12-09-2016 07:06 AM
Hey all
I am having issues allowing AnyConnect users to access remote resources via site-to-site tunnels. I have 3 locations: A, B, C. A (9.6) has a tunnel to both B (8.2) and C (8.2). Clients AnyConnect to A and access resources there but are not able to access anything on B or C. I am sure I have the NAT statements messed up.
Here is the A config
: Saved
:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname ciscoasa
enable password fCUCGJvREJe.MlC/ encrypted
names
ip local pool SSL_VPN_POOL 10.102.0.1-10.102.0.51 mask 255.255.0.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.20.138 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.101.0.1 255.255.0.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network SSL_VPN_CLIENTS
subnet 10.102.0.0 255.255.0.0
object network NETWORK_OBJ_10.102.0.0_26
subnet 10.102.0.0 255.255.255.192
object-group network WK_LAN
description All_PME_LANS
network-object 10.10.0.0 255.255.0.0
network-object 10.13.0.0 255.255.0.0
network-object 10.15.0.0 255.255.0.0
network-object 10.16.0.0 255.255.0.0
network-object 10.9.0.0 255.255.0.0
object-group network LA_LANS
description ALL_LA_LANS
network-object 10.101.0.0 255.255.0.0
object-group network HV_LANS
description ALL_HV_LANS
network-object 10.20.0.0 255.255.0.0
network-object 10.21.0.0 255.255.0.0
network-object 10.22.0.0 255.255.0.0
object-group network PME_LANS
group-object HV_LANS
group-object WK_LAN
access-list LA_CRYPTO extended permit ip object-group LA_LANS object-group WK_LAN
access-list outside_access_in extended permit ip 10.101.0.0 255.255.0.0 object-group WK_LAN
access-list outside_access_in extended permit ip 10.101.0.0 255.255.0.0 object-group HV_LANS
access-list Split-Tunnel standard permit 10.101.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.10.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.16.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.20.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.21.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.22.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.13.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.102.0.0 255.255.0.0
access-list HV_CRYPTO extended permit ip object-group LA_LANS object-group HV_LANS
pager lines 24
logging enable
logging asdm informational
no logging message 106023
mtu outside 1500
mtu inside 1500
mtu inside_vpn 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.102.0.0_26 NETWORK_OBJ_10.102.0.0_26 no-proxy-arp route-lookup
nat (outside,outside) source static SSL_VPN_CLIENTS SSL_VPN_CLIENTS destination static HV_LANS HV_LANS
nat (outside,outside) source static SSL_VPN_CLIENTS SSL_VPN_CLIENTS destination static WK_LAN WK_LAN
nat (inside,outside) source static SSL_VPN_CLIENTS SSL_VPN_CLIENTS destination static WK_LAN WK_LAN
nat (inside,outside) source static LA_LANS LA_LANS destination static PME_LANS PME_LANS
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.20.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server PME_RADIUS protocol radius
dynamic-authorization
aaa-server PME_RADIUS (inside) host 10.101.0.4
key *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.101.0.0 255.255.0.0 inside
http 10.102.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set PM1 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 10 match address HV_CRYPTO
crypto map outside_map 10 set peer SiteA_IP
crypto map outside_map 10 set ikev1 transform-set PM1
crypto map outside_map 20 match address LA_CRYPTO
crypto map outside_map 20 set peer SiteB_IP
crypto map outside_map 20 set ikev1 transform-set PM1
crypto map outside_map interface outside
crypto ca trustpoint SSL-Trustpoint
enrollment terminal
fqdn lavpn.company.com
subject-name CN=lavpn.company.com,O=Company Inc,C=US,St=State,L=City
keypair SSL_VPN_KEY_PAIR
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=10.101.0.1,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain SSL-Trustpoint
certificate 008fe471b053000411
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate e8d84658
quit
crypto isakmp nat-traversal 3600
no crypto ikev2 fragmentation
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.101.0.0 255.255.0.0 inside
telnet timeout 120
ssh stricthostkeycheck
ssh 10.101.0.0 255.255.0.0 inside
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside
tftp-server inside 10.10.2.30 <YYYYMMDD-ASA5506-LA>
ssl trust-point SSL-Trustpoint outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.3.04027-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 3
anyconnect profiles PME_SSL_Profile disk0:/AnyConnectProfile20161207.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_LA_SSL internal
group-policy GroupPolicy_LA_SSL attributes
wins-server none
dns-server value 10.101.0.4
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel
default-domain value pme.local
dynamic-access-policy-record DfltAccessPolicy
tunnel-group SiteB_IP type ipsec-l2l
tunnel-group SiteB_IP ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group LA_SSL type remote-access
tunnel-group LA_SSL general-attributes
address-pool SSL_VPN_POOL
authentication-server-group PME_RADIUS
default-group-policy GroupPolicy_LA_SSL
tunnel-group LA_SSL webvpn-attributes
group-alias LA_SSL enable
tunnel-group SiteA_IP type ipsec-l2l
tunnel-group SiteA_IP ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
ciscoasa(config)#
12-09-2016 10:10 AM
Hi Cybervex3,
Considering your AnyConnect clients are getting an IP from the pool 10.102.x.x, that range of IPs needs to be allowed in the interesting traffic of the tunnels, and it is not:
access-list HV_CRYPTO extended permit ip object-group LA_LANS object-group HV_LANS
access-list LA_CRYPTO extended permit ip object-group LA_LANS object-group WK_LAN
object-group network LA_LANS
description ALL_LA_LANS
network-object 10.101.0.0 255.255.0.0
So you need to add the following group to the interesting traffic:
object network SSL_VPN_CLIENTS
subnet 10.102.0.0 255.255.0.0
Example:
access-list HV_CRYPTO extended permit ip object SSL_VPN_CLIENTS object-group HV_LANS
access-list LA_CRYPTO extended permit ip object SSL_VPN_CLIENTS object-group WK_LAN
So clients from SSL_VPN_CLIENTS are going to be able to access WK_LAN and HV_LANS through the VPN tunnel. Keep in mind this change needs to be done on both sides of the tunnel, since the interesting traffic needs to be mirrored.
The U-turn NAT and the same-security intra-interface traffic are already configured, so adding that extra line to the interesting traffic should do the trick.
Hope this info helps!!
Rate if it helps you!!
-JP-
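As an added example (not code from the thread, from Cisco, or from JP), the script below parses the object, object-group and extended access-list lines out of ASA configuration text and evaluates one client flow against the crypto ACL on both ends of the tunnel. Site A's lines are the ones posted above; the HV peer's configuration is not in the thread, so its mirrored ACL (named TO_LA here), the constructed PEER text and the two sample hosts in run_checks are assumptions made for the example. It shows the mirroring point from the answer: adding the SSL_VPN_CLIENTS entry only on site A still leaves the flow uncarried until the peer's crypto ACL is updated as well.

```python
"""Is a given flow 'interesting traffic' for an ASA crypto-map ACL, locally and as mirrored
on the peer? Added example for this thread (not Cisco's or the poster's code); it parses
only the ASA syntax the thread uses."""
import ipaddress


def _net(addr, mask=None):
    # Network from ASA 'A.B.C.D M.M.M.M' notation, or a bare host/CIDR string.
    return ipaddress.ip_network(addr if mask is None else f"{addr}/{mask}", strict=False)


def parse_asa(text):
    """Return (defs, acls): defs maps ('object'|'object-group', name) to ('net', network)
    or ('ref', key) items; acls maps a name to ordered (action, operand tokens) entries."""
    defs, acls, body = {}, {}, None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0][0] in "!:":      # blank lines, '!' separators, ': Saved'
            continue
        if toks[:2] == ["object", "network"]:
            body = defs.setdefault(("object", toks[2]), [])
        elif toks[:2] == ["object-group", "network"]:
            body = defs.setdefault(("object-group", toks[2]), [])
        elif toks[0] == "access-list":          # keep 'extended ... ip' entries only; the
            body = None                         # standard split-tunnel ACL is not a crypto ACL
            if len(toks) > 5 and toks[2] == "extended" and toks[4] == "ip":
                acls.setdefault(toks[1], []).append((toks[3], toks[5:]))
        elif body is not None:
            if toks[0] == "subnet":
                body.append(("net", _net(toks[1], toks[2])))
            elif toks[0] == "host" or toks[:2] == ["network-object", "host"]:
                body.append(("net", _net(toks[-1])))
            elif toks[0] == "network-object":
                body.append(("net", _net(toks[1], toks[2])))
            elif toks[0] == "group-object":
                body.append(("ref", ("object-group", toks[1])))
    return defs, acls


def _resolve(key, defs, seen=frozenset()):
    """Flatten an object or object-group into networks, following nested group-objects."""
    if key in seen:
        raise ValueError(f"circular reference through {key}")
    nets = []
    for kind, val in defs[key]:
        nets += [val] if kind == "net" else _resolve(val, defs, seen | {key})
    return nets


def _operand(toks, defs):
    """Consume one SRC or DST operand from an ACL entry and return its networks."""
    t = toks.pop(0)
    if t in ("any", "any4"):
        return [_net("0.0.0.0/0")]
    if t == "host":
        return [_net(toks.pop(0))]
    if t in ("object", "object-group"):
        return _resolve((t, toks.pop(0)), defs)
    return [_net(t, toks.pop(0))]


def acl_permits(cfg, acl_name, src_ip, dst_ip):
    """First-match evaluation of src->dst; no matching entry is the implicit deny (False)."""
    defs, acls = cfg
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, operand_toks in acls.get(acl_name, []):
        toks = list(operand_toks)
        src_nets, dst_nets = _operand(toks, defs), _operand(toks, defs)
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            return action == "permit"
    return False


def tunnel_carries(local, local_acl, peer, peer_acl, src_ip, dst_ip):
    """The tunnel carries src->dst only if the local crypto ACL permits it AND the
    peer's crypto ACL permits the mirror image dst->src."""
    return acl_permits(local, local_acl, src_ip, dst_ip) and acl_permits(peer, peer_acl, dst_ip, src_ip)


# Site A's relevant posted lines, then the same plus the line the accepted answer adds.
SITE_A = """
object network SSL_VPN_CLIENTS
 subnet 10.102.0.0 255.255.0.0
object-group network LA_LANS
 network-object 10.101.0.0 255.255.0.0
object-group network HV_LANS
 network-object 10.20.0.0 255.255.0.0
 network-object 10.21.0.0 255.255.0.0
 network-object 10.22.0.0 255.255.0.0
access-list HV_CRYPTO extended permit ip object-group LA_LANS object-group HV_LANS
"""
SITE_A_FIXED = SITE_A + "access-list HV_CRYPTO extended permit ip object SSL_VPN_CLIENTS object-group HV_LANS\n"
# The HV peer's config is not in the thread: this mirror (same objects, ACL 'TO_LA' with the
# direction reversed) and the two hosts in run_checks are CONSTRUCTED for the example.
PEER = SITE_A.split("access-list")[0] + "access-list TO_LA extended permit ip object-group HV_LANS object-group LA_LANS\n"
PEER_FIXED = PEER + "access-list TO_LA extended permit ip object-group HV_LANS object SSL_VPN_CLIENTS\n"


def run_checks(client="10.102.0.7", hv_host="10.20.1.10"):
    a, a_fixed, p, p_fixed = (parse_asa(c) for c in (SITE_A, SITE_A_FIXED, PEER, PEER_FIXED))
    return {
        "as_posted": tunnel_carries(a, "HV_CRYPTO", p, "TO_LA", client, hv_host),
        "local_side_only_fixed": tunnel_carries(a_fixed, "HV_CRYPTO", p, "TO_LA", client, hv_host),
        "both_sides_fixed": tunnel_carries(a_fixed, "HV_CRYPTO", p_fixed, "TO_LA", client, hv_host),
        "inside_lan_as_posted": tunnel_carries(a, "HV_CRYPTO", p, "TO_LA", "10.101.0.50", hv_host),
    }
```

Running run_checks() gives False for the posted config and for the half-done fix, and True only once both crypto ACLs carry the pool; the inside LAN flow is True throughout, which matches the symptom in the question (site A's own hosts work, AnyConnect clients do not). The same parser can be pointed at a full running-config paste, since it skips everything it does not recognise.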
12-11-2016 10:22 PM
You are correct. I had forgotten, while going back and forth between FWs, that I had changed the pool for AnyConnect and never added the change. Humbling to realize such a mistake while TAC was fixing it. :)