
ASA5506 - AnyConnect Issue with Nat

Marc Lawson
Level 1

OK, so I have two ASA 5506s and have configured them both for AnyConnect VPN sessions. The configs are exactly the same except for IP addresses. The issue is that on one of the ASAs the AnyConnect client will only pass traffic while the remote PC is connected to the physical interface inside_1. If the PC is connected to any other of the inside interfaces, i.e. inside_2, inside_3, etc., it will not pass the traffic. AnyConnect will connect on all the interfaces. Both are running the same software version, 9.8(2).

Any ideas?

Here is my VPN config on the ASA:

ip local pool vpn-pool 192.168.4.10-192.168.4.15 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
object network local-192.168.5.0
 subnet 192.168.5.0 255.255.255.0
object network vpn-192.168.4.0
 subnet 192.168.4.0 255.255.255.0
access-list vpn101 standard permit 192.168.5.0 255.255.255.0

nat (inside_1,outside) source static local-192.168.5.0 local-192.168.5.0 destination static vpn-192.168.4.0 vpn-192.168.4.0
nat (inside_2,outside) source static local-192.168.5.0 local-192.168.5.0 destination static vpn-192.168.4.0 vpn-192.168.4.0
nat (inside_3,outside) source static local-192.168.5.0 local-192.168.5.0 destination static vpn-192.168.4.0 vpn-192.168.4.0
nat (inside_4,outside) source static local-192.168.5.0 local-192.168.5.0 destination static vpn-192.168.4.0 vpn-192.168.4.0
nat (inside_5,outside) source static local-192.168.5.0 local-192.168.5.0 destination static vpn-192.168.4.0 vpn-192.168.4.0
nat (inside_6,outside) source static local-192.168.5.0 local-192.168.5.0 destination static vpn-192.168.4.0 vpn-192.168.4.0
nat (inside_7,outside) source static local-192.168.5.0 local-192.168.5.0 destination static vpn-192.168.4.0 vpn-192.168.4.0

!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface

crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 fqdn domain123.com
 subject-name CN=domain123.com
 keypair ssl-vpn3
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint1

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1

ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 inside_1
ssl trust-point ASDM_TrustPoint1 inside_2
ssl trust-point ASDM_TrustPoint1 inside_3
ssl trust-point ASDM_TrustPoint1 inside_4
ssl trust-point ASDM_TrustPoint1 inside_5
ssl trust-point ASDM_TrustPoint1 inside_6
ssl trust-point ASDM_TrustPoint1 inside_7
ssl trust-point ASDM_TrustPoint1 inside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.9.04043-webdeploy-k9.pkg 1
 anyconnect profiles l-vpn_client_profile disk0:/l-vpn_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_l-vpn internal
group-policy GroupPolicy_l-vpn attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn101
 default-domain none
 webvpn
  anyconnect profiles value l-vpn_client_profile type user

tunnel-group l-vpn type remote-access
tunnel-group l-vpn general-attributes
 address-pool vpn-pool
 default-group-policy GroupPolicy_l-vpn
tunnel-group l-vpn webvpn-attributes
 group-alias l-vpn enable
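The per-interface NAT rules the post is chasing, as an added example that is not part of the original thread and not Cisco tooling: a small Python linter that reads an ASA running-config (or a forum paste of one with the indentation lost) and reports, for each bridge-group member interface, whether the identity twice-NAT rule exempting LAN <-> VPN pool and the dynamic PAT rule towards the outside interface exist, and whether same-security-traffic permit inter-interface is set. It assumes the outside nameif is "outside" (a parameter, matching the posted config). SAMPLE_CONFIG is a constructed, trimmed copy of the posted config with the inside_2 exemption removed so the script has something to flag.

```python
"""Added example (not from the original post): check an ASA running-config for the
per-interface NAT rules AnyConnect split-tunnel traffic needs when the LAN sits
behind a bridge group, as on the ASA 5506 in the thread.  For every bridge-group
member interface with a nameif, look for an identity twice-NAT (member,outside)
rule exempting LAN <-> VPN pool and a dynamic PAT (member,outside) rule.
SAMPLE_CONFIG is a constructed, trimmed copy of the posted config with the
inside_2 exemption deliberately left out."""
import ipaddress
import re

NAT_RE = re.compile(r"^nat \(([^,]+),([^)]+)\)\s+(.*)$")
IDENTITY_RE = re.compile(r"^source static (\S+) (\S+) destination static (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-\S+ mask \S+")
SAME_SEC = "same-security-traffic permit inter-interface"

SAMPLE_CONFIG = """\
ip local pool vpn-pool 192.168.4.10-192.168.4.15 mask 255.255.255.0
interface GigabitEthernet1/1
 nameif outside
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
!
interface BVI1
 nameif inside
 ip address 192.168.5.1 255.255.255.0
object network local-192.168.5.0
 subnet 192.168.5.0 255.255.255.0
object network vpn-192.168.4.0
 subnet 192.168.4.0 255.255.255.0
nat (inside_1,outside) source static local-192.168.5.0 local-192.168.5.0 destination static vpn-192.168.4.0 vpn-192.168.4.0
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
"""


def parse_config(text):
    """Extract interfaces, network objects, pool start addresses and NAT rules (indentation optional)."""
    ifaces, objects, pools, nat_rules = [], {}, [], []
    cur_if = cur_obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur_if = cur_obj = None
        elif line.startswith("interface "):
            cur_if, cur_obj = {"name": None, "bg": None}, None
            ifaces.append(cur_if)
        elif line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
        elif m := NAT_RE.match(line):
            nat_rules.append(m.groups())  # (src_if, dst_if, rest of rule)
        elif m := POOL_RE.match(line):
            pools.append(ipaddress.ip_address(m.group(1)))
        elif cur_if is not None and line.startswith("nameif "):
            cur_if["name"] = line.split()[1]
        elif cur_if is not None and line.startswith("bridge-group "):
            cur_if["bg"] = int(line.split()[1])
        elif cur_obj is not None and line.startswith("subnet "):
            _, addr, mask = line.split()
            objects[cur_obj] = ipaddress.ip_network(f"{addr}/{mask}")
    # Only bridge-group members carry NAT here; the BVI itself has no bridge-group line.
    members = {i["name"]: i["bg"] for i in ifaces if i["name"] and i["bg"] is not None}
    return {"members": members, "objects": objects, "pools": pools, "nat": nat_rules}


def check_vpn_nat(text, outside_if="outside"):
    """Return a list of findings; empty means every member interface is covered.
    The outside nameif is an assumption (it is 'outside' in the posted config)."""
    cfg = parse_config(text)
    # The VPN pool object is whichever network object contains a pool start address.
    pool_obj = next((n for n, net in cfg["objects"].items()
                     if any(a in net for a in cfg["pools"])), None)
    if pool_obj is None:
        return ["no network object covers the AnyConnect address pool"]

    def has_rule(member, pred):
        return any(s == member and d == outside_if and pred(r) for s, d, r in cfg["nat"])

    def is_exemption(rest):  # source static X X destination static POOL POOL
        m = IDENTITY_RE.match(rest)
        return bool(m) and m.group(1) == m.group(2) and m.group(3) == m.group(4) == pool_obj

    findings = []
    for member, bg in sorted(cfg["members"].items()):
        if not has_rule(member, is_exemption):
            findings.append(f"{member} (bridge-group {bg}): no identity NAT for LAN <-> {pool_obj}")
        if not has_rule(member, lambda r: r == "dynamic interface"):
            findings.append(f"{member} (bridge-group {bg}): no dynamic PAT to {outside_if}")
    if not any(l.strip() == SAME_SEC for l in text.splitlines()):
        findings.append(f"'{SAME_SEC}' is not configured")
    return findings
```

Feed it the text of show running-config via check_vpn_nat(). A member interface that has the object NAT rule but no manual (section 1) identity rule gets its LAN-to-pool traffic PATed to the outside address instead of being left alone, which produces exactly the symptom in the post: clients work behind the one interface that has the exemption and nowhere else. The same-security line is only a presence check; whether it matters depends on whether traffic has to cross two named interfaces on that unit.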

4 Replies

Cisco ASA inter-VLAN needs Security Plus. Check the license on both; you will see it is different.

What is odd is that one has Security Plus and the other does not. The one that is working does not have the Security Plus license, while the one that is not working has the Security Plus license.

You need the same-security inter-interface command to allow traffic from one interface to the other.

Also, send me the version and license of both.

Not sure I understand needing the same-security inter-interface command to make traffic pass from one interface to the other, because it is working on one of them without any different commands.

This is the one that is working.
cisco# sh ver
Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual

This platform has a Base license.

*********************************************************************

This is the one that is not working.
cisco# sh ver

Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 30 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 50 perpetual
Total VPN Peers : 50 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 160 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual

This platform has an ASA 5506 Security Plus license.