10-26-2012 04:18 PM - edited 02-21-2020 06:26 PM
I'm in the process of deploying Cisco AnyConnect. Most of it is configured and functional. Just a couple of things I am trying to figure out and can't seem to find any documentation on. I'm running 8.4 code on my ASA and AnyConnect version 3.1. My firewall's gi0/0 is connected to the ISP router with a public IP. We have 16 IPs from the ISP.
1- I want to use a different IP address, not the interface IP address, for the AnyConnect login page. So for instance if my interface IP is 1.1.1.1/28 and my standby is 1.1.1.2/28, I want the IP for the VPN service to be 1.1.1.10/28.
********** I think it might not be possible because AnyConnect will use the interface IP only, correct? **********
2- I want to be able to give users Internet access once they log in, but I want all the Internet traffic to go through the tunnel as well. Under Group Policy --> Advanced --> Split Tunneling I tried to change the "Policy" setting to Tunnel All; the Internet does not work. When I choose Tunnel Network List Below and choose only the VPN network, it works, but it goes through the local Internet. I understand this requires a U-turn. This is how the outgoing PAT is set up.
******* Now since there is a PAT setup for all inside traffic to use the IP like this ***********
object network outside_pat
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic 1.1.1.5
***** VPN DHCP pool is from one of the internal subnets and there is a NAT setup like this *****
nat (inside,outside) source static InsideNetworks InsideNetworks destination static VPNPOOL VPNPOOL
I am not quite sure what I need to do to get this accomplished. I looked at this document, http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml. But it looks like, according to that document, just PATing the VPN pool to the global NAT for outgoing traffic should do the trick, but that is technically already done in my case because the VPNPOOL is part of the inside traffic.
3- TLS v1 and SSL 3.0. When I try to choose TLS v1 only for server and client I get an error message, but it does change. Now I disabled TLS v1 and SSL 3.0 in my browser and I was still able to log in. Is that behavior normal?
10-27-2012 01:05 AM
1 - Yes, you are absolutely correct. AnyConnect, or any other VPN on the ASA, can only be configured to connect to the interface IP, not any other spare IP address.
2 - In regards to this query, I would suggest that you configure a more specific PAT as follows:
object network vpn-pool
subnet
nat (outside,outside) dynamic 1.1.1.5
Also, you would need to configure: same-security-traffic permit intra-interface
This command allows u-turn traffic.
3 - This might need further investigation. What exactly did you configure on the "ssl server-version" command? And also pls run debugs to see what it says.
10-29-2012 09:15 AM
Jennifer thank you for the reply, on #2 you typed "nat (outside,outside) dynamic 1.1.1.5". I'm assuming it is supposed to be "nat (inside,outside) dynamic 1.1.1.5"?
10-29-2012 12:19 PM
#2 is correct, it should be "nat (outside,outside)" as the VPN traffic is terminating on the outside, and going outbound via the outside interface as well.
10-29-2012 01:24 PM
I did that. Of course I couldn't do it for the same 1.1.1.5 because it is already in use, so I used another IP address that is assigned to us. I set the AnyConnect options to "Tunnel All Traffic" and it's no use, I can't access the Internet.
This is the error I get when I try to reach anything outside:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to NAT reverse path failure.
An attempt to connect to a mapped host using its actual address was rejected.
10-29-2012 06:14 PM
1) Do you have "same-security-traffic permit intra-interface" configured?
2) Also, if you have any other NAT statement that has the "any" keyword, pls kindly modify it to use a more specific subnet, otherwise it will incorrectly match on a different NAT statement.
10-30-2012 09:59 AM
I actually have these two statements in there:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Here is the NAT configuration that might be causing the issue then, I guess. So you mean change the subnet from "0.0.0.0 0.0.0.0" to specific subnets? I guess I will have to change the way this is written completely and use twice NAT?
object network outside_pat
subnet 0.0.0.0 0.0.0.0
nat (any,outside) dynamic 66.xxx.xxx.xxx
I also have this that is exempting all the networks
object-group network Inside_Net
network-object 192.168.0.0 255.255.255.0
network-object 10.1.4.0 255.255.255.0
network-object 10.1.5.0 255.255.255.0
network-object 10.1.8.0 255.255.255.0
network-object 10.1.48.0 255.255.252.0
network-object 10.1.128.0 255.255.252.0
network-object 10.1.132.0 255.255.252.0
network-object 10.1.136.0 255.255.252.0
network-object 10.1.160.0 255.255.252.0
network-object 10.1.200.0 255.255.252.0
!
object network VPN-Pool
subnet 10.1.200.48 255.255.255.240
!
