d2304 18301680 1490af6a 3a945a0b d890ea12
5673df43 b43a28da e7301d06 03551d0e 04160414 848ea047 78747a13 40c52e5c
82543cb5 c448e14b 300e0603 551d0f01 01ff0404 030205a0 300c0603 551d1301
01ff0402 3000301d 0603551d 25041630 1406082b 06010505 07030106 082b0601
05050703 02304f06 03551d20 04483046 303a060b 2b060104 01b23101 02020730
2b302906 082b0601 05050702 01161d68 74747073 3a2f2f73 65637572 652e636f
6d6f646f 2e636f6d 2f435053 30080606 67810c01 02013054 0603551d 1f044d30
4b3049a0 47a04586 43687474 703a2f2f 63726c2e 636f6d6f 646f6361 2e636f6d
2f434f4d 4f444f52 5341446f 6d61696e 56616c69 64617469 6f6e5365 63757265
53657276 65724341 2e63726c 30818506 082b0601 05050701 01047930 77304f06
082b0601 05050730 02864368 7474703a 2f2f6372 742e636f 6d6f646f 63612e63
6f6d2f43 4f4d4f44 4f525341 446f6d61 696e5661 6c696461 74696f6e 53656375
72655365 72766572 43412e63 72743024 06082b06 01050507 30018618 68747470
3a2f2f6f 6373702e 636f6d6f 646f6361 2e636f6d 30370603 551d1104 30302e82
1376706e 2e62656d 6d656c2d 6b726f6f 6e2e6e6c 82177777 772e7670 6e2e6265
6d6d656c 2d6b726f 6f6e2e6e 6c300d06 092a8648 86f70d01 010b0500 03820101
0085fa8d fa7f4006 43d4b5a0 c1876130 14b3e7f6 b637f477 99d95aaf 408a36a2
97c37e6b 2dc08b8e 9605d650 6190d799 b8427472 69284993 238d0bd2 422db8ae
ce1eddad 6e7b7de8 adbee03c 3dfaecc8 dcb973ff 4c4984c5 7b869514 ee1fd4af
7120c457 7a1d658d 42748e94 beb87e2d 7c32a51d 030ad564 92f41f94 ad3b1f8a
d7a6b602 aff948c9 5be324fa 3dfcb32b 77ade144 6173e2f9 3e5bac5c e1676d2c
fce89762 5898610e 0a4d9eb5 c5526ee4 70cb4ea4 4cfa6094 ab94bec2 9c6e371b
89531033 253e8f5e c7aa6de8 a3b62158 9b3c8d30 d6574cbe c01077de 62d40268
ce471630 ea7321ab dbcdfa19 4bb0385a a9d7e685 032a2b68 de2d1a30 75178fb7
8d
quit
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.0.0 255.255.0.0 LAN
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh cipher encryption all
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.100.1-192.168.100.200 WLAN
dhcpd dns 8.8.8.8 8.8.4.4 interface WLAN
dhcpd enable WLAN
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.12.43 source LAN prefer
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point vpn.company.nl WAN
ssl trust-point vpn.company.nl LAN
ssl trust-point vpn.company.nl DMZ
webvpn
enable WAN
anyconnect image disk0:/anyconnect-macos-4.5.00058-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.5.00058-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_vpn.company.nl internal
group-policy GroupPolicy_vpn.company.nl attributes
wins-server none
dns-server value 192.168.12.43 192.168.12.35
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Internal-LAN
default-domain value company.local
dynamic-access-policy-record DfltAccessPolicy
username admin password SepHHjScvkb8.RYh encrypted privilege 15
tunnel-group vpn.company.nl type remote-access
tunnel-group vpn.company.nl general-attributes
address-pool DHCP-VPN-Clients
authentication-server-group VBK-Radius
default-group-policy GroupPolicy_vpn.company.nl
tunnel-group vpn.company.nl webvpn-attributes
group-alias vpn.company.nl enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect ip-options
inspect tftp
inspect ftp
inspect skinny
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:695d22ecea89b5d93e89e56f2fdfcc5c
09-15-2017 08:42 AM
Hello,
First thing to consider: do the 192.168.10.x and 192.168.15.0 hosts know how to reply back?
When they get a packet whose source IP address is from somewhere else, what do they do? If they do not have a static route to this IP, they send it to the default gateway. What is the default gateway of those hosts?
09-15-2017 08:54 AM
Flavio,
I know what you mean. The default gateway at 192.168.10.x and 192.168.15.x is going to send it to the internet gateway. This is because the IP ranges of the VPN clients are not known in the BCM network (the company network, which is built by an external company). When I used a small DHCP range for the VPN clients in the 192.168.12.x range, it was working. I think I have to go back to the small 192.168.12.x range for the VPN clients.
09-15-2017 10:05 AM
I'd just like to add that it is possible to make this work. I need to make sure that those destination hosts reply back so that the packet gets to the ASA firewall, on the same interface the packet left from.
Then maybe some adjustments will be necessary on the firewall in terms of access-lists, and then the firewall will be able to send the packet via the VPN tunnel.
You know the environment better than me, and it is up to you to decide which alternative better fits this situation.
I'm just saying that technically it is possible; however, not necessarily easier.
09-15-2017 10:14 AM
Flavio,
When an AnyConnect user logs into the ASA5512, the user gets an IP like 10.0.0.x.
The main office has IP 192.168.12.X. In this network, the ASA has 192.168.12.254 on the LAN interface. There is a Catalyst switch 192.168.12.201, which has a fiber link to another Catalyst switch 192.168.14.201. Those Catalyst switches route traffic between 12.x and 14.x. The hosts in those 2 networks are reachable.
Now there is also a BCM router 192.168.12.100, which has leased lines (based on VPN) to two branch offices. One branch office is small (192.168.15.x) and has only a router to the BCM network, so that it can reach 192.168.12.x, 14.x and 10.x.
The other branch office (192.168.10.x) also has a BCM router (192.168.10.100) and an active fiber internet connection which is connected to a Zyxel firewall (192.168.10.254).
As far as I know, the BCM network doesn't know the VPN AnyConnect IP range. And from here I'm missing something ;-)
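The reply-path question raised in the 08:42 AM answer (where does a branch host send a packet for a 10.0.0.x client it has no route for?) and the topology described in the last post can be checked with a small routing model. The script below is an added example, not code from the thread or from Cisco; only the ASA's own static routes and the address pool come from the posted config. The branch host address 192.168.10.5, the client address 10.0.0.7, the routing tables of the BCM routers, the branch host's default gateway and the Zyxel's role as internet exit are all assumptions made to illustrate the forum discussion. It traces the forward path from the ASA to a branch host, the reply path as the BCM network is described today, and the reply path once the BCM routers have a route for the 10.0.0.0/24 AnyConnect pool.

```python
import copy
import ipaddress

# Constructed model of the topology described in this thread. Only the ASA's
# own routes ("route LAN ..." lines in the posted config) and the 10.0.0.0/24
# pool come from the page; every other table below is an assumption.

CONNECTED = "connected"            # destination is on a directly attached subnet
INTERNET = "internet"              # default route leaves the company network
ANYCONNECT = "anyconnect-tunnel"   # ASA hands the packet to the VPN client

ASA = "192.168.12.254"             # ASA LAN interface (from the config)
BCM_MAIN = "192.168.12.100"        # BCM router, main office (from the thread)
BCM_BRANCH = "192.168.10.100"      # BCM router, branch office (from the thread)
ZYXEL = "192.168.10.254"           # branch internet firewall (from the thread)
BRANCH_HOST = "192.168.10.5"       # constructed branch host address

TABLES = {
    BRANCH_HOST: [("192.168.10.0/24", CONNECTED), ("0.0.0.0/0", BCM_BRANCH)],
    BCM_BRANCH: [                    # assumed table of the branch BCM router
        ("192.168.10.0/24", CONNECTED),
        ("192.168.12.0/24", BCM_MAIN),   # leased line to main office
        ("192.168.14.0/24", BCM_MAIN),
        ("192.168.15.0/24", BCM_MAIN),
        ("0.0.0.0/0", ZYXEL),            # internet via the Zyxel
    ],
    ZYXEL: [("192.168.10.0/24", CONNECTED), ("0.0.0.0/0", INTERNET)],
    BCM_MAIN: [                      # assumed table of the main-office BCM router
        ("192.168.12.0/24", CONNECTED),
        ("192.168.10.0/24", BCM_BRANCH),
        ("0.0.0.0/0", ASA),
    ],
    ASA: [                           # from the posted config
        ("192.168.12.0/24", CONNECTED),
        ("192.168.10.0/24", BCM_MAIN),
        ("192.168.14.0/24", "192.168.14.201"),
        ("192.168.15.0/24", BCM_MAIN),
        ("10.0.0.0/24", ANYCONNECT),     # pool DHCP-VPN-Clients, reached via the tunnel
        ("0.0.0.0/0", "172.99.99.129"),  # route WAN 0.0.0.0 0.0.0.0 172.99.99.129
    ],
}


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop) entries."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def trace(tables, start, dst, max_hops=10):
    """Follow a packet for dst starting at device `start`; return the hop list."""
    path = [start]
    current = start
    for _ in range(max_hops):
        next_hop = lookup(tables[current], dst)
        if next_hop is None:
            path.append("dropped: no route")
            return path
        if next_hop == CONNECTED:
            path.append(f"delivered to {dst}")
            return path
        path.append(next_hop)
        if next_hop not in tables:       # INTERNET, ANYCONNECT or an unmodelled hop
            return path
        current = next_hop
    path.append("loop?")
    return path


def with_vpn_pool_routes(tables):
    """Copy of the tables where both BCM routers know the 10.0.0.0/24 pool."""
    fixed = copy.deepcopy(tables)
    fixed[BCM_BRANCH].append(("10.0.0.0/24", BCM_MAIN))
    fixed[BCM_MAIN].append(("10.0.0.0/24", ASA))
    return fixed


if __name__ == "__main__":
    client = "10.0.0.7"  # constructed AnyConnect client address from the pool
    print("ASA -> branch host :", " -> ".join(trace(TABLES, ASA, BRANCH_HOST)))
    print("reply, as today    :", " -> ".join(trace(TABLES, BRANCH_HOST, client)))
    fixed = with_vpn_pool_routes(TABLES)
    print("reply, with routes :", " -> ".join(trace(fixed, BRANCH_HOST, client)))
```

The forward path works because the ASA has static routes for both branch subnets, but the reply follows the branch's default route out to the internet, which is why the ping never returns. A pool inside 192.168.12.x avoids the problem only because that subnet is already known everywhere; a dedicated pool needs a matching route back to the ASA on every hop of the BCM network.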