ASA setup only use for AnyConnect VPN addresses

Wan_Whisperer
Level 1

All,

 

I have an ASA that I have set up only to use AnyConnect. I have AnyConnect working with split tunneling.

 

I don't understand the pool of IPs used for the VPN and how the signal flows.

 

My inside is 172.22.0.4 255.255.255.0

My outside is XXX.XXX.XXX.22 255.255.255.0

 

Would I use my inside network addresses as the pool? i.e. start 172.22.0.5, ending 172.22.0.10

 

What is the signal flow for the user?

 

1. AnyConnect user computer IP address is 192.168.1.2.

Then it hits the AnyConnect client on the computer and it's NATed to an IP from the range I created above... let's say 172.22.0.5. (Is that where it's NATed? Or is it at the ASA?)

2. IP address is now 172.22.0.5 inside the ASA? If so, how, and what interface does it exit? (I'm guessing it leaves the inside interface.) How does it return... does the switch create an ARP entry for the inside interface?

3. Then the packet returns to the inside interface and leaves the ASA.

4. Hits the AnyConnect client, then reverse NAT, then user.

 

I cannot fix my issue because I don't really understand what's happening.

 

Thanks!

 

3 Replies

Rahul Govindan
VIP Alumni

You can use any IP address for the VPN pool as long as 1) it does not conflict with any other IP addresses/subnets used in your network and 2) the internal network devices can route back to the ASA to reach the VPN pool.

 

When a client connects to the ASA using AnyConnect, a virtual adapter is turned up on the client machine. This is what receives the IP address from the pool. The client installs a route to the virtual adapter for all the networks mentioned in the split tunnel list. So on the client side, any traffic initiated towards the split-tunneled networks is sourced from the VPN pool IP assigned. Once it hits the adapter, it is encrypted and carried all the way to the ASA headend. Note that at this point, the source and destination IP headers are your client's physical IP address (assigned via wired/wireless and translated to public by your ISP) and the ASA public IP address. Once the ASA receives and decrypts it, we have the original data packet from the VPN pool IP to the internal destination. The ASA just routes it through the correct interface (inside interface in your case). The inside host then responds back to the VPN client IP address and the same process is followed again.

 

Hope this answers how the setup works. 

 

Thanks for the reply, but I still do not fully understand.

 

My inside is 172.22.0.4 255.255.255.0

My outside is XXX.XXX.XXX.22 255.255.255.0

My VPN pool is 10.0.1.0-25

The ASA inside and outside interfaces are on the same switch. Both interfaces on the switch are set up as access ports in their respective VLANs.

I have one static route in the ASA that points all traffic out the outside interface: 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1. I do not think this is right because the traffic would never leave out of the inside interface. (Remember I am only using this for AnyConnect. Do I need an inside and outside interface?)

 

So... once the packet routes from AnyConnect and then leaves the ASA for my local network, is its IP address from "My VPN pool is 10.0.1.0-25"?

If that is the case, then I will need a static route telling traffic headed back to the VPN to go back to the inside ASA address: 10.0.1.0 255.255.255.0 172.22.0.4. Is this correct?

 

Thanks for your input and time.

If you have just one network behind the inside interface (which is the same subnet as the inside interface), then you do not need to add a route. If you look at the routing table on the ASA (show route), you should see a connected route for the inside subnet. This should allow AnyConnect clients to go out via the inside interface to hit inside hosts. If you have more than 1 network behind the ASA, you would need to add a route on the ASA that points to the next hop.

 

Are your VPN users sitting on the inside or outside? Share your ASA config if you can.
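As an added illustration of the setup both replies describe (this is not configuration from the original poster, from Rahul, or from Cisco documentation), here is a minimal ASA fragment using the thread's addresses: a 10.0.1.0/24 pool that does not overlap the 172.22.0.0/24 inside subnet, a split-tunnel list carrying only the inside subnet, and the default route out the outside interface, followed by the return route an inside switch or router needs only when inside hosts do not already default-route to the ASA. The pool, ACL, group-policy and tunnel-group names are assumed, and AnyConnect is assumed to be already enabled under webvpn, as the poster says it is.

```cisco
! --- ASA: VPN pool, split-tunnel list, and the policy/tunnel-group that tie them together ---
! Pool from the thread (10.0.1.0-25). It must not overlap 172.22.0.0/24 (inside) or any other
! subnet in use; names below are assumed for this example.
ip local pool ANYCONNECT-POOL 10.0.1.1-10.0.1.25 mask 255.255.255.0
!
! Only the inside subnet is sent through the tunnel; everything else leaves the client directly.
access-list SPLIT-TUNNEL standard permit 172.22.0.0 255.255.255.0
!
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 address-pools value ANYCONNECT-POOL
!
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP
!
! Default route toward the ISP, as in the thread. The inside subnet needs no route on the ASA:
! it appears as a connected route via the inside interface (verify with: show route).
! Only a second network behind a further inside router would need an explicit route, e.g.
!   route inside <other-inside-subnet> <mask> <next-hop-on-172.22.0.0/24>
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1
!
! --- Inside switch/router (IOS syntax), only if inside hosts do not default-route to the ASA ---
! Decrypted packets arrive on the inside VLAN sourced from 10.0.1.x; replies must be steered
! back to the ASA inside address 172.22.0.4 or the return path in Rahul's description breaks.
ip route 10.0.1.0 255.255.255.0 172.22.0.4
```

If the inside hosts' default gateway is the ASA itself, the last line is unnecessary, since return traffic to 10.0.1.x already reaches the ASA and is matched to the connected client's tunnel.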