Anyconnect works at main location and for internet but not across the WAN

BRAD VAUGHN
Level 1

I have an ASA 5525 firewall running an AnyConnect VPN.  I have three sites and this will be the access point for all.  There is an MPLS WAN between the sites.  The AnyConnect IP pool is 192.168.165.x 255.255.255.0. In the main site, the local IPs are 172.17.x.x 255.255.0.0 and a legacy 192.168.10.x 255.255.255.0.  The distant sites are 192.168.20.x 255.255.255.0 and 192.168.30.x 255.255.255.0.

From a PC in my local LAN I can reach all four of the ranges and ping, tracert and access servers by name or number.  When connected to the AnyConnect, I can only access the 172.17.x.x and 192.168.10.x.  We are set up to do full tunnel through the VPN if that matters.  I tried adding routes at the routers on each side of the WAN to point 192.168.165.x traffic back towards the firewall's inside address based on a tip I read on the board here, but that didn't help.  Any ideas where I need to look next?

Thanks for your help,

Brad


4 Replies

Philip D'Ath
VIP Alumni

Can't the ASA itself ping devices at all remote sites?

Have you got NAT rules in place to exempt all traffic to the VPN range?

I tried this today.  Using PuTTY it cannot ping to the sites across the WAN, but can ping in this office.  I then did a traceroute, and it is immediately going to the 0.0.0.0 route, which is the internet provider's router.  The traceroute goes to the internal gateway as it should for both 172.17.x.x 255.255.0.0 and 192.168.10.x 255.255.255.0, so I added a static route to 192.168.20.x 255.255.255.0 and I can now traceroute and ping from the ASA.  I then went back to my VPN client and still no response.

I think your idea set me on the right path, but I think it is still one step away from done.  What NAT rule are you suggesting in the second part of your answer?  

Thanks so much for your help, I can almost see this thing working.

Do your remote sites and WAN have a default route pointing back to the ASA?  If not, do they have a route for the AnyConnect VPN pool range?

Probably need to see your config to help much more.
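For reference, here is what the two things asked about above (a route to the remote subnets and a NAT exemption for the AnyConnect pool) look like on an ASA, as an added example rather than the original poster's configuration. It assumes ASA 8.3 or later NAT syntax, interfaces named inside and outside, and uses a placeholder for the inside next-hop router, which the thread never states.

```cisco
! Added example, not the poster's config. Placeholders: INSIDE_GW_IP.
! Subnets are the ones named in the thread.
object network VPN_POOL
 subnet 192.168.165.0 255.255.255.0
object network SITE20
 subnet 192.168.20.0 255.255.255.0
object network SITE30
 subnet 192.168.30.0 255.255.255.0
object-group network REMOTE_SITES
 network-object object SITE20
 network-object object SITE30
!
! 1. The ASA must know the remote sites live behind the inside router,
!    otherwise traffic follows the default route out to the ISP.
route inside 192.168.20.0 255.255.255.0 INSIDE_GW_IP
route inside 192.168.30.0 255.255.255.0 INSIDE_GW_IP
!
! 2. NAT exemption (identity twice-NAT): traffic between the remote sites
!    and the VPN pool must keep its real addresses in both directions,
!    so the remote routers see 192.168.165.x and can route it back.
nat (inside,outside) source static REMOTE_SITES REMOTE_SITES destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Verification from the ASA CLI (constructed addresses inside the pool and site):
!   show route
!   packet-tracer input outside icmp 192.168.165.10 8 0 192.168.20.10 detailed
! packet-tracer should end with "Action: allow" and an egress interface of inside.
```

The remote-site routers (and, as the thread later shows, the MPLS provider) still need a return route or an allowed-prefix entry for 192.168.165.0/24, which nothing on the ASA can substitute for.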

It turned out that your suggestion was correct, but the problem was outside my control.  In case someone else is in a similar situation, this is the problem.  In some cases the MPLS provider has to allow packets destined for a different WAN site to flow through them based on allowed IPs.  They don't have a route mapped from what I can tell, but rather they have allowable IP ranges listed.  Based on your suggestion I remembered years ago I had to let them know when I added a special subnet for a particular project we had going on.  I sent the VPN range to my provider and between your suggestion of the static route and the provider allowing the number range, it works!

Thanks so much for all your help,

Brad Vaughn