10-26-2016 12:41 PM
Hello Everyone,
I have an ASA running AnyConnect and S2S tunnels.
Aim: enable anyconnect users to access resources over ipsec tunnel.
Problem: anyconnect users and s2s tunnels are using the same outside interface.
Applied configuration:
1. enabled same-security-traffic permit intra-interface
2. configured policy map to bypass tcp connections on the outside interface
But these steps did not help. RA users are not able to reach s2s subnet.
Please advise how to achieve this aim.
Thank you in advance
Alex
10-26-2016 01:13 PM
You should not need the bypass policy map.
You will need a NAT exemption for the VPN pool to the remote subnet(s). Ethan Banks has a nice article on exactly this configuration here:
http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/
10-27-2016 05:42 AM
Have you exempted traffic sourced from the remote (server) subnet from NAT when destination is the address pool used by the remote access VPN clients?
Also, you should have icmp inspection enabled at both ends.
10-26-2016 11:17 PM
Hi Marvin,
Thanks for the link.
I removed policy map and added nat rule, but AC client still cannot reach a server behind the ipsec tunnel.
Additional information:
- According to the Wireshark dump on the server, it is sending ICMP replies back to the AC client.
- Captured ESP traffic on ASA outside interface. Was able to see other site sending ESP replies.
- The funniest part: I am able to ping the AC client from a server behind the IPsec tunnel, but when trying from AC to a server I get the following error:
Error Message: %ASA-4-313004:Denied ICMP type= icmp_type, from source_address on interface interface_name to dest_address :no matching session
Explanation: ICMP packets were dropped by the ASA because of security checks added by the stateful ICMP feature that are usually either ICMP echo replies without a valid echo request already passed across the ASA or ICMP error messages not related to any TCP, UDP, or ICMP session already established in the ASA.
Please advise what I am missing. I am out of thoughts.
Thank you
Alex
10-28-2016 02:08 AM
Hello Marvin,
Thanks for your help! Got it working somehow.
The bottom line is that:
1. intra-interface is needed
2. tcp bypass not needed
3. double-check NAT settings.
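The three points in the summary above, together with Marvin's NAT-exemption and ICMP-inspection advice, written out as one ASA (8.3+ NAT syntax) configuration. This is an added example, not configuration posted in the thread; the interface name `outside`, the object names `AC_POOL`, `REMOTE_LAN` and `LOCAL_LAN`, the crypto ACL name `S2S_CRYPTO` and the address ranges are all assumed (constructed from documentation ranges), and `global_policy` / `inspection_default` are the ASA's default policy-map and class names.

```cisco
! --- Assumed topology (constructed for this example) ---
!   outside interface ......... outside
!   AnyConnect address pool ... 192.0.2.0/24   (object AC_POOL)
!   remote S2S subnet ......... 198.51.100.0/24 (object REMOTE_LAN)
!   local LAN behind the ASA .. 10.0.0.0/24    (object LOCAL_LAN)

! 1. Hairpin: RA traffic arrives on "outside" and must leave on "outside"
!    again inside the S2S tunnel. Without this the ASA drops it.
same-security-traffic permit intra-interface

object network AC_POOL
 subnet 192.0.2.0 255.255.255.0
object network REMOTE_LAN
 subnet 198.51.100.0 255.255.255.0
object network LOCAL_LAN
 subnet 10.0.0.0 255.255.255.0

! 2. TCP state bypass is NOT needed for this. If it was added while
!    troubleshooting, remove it so the ASA keeps tracking these flows:
! (removed) policy-map TCP_BYPASS
! (removed)  class TCP_BYPASS
! (removed)   set connection advanced-options tcp-state-bypass

! 3. NAT exemption (identity twice NAT) outside-to-outside, so pool
!    addresses reach the remote subnet untranslated and the return
!    traffic matches the same session. "route-lookup" makes the ASA
!    route on the real destination rather than the NAT interface.
nat (outside,outside) source static AC_POOL AC_POOL destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! The pool must also be in the S2S crypto ACL (and mirrored on the
! remote peer), or the AC traffic never enters the tunnel.
access-list S2S_CRYPTO extended permit ip object LOCAL_LAN object REMOTE_LAN
access-list S2S_CRYPTO extended permit ip object AC_POOL  object REMOTE_LAN

! 4. Stateful ICMP inspection, so echo replies from the remote server
!    are matched to the AC client's echo request instead of being
!    dropped with %ASA-4-313004 "no matching session".
policy-map global_policy
 class inspection_default
  inspect icmp
```

Verify with `show nat detail` (the exemption rule's translate_hits and untranslate_hits should both increment during a ping) and `show crypto ipsec sa peer <remote-peer>` (encaps and decaps counters for the 192.0.2.0/24 to 198.51.100.0/24 pair should rise). If only encaps rise, the remote side's crypto ACL or NAT exemption is missing the pool, which is the "double-check NAT settings" point above.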
10-28-2016 06:16 AM
You're welcome. Thanks for letting us know the solution worked for you.