07-15-2021 12:36 AM
Hello,
it seems I am really no friend of AnyConnect VPNs.
I have an MPLS connection between two data centers and also need to create an AnyConnect connection on Site B.
I can ping Internet and I can ping the Firewall IP, but that is it.
Anyconnect Pool is 10.50.0.x
Split Tunnel is made for 10.0.0.0/24
I am trying to ping for example 10.0.0.100, or 10.10.0.100 but the ping does not go through.
Can you please help me with the right config?
Thanks!
07-15-2021 12:43 AM
You probably need a NAT exemption rule, to ensure traffic is not unintentionally NATted.
object network LAN
 subnet 10.0.0.0 255.255.255.0
object network RAVPN
 subnet 10.50.0.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp
You'd not be able to ping 10.10.0.100 as it's not defined in your split tunnel ACL, 10.0.0.0/24 - or is it a /8 instead of a /24?
07-15-2021 01:16 AM - edited 07-15-2021 01:16 AM
Ah yes, forgot about the subnet. I changed it to /8, but still no ping.
ASA(config)# no pager lines
ASA(config)# sh run
: Saved
:
hostname ASA
domain-name xx
enable password $sha512$5000$ybm4L5XJspfbEvMzRaA54w==$emg2j84pjYWTGi3+5Ib3AA== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool VPN_POOL 10.50.0.100-10.50.0.105 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address externalP 255.255.255.252
!
interface GigabitEthernet1/2
 nameif Inside
 security-level 100
 ip address 10.0.0.75 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 0
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xx.com
object network INSIDE
 subnet 10.0.0.0 255.255.255.0
object network VPN_POOL
 subnet 10.21.0.0 255.255.255.0
object network VPN_POOL50
 subnet 10.50.0.0 255.255.255.0
object network Inside
 subnet 10.0.0.0 255.255.255.0
object network LAN
 subnet 10.0.0.0 255.0.0.0
object network RAVPN
 subnet 10.50.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list Inside extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list Inside_access_in extended permit ip any any
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-771-151.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Inside,outside) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp route-lookup
!
object network Inside
 nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
access-group Inside_access_in in interface Inside
route outside 0.0.0.0 0.0.0.0 externalIP 1
route Inside 10.10.0.0 255.255.255.0 10.0.0.2 1
route outside 10.10.0.0 255.255.255.0 externalIP 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.10.0.0 255.255.255.0 Inside
http redirect outside 80
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint xxCrt
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=10.0.0.75,CN=BerASA
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate feb82c60
    308202c6 308201ae a0030201 020204fe b82c6030 0d06092a 864886f7 0d01010b 05003025 310f300d 06035504 03130642 65724153 41311230 10060355 04031309 31302e30 2e302e37 35301e17 0d323130 32323430 38333530 365a170d 33313032 32323038 33353036 5a302531 0f300d06 03550403 13064265 72415341 31123010 06035504 03130931 302e302e 302e3735 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00e4826c b67a202f 087b8491 99ce0999 b29934aa cc6c2689 90d8135d 66371389 2f82d268 2bf645f1 35d9d4b0 bc0e69e5 99bc3146 b7e7c07b 4357e193 42de8a96 0f3c75a6 128d08b9 2fbe5166 a81521cb 7773d8f1 53b054d8 4507aba3 fe00e4b8 f03d8a82 92c06a58 8dbfd1cd b01b504b f7c4acfd 289f9fc1 985f4729 5afac24c 3461fc1f 86348c55 f06c2a0d f811e834 a7ced365 91bd8a96 a94d4123 bd6efce8 6e914274 7c453824 a6817917 9eaafe8e f06a2f46 82d8e039 fc23fae9 c57070e4 e4fd4c23 8da25d27 95bdb22b cd3d63e8 1c014db1 a396b676 f65c3908 fa62d9e5 7217eb2e 0b40b419 b879ba4f 2d18ddc6 77be307f f2aa6f05 6b3ac471 6a42ef52 71020301 0001300d 06092a86 4886f70d 01010b05 00038201 01001bcb 0c37129b 080a720d f1ca79a3 d3330c37 c5804608 65edc5a3 5986a232 c22ce76a a4889112 e03591ad 692eddcc c621bf5f 5b793ea4 e7cb7981 48f0e759 4bd477aa 694c2498 95dabfa0 2288858a b30bc4dd a868a3a2 751b632e fa958e57 56b4facc cfbbacfd 017c2f57 43d4148b e3f17900 e274003b c4e9f1dd 99528851 839986db f24ddf3e d279932c eb03885e 669b6d59 891a3a08 1726e1e6 c1250d24 1af38158 ca2c698c 07ff8c5f 3e6a1d49 82b0125a ccd38d4c 7dd80b56 3feda01f 6036c2be da8d8b67 89963616 fc21d483 b4ae1d0e f7b7bdfc 8aa320a0 92af74c3 5ad9a0f5 278c1377 e6349ce1 219a9b35 787de671 ddb08330 c42a81e4 7c80e0c3 ebb1
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh 10.50.0.0 255.255.255.0 outside
ssh 10.0.0.0 255.255.255.0 Inside
ssh 0.0.0.0 0.0.0.0 Inside
ssh 10.50.0.0 255.255.255.0 Inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Inside
vpn-sessiondb max-other-vpn-limit 2
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 4
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Inside vpnlb-ip
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.07021-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 webvpn
  anyconnect keep-installer installed
  anyconnect dpd-interval client 30
  anyconnect ask none default anyconnect
group-policy ANNYCONNECT_POLICY internal
group-policy ANNYCONNECT_POLICY attributes
 split-tunnel-network-list value SPLIT_TUNNEL
dynamic-access-policy-record DfltAccessPolicy
username USER password $sha512$5000$jgFRJ3PAV7fc72uyQ/E8kA==$FV6X0fYvkaKq7j56w59huA== pbkdf2
username USER attributes
 service-type remote-access
username root password $sha512$5000$Q2gyZdajzmdHYDnVJnQorQ==$E3wiFb6unorX++q4qrQ88Q== pbkdf2
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN_POOL
 default-group-policy ANYCONNECT_POLICY
tunnel-group VPN webvpn-attributes
 group-alias ALIAS enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ebb101f812263cd064e0750e8e260139
: end
On the other side, just for this test I left the ACL as any any, and the NAT is
nat (inside,outside) source static any any destination static RAVPN RAVPN no-proxy-arp route-lookup
Thanks!
07-15-2021 01:58 AM
Is this traffic hairpinning on the ASA with AnyConnect configured? If so, you'll need the command "same-security-traffic permit intra-interface" to permit this.
Run packet-tracer from the CLI to simulate the traffic flow, provide the output for review.
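An added example, not code from this thread or from Cisco: a small Python model of the three checks the replies above raise for a VPN client's packet (split-tunnel ACL membership, identity NAT exemption, and route lookup with the hairpin case), fed the values from the posted config. The route list, the /8 LAN object and the hairpin rule are simplifying assumptions, not the ASA's forwarding logic.

```python
from ipaddress import ip_address, ip_network

# Values from the thread's "sh run"; the route list and hairpin rule are simplified assumptions.
VPN_POOL = ip_network("10.50.0.0/24")
EXEMPT = [(ip_network("10.0.0.0/8"), VPN_POOL)]          # object LAN <-> object RAVPN
ROUTES = [                                               # (prefix, nameif, next hop, metric)
    (ip_network("0.0.0.0/0"), "outside", "externalIP", 1),
    (ip_network("10.10.0.0/24"), "Inside", "10.0.0.2", 1),
    (ip_network("10.10.0.0/24"), "outside", "externalIP", 2),
    (ip_network("10.0.0.0/24"), "Inside", "connected", 0),
]
SPLIT_24 = [ip_network("10.0.0.0/24")]   # SPLIT_TUNNEL as first posted
SPLIT_8 = [ip_network("10.0.0.0/8")]     # SPLIT_TUNNEL after the change to /8

def split_tunnel_includes(dst, split_acl):
    """tunnelspecified: the client only tunnels destinations listed in the ACL."""
    return any(ip_address(dst) in net for net in split_acl)

def nat_exempt(src, dst, exemptions):
    """Identity (twice) NAT covers src->dst in either direction."""
    s, d = ip_address(src), ip_address(dst)
    return any((s in a and d in b) or (s in b and d in a) for a, b in exemptions)

def route_lookup(dst, routes):
    """Longest prefix wins, then lowest metric; returns (nameif, next_hop) or None."""
    d = ip_address(dst)
    best = None
    for net, ifc, nh, metric in routes:
        if d in net and (best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[3])):
            best = (net, ifc, nh, metric)
    return (best[1], best[2]) if best else None

def check_vpn_reachability(dst, split_acl, exemptions, routes, intra_interface=False):
    """Return {check: reason} for each check that would stop a VPN client reaching dst; {} if all pass."""
    client = str(VPN_POOL.network_address + 100)   # 10.50.0.100, first address of the pool
    problems = {}
    if not split_tunnel_includes(dst, split_acl):
        problems["split_tunnel"] = "client sends this outside the tunnel"
    if not nat_exempt(client, dst, exemptions):
        problems["nat"] = "no identity NAT; dynamic PAT can rewrite the source"
    route = route_lookup(dst, routes)
    if route is None:
        problems["route"] = "no route to destination"
    elif route[0] == "outside" and not intra_interface:
        problems["hairpin"] = "egress is the VPN ingress interface; needs same-security-traffic permit intra-interface"
    return problems

if __name__ == "__main__":
    for dst, acl in (("10.0.0.100", SPLIT_24), ("10.10.0.100", SPLIT_24), ("10.10.0.100", SPLIT_8)):
        print(dst, "/%d" % acl[0].prefixlen, check_vpn_reachability(dst, acl, EXEMPT, ROUTES) or "ok")
```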
07-15-2021 03:23 AM - edited 07-15-2021 04:02 AM
Hi,
I noticed that the internet was not working on the devices from Site B. I changed the default gateway on the switch in Site A to the IP of the firewall, 10.0.0.75 (Site B), and now the ping over the VPN is working at least to devices in Site B. The ones in Site A are not.
Ping from outside IP VPN to IP Site A
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.189 using egress ifc Inside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,outside) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Inside
Untranslate 10.0.0.189/0 to 10.0.0.189/0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,outside) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp route-lookup
Additional Information:
Static translate 10.50.0.100/0 to 10.50.0.100/0
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Same error with a ping from outside the VPN to an IP in Site B, but as stated above, the ping is working after the change of the default gateway.
LE: Of course, now I cannot reach the devices over MPLS from 10.10. anymore because I changed the gateway...
Thank you!