04-28-2010 09:34 AM
Hello Cisco,
I have a design question in building a VPN Cluster using Anyconnect.
I have a customer that wants to map 4 groups to a corresponding VLAN.
For example:
employee - Vlan 94
Admin - Vlan 95
IT - Vlan 96
etc....
Each Vlan has a specific pool configured, and on the switch side, there is a Vlan interface that is configured as the DG for that subnet.
Now this appears to work just fine from a mapping perspective, however, the question becomes routing. I've noted that there have been others that have run into this issue where the "route <interface> 0 0 tunneled" provides a tunnel default gateway for newly unencrypted traffic "globally"... meaning that you can set a DG for the VPN clients as a whole, however this option doesn't work when these clients groups are mapped to specific VLANs.
So the bottom line question is: Does VLAN Mapping as a limitation only allow access to the local subnet where the user is assigned based on his group configuration, and there is no way to allow them to route off that particular subnet using the the DG for that subnet?
Thanks.
Steve
08-01-2012 05:36 AM
Hi Axel,
Please collect the "debug ldap 255" and the "debug aaa common 255" during a connection attempt.
Also attach the "show run tunnel-group", "show run group-policy", "show run aaa-server" and "show run ldap-attribute-map".
Let us know:
username:
tunnel-group:
Thanks.
08-01-2012 09:12 AM
Attached is Config and Log.
I do have a TAC Case concerning this problem by now as well (622633357), createde from Discussion https://supportforums.cisco.com/thread/2163198?tstart=0 - thought it fits better in a seperate discussion.
just so you won't do work twice.
Thanks so far,
Axel
07-30-2012 08:43 AM
Or you can use DAP as well...
http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml
04-14-2020 09:45 AM
Hi Gustavo,
thanks for this post. This helped us in one use case as customer required a different default gateway for a specific VPN Group (due to the outbreak, most of the user works remotely). So Anyconnect goes full-tunnel but their default gateway is the one defined in the ASA for that specific DMZ. This means Anyconnect browse internet via that DMZ (this is not U-turn or hair pinning). So requirements are as you say:
1.-VLAN Restriction (in ASDM. Via CLI is a VLAN tied to the group-policy)
2.-Enter a default route via that DMZ with higher metric. Note: will not appear in the ASA routing table but will work just for that VPN Group with the VLAN restriction. All flows goes thru that VLAN and its specific default gateway.
Thanks!
04-20-2014 05:20 AM
Hi!
I think I'm in a pretty similar problem right now.
The only difference being the ASA itself serves as a default gateway for all the VLANs/subnets that I need to route to..
I have an outside interface and then a couple of inside ones (subinterfaces for each vlan)
However I still get this when I'm trying to connect to VLAN101 host from VLAN102 - that is a VPN client and therefore is coming from the outside interface:
Routing failed to locate next hop for TCP from outside:<internal vlan ip from VLAN102>/60093 to vlan101:<internal vlan ip from VLAN101>/443
And while trying to set a default gateway as you said (with higher metric than the default gateway that I normally have) I get this error:
Invalid next hop address, it belongs to one of our interfaces
Am I being stupid with my configuration or am I screwed?
Thanks!
04-20-2014 10:11 AM
Hello Lukas,
Can you share your current running configuration as well as your "sh route"?
-Gustavo
04-22-2014 08:11 AM
Hello Gustavo,
thanks for taking time to reply :-)
I'm attaching both the current config and routes - I've deleted some stuff of running config (but only the irrelevant stuff like other non-affected interfaces and CA and certificates and stuff that only takes place and bothers).
Config:
ASA Version 9.1(5) ! hostname asa domain-name ii xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4 any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-session deny udp any4 any6 eq domain xlate per-session deny udp any6 any4 eq domain xlate per-session deny udp any6 any6 eq domain names ! interface GigabitEthernet0/0 nameif trunk security-level 0 no ip address ! interface GigabitEthernet0/0.101 vlan 101 nameif ii_services security-level 0 ip address 172.30.151.234 255.255.255.0 ! interface GigabitEthernet0/0.102 vlan 102 nameif ii_users security-level 0 ip address 172.30.152.234 255.255.255.0 ! interface GigabitEthernet0/0.201 vlan 201 nameif upc security-level 0 ip address 192.168.234.3 255.255.255.0 ! boot system disk0:/asa915-smp-k8.bin boot system disk0:/asa914-smp-k8.bin ftp mode passive clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 dns domain-lookup trunk dns domain-lookup upc dns domain-lookup ii_services dns domain-lookup ii_users dns server-group DefaultDNS domain-name ii same-security-traffic permit inter-interface object network upc_pat subnet 0.0.0.0 0.0.0.0 description NAT for upc connection object network ii_users subnet 172.30.152.0 255.255.255.0 object network ii_services subnet 172.30.151.0 255.255.255.0 access-list ii_users standard permit 172.30.151.0 255.255.255.0 access-list ii_users standard permit 172.30.152.0 255.255.255.0 pager lines 24 logging enable logging asdm informational mtu trunk 1500 mtu upc 1500 mtu ii_services 1500 mtu ii_users 1500 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-716.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (upc,any) source static ii_users ii_users no-proxy-arp ! object network upc_pat nat (any,upc) dynamic interface route upc 0.0.0.0 0.0.0.0 192.168.234.1 1 track 1 webvpn enable upc anyconnect-essentials anyconnect image disk0:/anyconnect-macosx-i386-3.1.05160-k9.pkg 1 anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 2 anyconnect image disk0:/anyconnect-linux-64-3.1.05160-k9.pkg 3 anyconnect enable group-policy DfltGrpPolicy attributes vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless default-domain value ii group-policy grp_ii_users internal group-policy grp_ii_users attributes banner value grp_ii_users dhcp-network-scope 172.30.152.0 split-tunnel-policy tunnelspecified split-tunnel-network-list value ii_users vlan 102 tunnel-group DefaultWEBVPNGroup general-attributes authentication-server-group ii_radius dhcp-server link-selection 172.30.160.2 username-from-certificate UPN tunnel-group DefaultWEBVPNGroup webvpn-attributes authentication aaa certificate pre-fill-username ssl-client hide ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:f14379244cafbd85b6ed4c735a7c7b21 : end
and the routes:
Gateway of last resort is 192.168.234.1 to network 0.0.0.0 C 172.30.151.0 255.255.255.0 is directly connected, ii_services C 172.30.152.0 255.255.255.0 is directly connected, ii_users C 192.168.234.0 255.255.255.0 is directly connected, upc S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.234.1, upc
If you feel a need for any additional information I'll be happy to provide it.
Thanks a lot again,
Lukas
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide