Cisco AnyConnect configuration

ALIAOF_ (Level 6)

I'm in the process of deploying Cisco AnyConnect. Most of it is configured and functional. There are just a couple of things I am trying to figure out and can't seem to find any documentation on. I'm running 8.4 code on my ASA and AnyConnect version 3.1. My firewall's gi0/0 is connected to the ISP router with a public IP. We have 16 IPs from the ISP.

1- I want to use a different IP address, not the interface IP address, for the AnyConnect login page. So for instance, if my interface IP is 1.1.1.1/28 and my standby is 1.1.1.2/28, I want the IP for the VPN service to be 1.1.1.10/28.

********** I think it might not be possible because AnyConnect will use the interface IP only, correct? **********

2- I want to be able to give users Internet access once they log in, but I want all the Internet traffic to go through the tunnel as well. Under Group Policy --> Advanced --> Split Tunneling I tried to change the "Policy" setting to Tunnel All; Internet does not work. When I choose Tunnel Network List Below and choose the VPN network only, it works, but it goes through the local Internet. I understand this requires a U-turn. This is how the outgoing PAT is set up:

******* Now since there is a PAT set up for all inside traffic to use the IP like this ***********

object network outside_pat
subnet 0.0.0.0 0.0.0.0
nat (any,outside) dynamic 1.1.1.5
***** VPN DHCP pool is from one of the internal subnets and there is a NAT setup like this *****

nat (inside,outside) source static InsideNetworks InsideNetworks destination static VPNPOOL VPNPOOL

I am not quite sure what I need to do to get this accomplished. I looked at this document, http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml. But according to that document, just PATing the VPN pool to the global NAT for outgoing traffic should do the trick, and that is technically already done in my case because the VPNPOOL is part of the inside traffic.

3- TLS v1 and SSL 3.0. When I try to choose TLS v1 only for server and client I get an error message, but it does change. Now I disabled TLS v1 and SSL 3.0 in my browser and I was still able to log in. Is that behavior normal?


13 Replies

Jennifer Halim (Cisco Employee)

1 - Yes you are absolutely correct. The AnyConnect or any other VPN on ASA can only be configured to connect to the Interface IP, not any other spare IP address.

2 - In regards to this query, I would suggest that you configure a more specific PAT as follows:

object network vpn-pool
   subnet
   nat (outside,outside) dynamic 1.1.1.5

Also, you would need to configure: same-security-traffic permit intra-interface

This command allows u-turn traffic.

3 - This might need further investigation. What exactly did you configure with the "ssl server-version" command? Also, please run debugs to see what they say.
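One way to settle question 3 from outside the ASA, as an added example that is not part of this thread or of Cisco's documentation: make one handshake per protocol version against the head-end and record which versions it actually negotiates, instead of relying on a browser's settings having taken effect. The host name vpn.example.com is a placeholder; whether SSLv3 or TLS 1.0 can be offered at all depends on the probing host's OpenSSL build, so the script distinguishes "rejected by the server" from "unavailable locally".

```python
"""Added example, not from the thread: probe which SSL/TLS versions a VPN
head-end will negotiate, so "ssl server-version tlsv1-only" is verified from
the outside rather than inferred from a browser's settings.

Assumed: a placeholder host name (vpn.example.com) and Python 3.7+; which
legacy versions can be tested at all depends on the local OpenSSL build."""
import socket
import ssl
import sys

# Oldest first. The ssl.HAS_* flags say whether the local library can even
# offer a version; if not, the probe reports "unavailable", not "rejected".
CANDIDATES = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
LEGACY = {"SSLv3", "TLSv1", "TLSv1_1"}


def probe_version(host, port, name, timeout=5.0):
    """One handshake pinned to a single protocol version.

    Returns "accepted" (server negotiated it), "rejected" (handshake
    refused), "unavailable" (local library cannot offer it) or "error"
    (no TCP connection at all)."""
    if not getattr(ssl, "HAS_" + name, False):
        return "unavailable"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # the certificate is not under test here
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = getattr(ssl.TLSVersion, name)
        ctx.maximum_version = getattr(ssl.TLSVersion, name)
    except (ValueError, ssl.SSLError):
        return "unavailable"
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let legacy suites be offered
    except ssl.SSLError:
        pass  # LibreSSL has no security levels; keep the default list
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError:          # alert / no shared protocol: server said no
        return "rejected"
    except OSError:               # refused, unreachable, timed out
        return "error"


def probe_all(host, port=443):
    """Probe every candidate version against one endpoint."""
    return {name: probe_version(host, port, name) for name in CANDIDATES}


def assess(results):
    """Turn a results dict into findings a change record can quote."""
    findings = []
    accepted = [v for v in CANDIDATES if results.get(v) == "accepted"]
    for v in accepted:
        if v in LEGACY:
            findings.append("%s accepted: legacy version still enabled" % v)
    if not accepted:
        findings.append("no version accepted: check reachability or local library support")
    elif all(v in LEGACY for v in accepted):
        findings.append("only legacy versions accepted: clients that disable them cannot connect")
    for v in CANDIDATES:
        if results.get(v) == "unavailable":
            findings.append("%s not testable from this host (library lacks it)" % v)
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # placeholder
    outcome = probe_all(target)
    for name in CANDIDATES:
        print("%-8s %s" % (name, outcome[name]))
    for line in assess(outcome):
        print("finding:", line)
```

Run it as `python3 probe_tls.py vpn.example.com` from a host on the Internet side of the ASA. On 8.4 code `ssl server-version tlsv1-only` means TLS 1.0 exclusively (TLS 1.1 and 1.2 on the ASA arrived in 9.3(2)), so a modern probing host whose OpenSSL refuses TLS 1.0 locally will report it as unavailable or rejected; cross-check with `openssl s_client -connect host:443 -tls1` before concluding that the ASA setting had no effect.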

Jennifer thank you for the reply, on #2 you typed "nat (outside,outside) dynamic 1.1.1.5".  I'm assuming it is supposed to be "nat (inside,outside) dynamic 1.1.1.5"?

#2 is correct, it should be "nat (outside,outside)" as the VPN traffic is terminating on the outside, and going outbound via the outside interface as well.

I did that. Of course I couldn't do it for the same 1.1.1.5 because it is already in use, so I used another IP address that is assigned to us. I set the AnyConnect options to "Tunnel All Traffic", and no use, I can't access the Internet.

This is the error I get when I try to reach anything outside:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to NAT reverse path failure.

An attempt to connect to a mapped host using its actual address was rejected.

1) Do you have "same-security-traffic permit intra-interface" configured?

2) Also, if you have any other NAT statement that has the "any" keyword, please modify it to use a more specific subnet, otherwise it will incorrectly match on a different NAT statement.

I actually have these two statements in there:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

Here is the NAT configuration that might be causing the issue then, I guess. So you mean change the subnet from "0.0.0.0 0.0.0.0" to specific subnets? I guess I will have to change the way this is written completely and use twice NAT?

object network outside_pat
subnet 0.0.0.0 0.0.0.0
nat (any,outside) dynamic 66.xxx.xxx.xxx

I also have this that is exempting all the networks

object-group network Inside_Net
network-object 192.168.0.0 255.255.255.0
network-object 10.1.4.0 255.255.255.0
network-object 10.1.5.0 255.255.255.0
network-object 10.1.8.0 255.255.255.0
network-object 10.1.48.0 255.255.252.0
network-object 10.1.128.0 255.255.252.0
network-object 10.1.132.0 255.255.252.0
network-object 10.1.136.0 255.255.252.0
network-object 10.1.160.0 255.255.252.0
network-object 10.1.200.0 255.255.252.0
!
object network VPN-Pool
subnet 10.1.200.48 255.255.255.240
!
nat (inside,outside) source static Inside_Net Inside_Net destination static VPN-Pool VPN-Pool

Just a little update: I configured this on one of our other firewalls, where all the site-to-site VPNs are terminating, and the scenario worked. However, it was getting to the Internet through the first firewall with our main ISP. I noticed that this VPN firewall, which is connected to ISP 2, had the following extra line in there:

S    0.0.0.0 0.0.0.0 [255/0] via 10.1.200.1, inside tunneled

Per following two links:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b4f50d.shtml

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html

So perhaps I need to add that line on the first firewall where I was originally testing AnyConnect?

route inside 0.0.0.0 0.0.0.0 10.1.200.1 tunneled

The route with the "tunneled" keyword means that all traffic from the VPN will be routed towards the hop you configure on that static route with the "tunneled" keyword.

I wouldn't configure it that way as it will route all the way to that inside router and back out again via the ASA which really will take up resources on your ASA as it is just doing a loop in and out. It will also take up the unnecessary resource on your router if it is not supposed to route via that.

Also, if you just change the object to the following:

object network outside_pat
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic 66.xxx.xxx.xxx

and configure:

object network VPN-Pool-internet
  subnet 10.1.200.48 255.255.255.240
  nat (outside,outside) dynamic

Thank you for the reply. I am going to set up this change for Saturday morning. Here is going to be my setup. Note: as a best-practice recommendation I am no longer using IPs from the same subnet as the "inside" interface. I picked another range that is not within our network at all.

Using this network I have been able to connect to the internal network successfully. However, I cannot gain access to the network. Show route shows that the connected host has a route that looks like this:

S    10.251.0.34 255.255.255.255 [1/0] via 6x.2xx.2xx.1x, outside

interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 66.2xx.2xx.2x 255.255.255.240 standby 6x.2xx.2xx.3x
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.200.255 255.255.252.0 standby 10.1.200.254
!

****************I am going to change this part**************

object network outside_pat
subnet 0.0.0.0 0.0.0.0
nat (any,outside) dynamic 6x.2xx.2xx.2x

*********** change To ******************

nat (inside,outside) dynamic 6x.2xx.2xx.2x
!
object network AnyConnect
subnet 10.251.0.32 255.255.255.240 (This is a totally different network; no VLAN is created for this network, and it is strictly going to be used for Cisco AnyConnect)

So I will add the following here:

nat (outside,outside) dynamic 6x.2xx.2xx.2x (Different IP from the range the ISP gave us)
!
object-group network Inside_Net
network-object 192.168.0.0 255.255.255.0
network-object 10.1.4.0 255.255.255.0
network-object 10.1.5.0 255.255.255.0
network-object 10.1.8.0 255.255.255.0
network-object 10.1.48.0 255.255.252.0
network-object 10.1.128.0 255.255.252.0
network-object 10.1.132.0 255.255.252.0
network-object 10.1.136.0 255.255.252.0
network-object 10.1.160.0 255.255.252.0
network-object 10.1.200.0 255.255.252.0
!
ip local pool AnyConnect_DHCP 10.251.0.34-10.251.0.46 mask 255.255.255.240
nat (inside,outside) source static Inside_Net Inside_Net destination static AnyConnect AnyConnect
!
route outside 0.0.0.0 0.0.0.0 6x.2xx.2xx.1x 1
route inside 10.1.4.0 255.255.255.0 10.1.200.1 1
route inside 10.1.5.0 255.255.255.0 10.1.200.1 1
route inside 10.1.7.0 255.255.255.0 10.1.200.1 1
route inside 10.1.8.0 255.255.255.0 10.1.200.1 1
route f5_pub 10.1.14.0 255.255.255.0 10.1.13.240 1
route inside 10.1.48.0 255.255.252.0 10.1.200.1 1
route inside 10.1.128.0 255.255.252.0 10.1.200.1 1
route inside 10.1.132.0 255.255.252.0 10.1.200.1 1
route inside 10.1.136.0 255.255.252.0 10.1.200.1 1
route inside 10.1.160.0 255.255.252.0 10.1.200.1 1
route inside 10.1.250.0 255.255.255.0 10.1.200.1 1
route inside 172.16.1.0 255.255.255.0 10.1.200.1 1
route inside 192.168.0.0 255.255.255.0 10.1.200.1 1
!
ssl server-version tlsv1-only
ssl client-version tlsv1-only
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 192.168.0.2 192.168.0.12
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelall
default-domain value domain.com
webvpn
  anyconnect profiles value AnyConnect_client_profile type user
!
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool AnyConnect_DHCP
authentication-server-group RADIUS
default-group-policy GroupPolicy_AnyConnect
password-management
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable

Looks good to me.

Let us know how it goes after the changes.

Please remember to "clear xlate" after you make all the necessary changes.

Jennifer, thank you so much, that was it: the "any" keyword in there was causing the issue. It is working now; I can access everything inside, and Internet traffic is being tunneled through the VPN as well. Thanks so much, you rock.

Great news and thanks for the update and ratings.
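The configuration the thread converged on, assembled as one added example that is neither the poster's final config nor Cisco's documentation: the hairpin ("u-turn") of tunnel-all AnyConnect traffic on ASA 8.4, with the `any` keyword removed from the inside PAT rule and a separate PAT rule for the pool on the outside interface. Public addresses are placeholders from the 203.0.113.0/28 documentation range standing in for the masked ISP block; the pool and inside networks are the thread's. The `no-proxy-arp route-lookup` keywords on the identity rule are an addition the thread does not discuss (they need 8.4(2) or later), and the packet-tracer lines at the end are the check to run before and after the change window.

```cisco
! Added example (not from the thread). ASA 8.4, AnyConnect tunnel-all with
! Internet hairpinned back out of the outside interface.
! 203.0.113.0/28 = placeholder for the ISP block; .1 is the ISP router.
!
! Decrypted client traffic enters on outside and must leave on outside.
same-security-traffic permit intra-interface
!
! Client pool on a subnet that exists nowhere inside the network.
ip local pool AnyConnect_DHCP 10.251.0.34-10.251.0.46 mask 255.255.255.240
!
object network AnyConnect
 subnet 10.251.0.32 255.255.255.240
 ! PAT for pool -> Internet. A spare public IP keeps this flow apart from
 ! the inside users' PAT; "dynamic interface" would reuse the outside IP.
 nat (outside,outside) dynamic 203.0.113.10
!
object network outside_pat
 subnet 0.0.0.0 0.0.0.0
 ! Was "nat (any,outside)". "any" also matches packets arriving on outside,
 ! so the 0.0.0.0/0 object could be picked for the pool flow in one
 ! direction while the pool rule was picked in the other, which the ASA
 ! logs as %ASA-5-305013 (NAT reverse path failure). Pin it to inside.
 nat (inside,outside) dynamic 203.0.113.5
!
object-group network Inside_Net
 network-object 192.168.0.0 255.255.255.0
 network-object 10.1.4.0 255.255.255.0
 network-object 10.1.5.0 255.255.255.0
 network-object 10.1.8.0 255.255.255.0
 network-object 10.1.48.0 255.255.252.0
 network-object 10.1.128.0 255.255.252.0
 network-object 10.1.132.0 255.255.252.0
 network-object 10.1.136.0 255.255.252.0
 network-object 10.1.160.0 255.255.252.0
 network-object 10.1.200.0 255.255.252.0
!
! Identity NAT so inside <-> pool traffic is never translated (section 1,
! evaluated before the object rules above). no-proxy-arp stops the ASA
! answering ARP for inside hosts on outside; route-lookup uses the routing
! table for the egress decision. Both keywords: 8.4(2) or later.
nat (inside,outside) source static Inside_Net Inside_Net destination static AnyConnect AnyConnect no-proxy-arp route-lookup
!
! Ordinary default route; no "tunneled" route is needed because the pool
! traffic is routed by the same table as everything else.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Verification from exec mode after "clear xlate":
!   show nat detail
!   packet-tracer input outside tcp 10.251.0.34 40000 198.51.100.1 443
!     -> expect NAT phase to hit object AnyConnect (outside,outside), ALLOW
!   packet-tracer input outside tcp 10.251.0.34 40000 10.1.4.10 445
!     -> expect the identity rule, no translation, egress inside, ALLOW
```

If the first packet-tracer shows the `outside_pat` rule or a NAT-RPF drop, a rule with `any` or a wider subnet is still sorting ahead of the pool object; `show nat detail` lists the rules in the order the ASA evaluates them.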