01-11-2019 09:30 AM - edited 02-21-2020 09:32 PM
I have a network environment consisting of 8 Cisco ASA5506 appliances. The main office serves as the hub, and the 7 satellite offices are connected to this main office by site-to-site IPSec tunnels. The main office provides all Active Directory, file, and print services to the network, so all of the client server infrastructure is at the main office.
We use Anyconnect for remote workers to connect to the main office for access to file shares and other network resources. This VPN access has been performing flawlessly, with users accessing network resources at the main office and with split-tunneling configured also have Internet access during VPN sessions.
A recent change is requiring some Anyconnect users to access resources now located at one of the satellite offices. This was not previously a requirement or ever tested, so I believe the function/capability was never working for Anyconnect users; and when Anyconnect users are connected to the VPN, they are unable to PING IP/name or map to resources at the satellite offices. However, users physically at the main office are able to access resources at any of the satellite offices without issue.
Main office subnet = 192.168.10.0/24
Anyconnect IP Assignments = group of IP's assigned by the ASA at connect, 192.168.10.200 - 210
Satellite Offices = 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, etc...
Since the Anyconnect client is receiving an IP that matches the main office subnet, I'm not seeing how these vpn clients are prohibited or restricted from accessing satellite (remote) office resources. I am happy to provide further information or details as needed.
01-11-2019 09:37 AM
01-11-2019 10:01 AM
I believe your statement "AC VPN traffic back out the same interface over a Site to Site VPN" is true, and I have not applied any additional commands beyond the setups of the IPSec tunnels and Anyconnect profile.
Would I run the "same-security-traffic permit intra-interface" command from the CLI in ASDM? I searched the running config, but don't see the "intra-interface" defined.
01-11-2019 10:05 AM
01-11-2019 10:17 AM
would it not need a command same-security-traffic permit inter-interface as other command is for anyconnect
01-11-2019 10:26 AM
"Inter" is between two different interfaces with same security level.
"Intra" is used during hairpining, traffic routed back through the outside interface.
Reference here
Quote - "One thing he mentioned and I forgot is the same-security-traffic permit intra-interface to allow U-turn."
01-11-2019 10:27 AM
cheers appreciated
01-11-2019 10:32 AM
01-11-2019 10:36 AM - edited 01-11-2019 10:46 AM
f you have anyconnect client than and you running this command
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
!
i am curious could we use any here instead of inside and to test it
nat (any,outside) source static any any destin static NETWORK_OB_192.168.108_24 NETWORK_OB_192.168.108_24 no-proxy -arp route-lookup |where 192.168.108/24 is my anyconnect pool.
nat (any,outside) source static any any destin static XXXX XXXX no-proxy -arp route-lookup
01-11-2019 11:29 AM
My Client Address Pool is labeled VPN_Pool, so would I use the following syntax for the command:
nat (any,outside) source static any any destin static VPN_Pool VPN_Pool no-proxy -arp route-lookup
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide