02-05-2021 09:47 PM
Hey all,
I'm trying to get hairpinning to work with a full tunnel so I can do some testing. I want to be able to bring up a full tunnel via AnyConnect to the ASA and surf the internet via that tunnel... I've tried everything I can find and simply can't seem to get this to work. Relevant config:
: Hardware: ASAv, 4096 MB RAM, CPU Xeon E5 series 2900 MHz, 1 CPU (2 cores)
:
ASA Version 9.13(1)7
!
ip local pool VPN_range 192.168.4.1-192.168.4.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
dhcp client route distance 2
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address dhcp setroute
!
interface Management0/0
no management-only
nameif management
security-level 100
ip address dhcp setroute
!
same-security-traffic permit intra-interface
object network vpn-pool
range 192.168.4.1 192.168.4.254
description VPN Pool
access-list 101 extended permit ip any any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list outside_access_out extended permit ip any any
pager lines 23
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (outside,outside) source dynamic vpn-pool interface
nat (outside,inside) source static vpn-pool vpn-pool
access-group 101 in interface outside
access-group outside_access_out out interface outside
access-group 101 in interface inside
Let me know if I've missed something relevant and I'll post...thanks in advance for any help!
02-06-2021 02:18 AM
Can you try this?
!
object network vpn-pool
no range 192.168.4.1 192.168.4.254
subnet 192.168.4.0 255.255.255.0
!
nat (outside,outside) source dynamic vpn-pool interface
nat (inside,outside) source dynamic interface
no nat (outside,inside) source static vpn-pool vpn-pool
!
02-06-2021 06:43 AM
Hey Sheraz.Salim, thanks for the quick reply! I've put most of it in place, but the command:
nat (inside,outside) source dynamic interface
is incomplete and I didn't want to assume, since I couldn't figure it out before. The output I see is:
ciscoasa(config)# nat (inside,outside) source dynamic interface
ERROR: % Incomplete command
The options I have are:
ciscoasa(config)# nat (inside,outside) source dynamic interface ?
configure mode commands/options:
WORD Specify object or object-group name for mapped source
interface Specify interface NAT
pat-pool Specify object or object-group name for mapped source pat pool
I can't believe I'm having this much trouble with this...I'm hoping it doesn't come down to something with AWS...thanks so much for your help!
02-06-2021 07:54 AM
I am sorry, typo error.
try this "nat (inside,outside) dynamic interface"
Regards
sheraz
02-06-2021 08:04 AM
No go...here's the output:
ciscoasa(config)# nat (inside,outside) dynamic interface
ERROR: % Invalid input detected at '^' marker. ( '^' was at the "d" in "dynamic")
ciscoasa(config)# nat (inside,outside) ?
configure mode commands/options:
<1-2147483647> Position of NAT rule within before auto section
after-auto Insert NAT rule after auto section
source Source NAT parameters
Thanks again!!!
02-06-2021 08:41 AM - edited 02-06-2021 09:32 AM
object network vpn-pool
no range 192.168.4.1 192.168.4.254
subnet 192.168.4.0 255.255.255.0
nat (inside,outside) dynamic interface
!
You need to put the above NAT rule in section 2. Just copy, paste and test it.
also could you show tunnel-group configuration and group-policy configuration too.
02-06-2021 12:07 PM
This time, no errors...config took...but still can't surf the net through a full tunnel. UGH!!! I'll message you with the full config (minus anything sensitive) if you'd like to take a look, and again, thanks for all the help!!
02-06-2021 01:41 PM - edited 02-06-2021 02:01 PM
Try the below config and let us know how it works.
group-policy FullTunnel internal
group-policy FullTunnel attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ssl-client ikev2
split-tunnel-policy tunnelall
!
tunnel-group FullTunnel type remote-access
tunnel-group FullTunnel general-attributes
address-pool VPN_range
!
tunnel-group FullTunnel webvpn-attributes
group-alias FullTunnel enable
authentication aaa
!
username test password xxxxxx
!
same-security-traffic permit intra-interface
!
object network vpn-pool
subnet 192.168.4.0 255.255.255.0
description VPN Pool
nat (outside,outside) dynamic interface
02-07-2021 10:52 AM - edited 02-07-2021 11:37 AM
Looking into the issue, we applied a fix by adding a NAT rule for management.
nat (management,management) dynamic interface
This above command fixes the issue for the full-tunnel AnyConnect.
Hope this will help others with similar issues.
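An added example (not from the thread or from Cisco) that checks an ASA config for the two things a tunnel-all client needs to hairpin back out: the intra-interface permit and a dynamic NAT whose real and mapped interfaces are both the interface the VPN terminates on (the accepted fix implies that was management here). The sample config is constructed from the thread's lines; vpn_ifc is an assumed parameter.

```python
import re

# Constructed sample: the relevant lines from the thread with the fix applied.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network vpn-pool
 subnet 192.168.4.0 255.255.255.0
 nat (management,management) dynamic interface
nat (outside,outside) source dynamic vpn-pool interface
nat (inside,outside) source static vpn-pool vpn-pool
"""

# Matches both object NAT ("nat (a,b) dynamic ...") and twice NAT ("nat (a,b) source ...").
NAT_RE = re.compile(r"^\s*nat\s+\((?P<src>[\w/-]+),(?P<dst>[\w/-]+)\)\s+(?P<rest>.*)$")


def parse_nat_rules(config):
    """Return (real_ifc, mapped_ifc, remainder) for every nat line in the config."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            rules.append((m["src"], m["dst"], m["rest"].strip()))
    return rules


def has_hairpin_nat(config, vpn_ifc):
    """True if a dynamic NAT exists with vpn_ifc as both real and mapped interface,
    i.e. traffic that arrives on the VPN interface can be PATed back out of it."""
    return any(src == dst == vpn_ifc and "dynamic" in rest
               for src, dst, rest in parse_nat_rules(config))


def has_intra_interface_permit(config):
    """True if the ASA is allowed to route traffic back out the interface it came in on."""
    return any(l.strip() == "same-security-traffic permit intra-interface"
               for l in config.splitlines())


def hairpin_check(config, vpn_ifc):
    """List the config lines still missing for hairpinning full-tunnel clients on vpn_ifc."""
    missing = []
    if not has_intra_interface_permit(config):
        missing.append("same-security-traffic permit intra-interface")
    if not has_hairpin_nat(config, vpn_ifc):
        missing.append(f"nat ({vpn_ifc},{vpn_ifc}) dynamic interface")
    return missing
```

Running it with the wrong terminating interface (for example inside) reports the missing intra-interface NAT, which is the situation the thread was stuck in before the management rule was added.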
02-07-2021 02:51 PM
Sheraz, thanks so much for your help...incredible kindness and helpfulness...if things ever get back to normal and I find myself in your neck of the woods, dinner's on me!!