1429 Views · 0 Helpful · 4 Replies

Anyconnect VPN no ping

sahara101
Level 1

Hello,

It seems I am really no friend with Anyconnect VPNs.

I have a MPLS connection between two data centers and need to also create an anyconnect connection on Site B. 

I can ping Internet and I can ping the Firewall IP, but that is it. 

Anyconnect Pool is 10.50.0.x

Split Tunnel is made for 10.0.0.0/24

I am trying to ping, for example, 10.0.0.100 or 10.10.0.100, but the ping does not go through.

Can you please help me with the right config?

Thanks!

4 Replies

@sahara101 

You probably need a NAT exemption rule, to ensure traffic is not unintentionally NATed.

object network LAN
 subnet 10.0.0.0 255.255.255.0
object network RAVPN
 subnet 10.50.0.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp

You wouldn't be able to ping 10.10.0.100, as it's not defined in your split-tunnel ACL (10.0.0.0/24). Or is it a /8 instead of a /24?
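Added example, not from the thread or from Cisco: a small Python script that models the two checks this reply makes. It parses the object, standard access-list and twice-NAT lines of a constructed ASA fragment (built in the shape of the running config in this thread, with LAN as a /8 and the split-tunnel ACL as a /24) and reports, for one client-to-destination flow, whether the split-tunnel ACL would send it into the tunnel and whether an identity NAT rule covers it. The regexes, the `parse_asa` and `check_reachability` helpers and the sample config are assumptions of this example and cover only those line types.

```python
"""Model the two checks from the reply above: does the split-tunnel ACL send a
destination into the tunnel, and does an identity (twice) NAT rule exempt the
VPN-pool <-> LAN traffic from translation.  Added example, not Cisco code;
it parses only a small subset of ASA syntax."""
import ipaddress
import re
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed fragment in the shape of the running config posted in this thread.
# Note the deliberate mismatch: LAN is a /8 but the split-tunnel ACL is a /24.
SAMPLE_CONFIG = """\
object network LAN
 subnet 10.0.0.0 255.0.0.0
object network RAVPN
 subnet 10.50.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
nat (Inside,outside) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp route-lookup
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)\s*$")
ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)\s*$")
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)"
)


def parse_asa(text: str):
    """Return (objects, acls, nat_exemptions) from the supported line types."""
    objects: Dict[str, IPv4Net] = {}
    acls: Dict[str, List[IPv4Net]] = {}
    exemptions: List[Tuple[IPv4Net, IPv4Net]] = []
    current = None
    for line in text.splitlines():
        if m := OBJECT_RE.match(line):
            current = m.group(1)
        elif (m := SUBNET_RE.match(line)) and current:
            # ip_network accepts a dotted netmask after the slash.
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(
                ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
        elif m := NAT_RE.match(line):
            _, _, real_src, mapped_src, real_dst, mapped_dst = m.groups()
            # Only an identity rule (real == mapped on both sides) is an exemption.
            # Objects must be defined before the nat line, as in a real config.
            if real_src == mapped_src and real_dst == mapped_dst:
                exemptions.append((objects[real_src], objects[real_dst]))
    return objects, acls, exemptions


def check_reachability(config: str, acl_name: str, client_ip: str, dest_ip: str) -> dict:
    """Evaluate one VPN-client -> destination flow against the parsed config."""
    _, acls, exemptions = parse_asa(config)
    client = ipaddress.ip_address(client_ip)
    dest = ipaddress.ip_address(dest_ip)
    # Split tunnel: the client only routes destinations listed in the ACL into the tunnel.
    tunneled = any(dest in net for net in acls.get(acl_name, []))
    # Twice NAT matches in both directions, so a rule written (LAN -> RAVPN)
    # also covers the client's packets arriving from the RAVPN side.
    nat_exempt = any(
        (client in src and dest in dst) or (client in dst and dest in src)
        for src, dst in exemptions
    )
    return {"tunneled": tunneled, "nat_exempt": nat_exempt,
            "passes_checks": tunneled and nat_exempt}


if __name__ == "__main__":
    for target in ("10.0.0.100", "10.10.0.100"):
        print(target, check_reachability(SAMPLE_CONFIG, "SPLIT_TUNNEL", "10.50.0.100", target))
```

With the sample fragment, 10.0.0.100 passes both checks while 10.10.0.100 fails only the split-tunnel check: the /8 LAN object makes the NAT exemption wide enough, but the /24 ACL never sends that destination into the tunnel, which is exactly the mismatch the reply asks about.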

sahara101
Level 1

Ah yes, I forgot about the subnet. I changed it to /8, but still no ping.

ASA(config)# no pager lines 

ASA(config)# sh run
: Saved

: 

hostname ASA
domain-name xx
enable password $sha512$5000$ybm4L5XJspfbEvMzRaA54w==$emg2j84pjYWTGi3+5Ib3AA== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool VPN_POOL 10.50.0.100-10.50.0.105 mask 255.255.255.0

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address externalP 255.255.255.252 
!
interface GigabitEthernet1/2
 nameif Inside
 security-level 100
 ip address 10.0.0.75 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 0
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xx.com
object network INSIDE
 subnet 10.0.0.0 255.255.255.0
object network VPN_POOL
 subnet 10.21.0.0 255.255.255.0
object network VPN_POOL50
 subnet 10.50.0.0 255.255.255.0
object network Inside
 subnet 10.0.0.0 255.255.255.0
object network LAN
 subnet 10.0.0.0 255.0.0.0
object network RAVPN
 subnet 10.50.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0 
access-list Inside extended permit ip any any 
access-list outside_access_in extended permit ip any any 
access-list Inside_access_in extended permit ip any any 
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-771-151.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Inside,outside) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp route-lookup
!
object network Inside
 nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
access-group Inside_access_in in interface Inside
route outside 0.0.0.0 0.0.0.0 externalIP 1
route Inside 10.10.0.0 255.255.255.0 10.0.0.2 1
route outside 10.10.0.0 255.255.255.0 externalIP 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 10.10.0.0 255.255.255.0 Inside
http redirect outside 80
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint xxCrt
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=10.0.0.75,CN=BerASA
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate feb82c60
    308202c6 308201ae a0030201 020204fe b82c6030 0d06092a 864886f7 0d01010b 
    05003025 310f300d 06035504 03130642 65724153 41311230 10060355 04031309 
    31302e30 2e302e37 35301e17 0d323130 32323430 38333530 365a170d 33313032 
    32323038 33353036 5a302531 0f300d06 03550403 13064265 72415341 31123010 
    06035504 03130931 302e302e 302e3735 30820122 300d0609 2a864886 f70d0101 
    01050003 82010f00 3082010a 02820101 00e4826c b67a202f 087b8491 99ce0999 
    b29934aa cc6c2689 90d8135d 66371389 2f82d268 2bf645f1 35d9d4b0 bc0e69e5 
    99bc3146 b7e7c07b 4357e193 42de8a96 0f3c75a6 128d08b9 2fbe5166 a81521cb 
    7773d8f1 53b054d8 4507aba3 fe00e4b8 f03d8a82 92c06a58 8dbfd1cd b01b504b 
    f7c4acfd 289f9fc1 985f4729 5afac24c 3461fc1f 86348c55 f06c2a0d f811e834 
    a7ced365 91bd8a96 a94d4123 bd6efce8 6e914274 7c453824 a6817917 9eaafe8e 
    f06a2f46 82d8e039 fc23fae9 c57070e4 e4fd4c23 8da25d27 95bdb22b cd3d63e8 
    1c014db1 a396b676 f65c3908 fa62d9e5 7217eb2e 0b40b419 b879ba4f 2d18ddc6 
    77be307f f2aa6f05 6b3ac471 6a42ef52 71020301 0001300d 06092a86 4886f70d 
    01010b05 00038201 01001bcb 0c37129b 080a720d f1ca79a3 d3330c37 c5804608 
    65edc5a3 5986a232 c22ce76a a4889112 e03591ad 692eddcc c621bf5f 5b793ea4 
    e7cb7981 48f0e759 4bd477aa 694c2498 95dabfa0 2288858a b30bc4dd a868a3a2 
    751b632e fa958e57 56b4facc cfbbacfd 017c2f57 43d4148b e3f17900 e274003b 
    c4e9f1dd 99528851 839986db f24ddf3e d279932c eb03885e 669b6d59 891a3a08 
    1726e1e6 c1250d24 1af38158 ca2c698c 07ff8c5f 3e6a1d49 82b0125a ccd38d4c 
    7dd80b56 3feda01f 6036c2be da8d8b67 89963616 fc21d483 b4ae1d0e f7b7bdfc 
    8aa320a0 92af74c3 5ad9a0f5 278c1377 e6349ce1 219a9b35 787de671 ddb08330 
    c42a81e4 7c80e0c3 ebb1
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh 10.50.0.0 255.255.255.0 outside
ssh 10.0.0.0 255.255.255.0 Inside
ssh 0.0.0.0 0.0.0.0 Inside
ssh 10.50.0.0 255.255.255.0 Inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Inside
vpn-sessiondb max-other-vpn-limit 2
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 4

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Inside vpnlb-ip
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.07021-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 webvpn
  anyconnect keep-installer installed
  anyconnect dpd-interval client 30
  anyconnect ask none default anyconnect
group-policy ANNYCONNECT_POLICY internal
group-policy ANNYCONNECT_POLICY attributes
 split-tunnel-network-list value SPLIT_TUNNEL
dynamic-access-policy-record DfltAccessPolicy
username USER password $sha512$5000$jgFRJ3PAV7fc72uyQ/E8kA==$FV6X0fYvkaKq7j56w59huA== pbkdf2
username USER attributes
 service-type remote-access
username root password $sha512$5000$Q2gyZdajzmdHYDnVJnQorQ==$E3wiFb6unorX++q4qrQ88Q== pbkdf2
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN_POOL
 default-group-policy ANYCONNECT_POLICY
tunnel-group VPN webvpn-attributes
 group-alias ALIAS enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect dns preset_dns_map 
  inspect icmp 
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ebb101f812263cd064e0750e8e260139
: end

On the other side, just for this test, I allowed an any-any ACL, and the NAT is

nat(inside,outside) source static any any destination RAVPN RAVPN no-proxy-arp route-lookup

Thanks!

@sahara101 

Is this traffic hairpinning on the ASA with AnyConnect configured? If so, you'll need the command "same-security-traffic permit intra-interface" to permit this.

Run packet-tracer from the CLI to simulate the traffic flow, and provide the output for review.

Hi,

I noticed that the internet was not working on the devices at Site B. I changed the default gateway on the switch at Site A to the IP of the firewall 10.0.0.75 (Site B), and now the ping is working over VPN, at least to devices at Site B. Those at Site A do not respond.

Ping from the outside VPN IP to an IP at Site A:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.189 using egress ifc  Inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,outside) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Inside
Untranslate 10.0.0.189/0 to 10.0.0.189/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,outside) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp route-lookup
Additional Information:
Static translate 10.50.0.100/0 to 10.50.0.100/0

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Same error with a ping from the outside VPN IP to an IP at Site B, but as stated above, the ping is working after the change of default gateway.

LE: Of course, now I cannot reach the devices over MPLS from 10.10.x.x anymore, because I changed the gateway...

Thank you!
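Added example, not part of the thread: a Python parser for packet-tracer output of the shape posted above. It serves both the earlier suggestion to run packet-tracer and provide the output for review, and the trace in this reply, by turning the phases into structured records and reporting where the flow was dropped. The sample trace is abbreviated from the one posted in this thread; `parse_packet_tracer` and `summarize` are this example's own helpers and handle only this output layout.

```python
"""Parse ASA packet-tracer output into phases and report where the flow was
dropped.  Added example; the trace below is abbreviated from the one in this
thread and the parser targets only that output shape."""
import re
from typing import Dict, List

# Abbreviated from the trace posted in the thread (phases 1, 2 and 8 kept).
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.189 using egress ifc  Inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,outside) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Inside
Untranslate 10.0.0.189/0 to 10.0.0.189/0

Phase: 8
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text: str) -> dict:
    """Split the trace into blank-line separated blocks: one per phase plus the verdict."""
    phases: List[dict] = []
    verdict: Dict[str, str] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if not lines:
            continue
        if lines[0].startswith("Phase:"):
            phase: dict = {"phase": int(lines[0].split(":", 1)[1]), "config": [], "info": []}
            section = None  # None while reading the key: value header lines
            for line in lines[1:]:
                if line.startswith("Config:"):
                    section = "config"
                elif line.startswith("Additional Information:"):
                    section = "info"
                elif section is None:
                    key, _, value = line.partition(":")
                    phase[key.strip().lower()] = value.strip()
                else:
                    phase[section].append(line.strip())
            phases.append(phase)
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, _, value = line.partition(":")
                verdict[key.strip().lower()] = value.strip()
    return {"phases": phases, "verdict": verdict}


def summarize(text: str) -> dict:
    """Reduce a trace to the facts a reviewer asks for first."""
    parsed = parse_packet_tracer(text)
    dropped = [p for p in parsed["phases"] if p.get("result") == "DROP"]
    first = dropped[0] if dropped else None
    return {
        "phase_count": len(parsed["phases"]),
        "action": parsed["verdict"].get("action"),
        "drop_phase": first["phase"] if first else None,
        "drop_type": first["type"] if first else None,
        "drop_reason": parsed["verdict"].get("drop-reason"),
        "egress_interface": parsed["verdict"].get("output-interface"),
        # NAT rules the trace matched: handy when checking the exemption rule.
        "nat_rules_seen": [c for p in parsed["phases"] for c in p["config"] if c.startswith("nat ")],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

The summary pins the drop to the WEBVPN-SVC phase rather than to the NAT or ACL phases, which both show ALLOW in the trace; that separation is what a reviewer needs before deciding whether the NAT exemption, the interface ACL or the VPN session itself is the thing to look at.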