AnyConnect VPN Client Routing to Remote VTIs

jburgod-eg
Level 1

We recently transitioned all of our policy-based site-2-site VPNs over to route-based VPNs using VTIs.  The new VTI configuration for site-2-site VPNs works so slick.  However, we can't get the AnyConnect VPN clients access to the downstream locations with this new configuration.


We have a hub-n-spoke site-2-site VPN design with 1 central office and about 20 remote sites.  The AnyConnect clients terminate on the central office ASA.  The site-2-site VPNs work great and routing between them works.  The AnyConnect VPN clients can connect and access resources local to the central office, but cannot access anything over the site-2-site VPNs.


After hours of searching and head scratching we still cannot get it to work.  The most promising resource we found was this community post, which describes the configuration for policy-based VPNs.  Unfortunately, we still haven't been able to get it working.


Since there are no crypto-maps, access-lists and NAT statements for VTIs, the relevant central ASA VPN config is best represented as:


## Site-to-Site Tunnel Config
interface Tunnel1
 nameif Site-to-Site-VPN
 ip address 169.254.225.1 255.255.255.252 
 tunnel source interface outside
 tunnel destination 111.111.111.111
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Site-to-Site-VPN-Profile

route Site-to-Site-VPN 192.168.2.0 255.255.255.0 169.254.225.2 1

crypto ipsec ikev2 ipsec-proposal L2L-VPN-AES-GCM-256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ipsec profile Site-to-Site-VPN-Profile
 set ikev2 ipsec-proposal L2L-VPN-AES-GCM-256
 set pfs group24
 set security-association lifetime seconds 28800

crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity null
 group 24
 prf sha512
 lifetime seconds 28800

group-policy Site-to-Site-VPN-Policy internal
group-policy Site-to-Site-VPN-Policy attributes
 vpn-tunnel-protocol ikev2 

tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 general-attributes
 default-group-policy Site-to-Site-VPN-Policy
tunnel-group 111.111.111.111 ipsec-attributes
 isakmp keepalive threshold 60 retry 5
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

## AnyConnect VPN Config
object network Office-Network
 subnet 192.168.1.0 255.255.255.0
object network Remote-Office-Network
 subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_25
 subnet 192.168.100.0 255.255.255.128

access-list AnyConnect_Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list AnyConnect_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0

nat (outside,inside) source static NETWORK_OBJ_192.168.100.0_25 NETWORK_OBJ_192.168.100.0_25 destination static Office-Network Office-Network no-proxy-arp route-lookup
nat (outside,outside) source static NETWORK_OBJ_192.168.100.0_25 NETWORK_OBJ_192.168.100.0_25 destination static Remote-Office-Network Remote-Office-Network no-proxy-arp route-lookup

group-policy RemoteUserVPN-Policy internal
group-policy RemoteUserVPN-Policy attributes
 wins-server none
 dns-server value 192.168.1.10 192.168.1.11
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AnyConnect_Split_Tunnel_List
 default-domain value abc.com
 split-tunnel-all-dns disable

tunnel-group RemoteUserVPN type remote-access
tunnel-group RemoteUserVPN general-attributes
 address-pool VPNUser-Pool
 authentication-server-group AD-LDAP
 default-group-policy RemoteUserVPN-Policy
 password-management

same-security-traffic permit intra-interface

I've summarized and generalized as much as I could, but hopefully it still provides enough information for someone to help diagnose the issue.


Any help is greatly appreciated!

2 Replies

jburgod-eg
Level 1

15 mins after posting this, I finally figured out the issue.  It didn't have anything to do with either VPN configuration, but rather our default NAT statement.  It was too broad.  Focusing the NAT statement to only the local network and inside interface resolved the routing issues.


Unfortunately, I could not find a way to delete my post.

My last NAT statement was Any Outside. Changing it to Inside Outside Fixed the issue.
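The before/after of the default NAT rule the poster describes, together with the checks that confirm which rule AnyConnect traffic hits, as an added example rather than the poster's own configuration. The object names and the 192.168.100.0/25 pool are taken from the post; the exact form of the "Any Outside" rule (assumed here to be a section-3 `after-auto` dynamic PAT to the outside interface), the variant exemption that names the VTI interface, and the packet-tracer addresses are assumptions.

```cisco
! --- Before: assumed form of the "Any Outside" default PAT rule ---
! With "any" as the real interface this rule also matches traffic that arrived
! on outside from the AnyConnect pool (intra-interface traffic is permitted), so
! client traffic can be PATed to the outside address instead of being forwarded
! untranslated toward 192.168.2.0/24.
nat (any,outside) after-auto source dynamic any interface

! --- After: the "Inside Outside" rule the poster switched to ---
! Only traffic that entered on inside is PATed; AnyConnect traffic arriving on
! outside no longer matches this rule.
no nat (any,outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface

! --- Identity NAT for the pool toward the remote site ---
! The poster's (outside,outside) rule with route-lookup worked once the default
! rule was narrowed. An assumed variant names the VTI (nameif Site-to-Site-VPN)
! as the mapped interface, which matches where the route actually points:
nat (outside,Site-to-Site-VPN) source static NETWORK_OBJ_192.168.100.0_25 NETWORK_OBJ_192.168.100.0_25 destination static Remote-Office-Network Remote-Office-Network no-proxy-arp route-lookup

! --- Checks ---
! Trace a client packet (assumed pool address 192.168.100.5) to a remote host:
! the NAT phase should show the identity rule and the egress interface should be
! Site-to-Site-VPN, not outside.
packet-tracer input outside tcp 192.168.100.5 40000 192.168.2.10 445 detailed
! Per-rule hit counters; a broad PAT rule counting AnyConnect flows is the tell.
show nat detail
! Confirm the remote subnet is routed via the VTI rather than the outside interface.
show route | include 192.168.2.0
```

Run the packet-tracer before and after the change: with the broad rule in place it reports the dynamic PAT rule in the NAT phase, and after narrowing it the identity rule is matched and the packet exits the tunnel interface.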