01-04-2019 12:50 PM
Company name: ABC123
IP addresses = Not real
This is for an ASA firewall at our branch location. They primarily used 10.x addresses internally and also for AnyConnect VPN clients.
The other ABC123 offices use 100.x addressing for internal use.
Due to recent network changes, new 100.x subnets have been added to this branch location.
The 100.x was not able to browse Internet since there was no PAT statement in the ASA.
So I added this statement:
object network hundred-Net
 subnet 100.0.0.0 255.0.0.0
 nat (INSIDE,OUTSIDE) dynamic interface
After that, 100.x servers were able to access the Internet, but I later found out that 10.x AnyConnect users are not able to access the internal websites at other locations that are 100.x.
I removed the previous change and now AC users are good, but the old issue is back.
Later I added specific PAT statements with only the 100.x nets that are part of this office:
object network branch_100.190.0.0_15
 subnet 100.190.0.0 255.254.0.0
 nat (INSIDE,OUTSIDE) dynamic interface
object network branch_100.196.0.0_14
 subnet 100.196.0.0 255.252.0.0
 nat (INSIDE,OUTSIDE) dynamic interface
This does not break anything.
I would like to know why the initial change breaks the VPN user access to 100.x addresses.
01-05-2019 05:37 AM
Normally we would expect the remote access VPN users' access to non-local sites to be covered by a "nat (outside,outside)" type statement. So it is indeed a bit surprising that the 100/8 being used for a "nat (inside,outside)" statement broke their access.
It could be an interaction with the routing on the ASA. If you had a "route-lookup" statement at the end of the NAT statement that is used by the AnyConnect users, that might fix the original issue.
01-05-2019 10:46 AM
Thank you for the reply.
I have a case opened with Cisco support but no replies so far.
Question: I was reading somewhere that it is not recommended to have the AnyConnect users' DHCP range the same as the internal IP range. In my case the DHCP range for the AC users is 10.44.0.0/23 and the internal network as defined on the ASA is 10.44.0.0/16. Not sure why this can cause an issue with access to 100.x addresses?
01-05-2019 01:44 PM
Hi. I guess it's not a best practice to use an internal subnet for AnyConnect, but there is no harm in using it if it's a requirement where the company does not want to add another subnet into a production network.
Found a good link; it might help you to better understand what you went through.
https://www.dentonsolutions.com/2018/06/06/cisco-anyconnect-vpn-clients-sharing-lan-ip-address-pool/
01-16-2019 11:42 AM
Thank you for the replies, this issue is now resolved.
The return traffic was not routed properly. So we ended up adding a no-nat statement saying not to translate the VPN clients for the 100.x addresses.
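One form the no-nat (identity NAT) statement from the resolution can take on an ASA, added here as an illustration rather than the configuration from this thread. The object name VPN_POOL is made up (the pool range 10.44.0.0/23 is the one given above), and it assumes the other offices' 100.x networks are reached through INSIDE, so their replies to VPN clients would otherwise match the 100/8 dynamic PAT on the way out OUTSIDE:

```cisco
! Constructed example: AnyConnect pool (range from the thread) and the 100/8 aggregate
object network VPN_POOL
 subnet 10.44.0.0 255.255.254.0
object network hundred-Net
 subnet 100.0.0.0 255.0.0.0
!
! Manual (twice) NAT lives in section 1 and is evaluated before object NAT,
! so this identity rule exempts traffic between the 100.x sites and the VPN
! clients from the "nat (INSIDE,OUTSIDE) dynamic interface" PAT on 100.0.0.0/8.
! no-proxy-arp keeps the ASA from answering ARP for these addresses;
! route-lookup makes the egress interface come from the routing table.
! Assumption: the remote 100.x networks sit behind INSIDE.
nat (INSIDE,OUTSIDE) source static hundred-Net hundred-Net destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Check from exec mode that the rule is in section 1 and is taking hits
! for VPN flows, while the 100.x Internet traffic still hits the dynamic PAT:
show nat detail
```

If the remote 100.x networks are instead reached over a site-to-site tunnel on OUTSIDE, the same identity rule is written with (OUTSIDE,OUTSIDE) and requires same-security-traffic permit intra-interface.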