nat (inside,outside) source static Inside_Net Inside_Net destination static VPN-Pool VPN-Pool
10-31-2012 09:04 AM
Just a little update: I configured this on one of our other firewalls, where all the site-to-site VPNs terminate, and the scenario worked. However, it was getting to the Internet through the first firewall with our main ISP. I noticed that this VPN firewall, which is connected to ISP 2, had the following extra line in there:
S 0.0.0.0 0.0.0.0 [255/0] via 10.1.200.1, inside tunneled
Per the following two links:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b4f50d.shtml
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html
So perhaps I need to add that line on the first firewall, where I was originally testing AnyConnect?
route inside 0.0.0.0 0.0.0.0 10.1.200.1 inside tunneled
10-31-2012 02:40 PM
The route with the "tunneled" keyword means that all traffic from the VPN will be routed towards the hop you configure on that static route with the "tunneled" keyword.
I wouldn't configure it that way, as it will route all the way to that inside router and back out again via the ASA, which really will take up resources on your ASA as it is just doing a loop in and out. It will also take up unnecessary resources on your router if it is not supposed to route via that.
10-31-2012 02:42 PM
Also, if you just change the object to the following:
object network outside_pat
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic 66.xxx.xxx.xxx
and configure;
object network VPN-Pool-internet
subnet 10.1.200.48 255.255.255.240
nat (outside,outside) dynamic
11-02-2012 08:25 AM
Thank you for the reply. I am going to set up this change for Saturday morning. Here is going to be my setup. Note: as a best practice recommendation I am no longer using IPs from the same subnet as the "inside" interface. I picked out another range that is not within our network at all.
Using this network I have been able to connect to the internal network successfully. However, I cannot gain access to the network. Show route shows that the connected host has a route that looks like this:
S 10.251.0.34 255.255.255.255 [1/0] via 6x.2xx.2xx.1x, outside
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 66.2xx.2xx.2x 255.255.255.240 standby 6x.2xx.2xx.3x
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.200.255 255.255.252.0 standby 10.1.200.254
!
****************I am going to change this part**************
object network outside_pat
subnet 0.0.0.0 0.0.0.0
nat (any,outside) dynamic 6x.2xx.2xx.2x
*********** change To ******************
nat (inside,outside) dynamic 6x.2xx.2xx.2x
!
object network AnyConnect
subnet 10.251.0.32 255.255.255.240 (This is a totally different network, no VLAN created for this network strictly going to be used for Cisco Any Connect)
So I will add the following here:
nat (outside,outside) dynamic 6x.2xx.2xx.2x (Different IP from the range ISP gave us)
!
object-group network Inside_Net
network-object 192.168.0.0 255.255.255.0
network-object 10.1.4.0 255.255.255.0
network-object 10.1.5.0 255.255.255.0
network-object 10.1.8.0 255.255.255.0
network-object 10.1.48.0 255.255.252.0
network-object 10.1.128.0 255.255.252.0
network-object 10.1.132.0 255.255.252.0
network-object 10.1.136.0 255.255.252.0
network-object 10.1.160.0 255.255.252.0
network-object 10.1.200.0 255.255.252.0
!
ip local pool AnyConnect_DHCP 10.251.0.34-10.251.0.46 mask 255.255.255.240
nat (inside,outside) source static Inside_Net Inside_Net destination static AnyConnect AnyConnect
!
route outside 0.0.0.0 0.0.0.0 6x.2xx.2xx.1x 1
route inside 10.1.4.0 255.255.255.0 10.1.200.1 1
route inside 10.1.5.0 255.255.255.0 10.1.200.1 1
route inside 10.1.7.0 255.255.255.0 10.1.200.1 1
route inside 10.1.8.0 255.255.255.0 10.1.200.1 1
route f5_pub 10.1.14.0 255.255.255.0 10.1.13.240 1
route inside 10.1.48.0 255.255.252.0 10.1.200.1 1
route inside 10.1.128.0 255.255.252.0 10.1.200.1 1
route inside 10.1.132.0 255.255.252.0 10.1.200.1 1
route inside 10.1.136.0 255.255.252.0 10.1.200.1 1
route inside 10.1.160.0 255.255.252.0 10.1.200.1 1
route inside 10.1.250.0 255.255.255.0 10.1.200.1 1
route inside 172.16.1.0 255.255.255.0 10.1.200.1 1
route inside 192.168.0.0 255.255.255.0 10.1.200.1 1
!
ssl server-version tlsv1-only
ssl client-version tlsv1-only
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 192.168.0.2 192.168.0.12
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelall
default-domain value domain.com
webvpn
anyconnect profiles value AnyConnect_client_profile type user
!
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool AnyConnect_DHCP
authentication-server-group RADIUS
default-group-policy GroupPolicy_AnyConnect
password-management
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
11-02-2012 01:11 PM
Looks good to me.
Let us know how it goes after the changes.
Pls remember to "clear xlate" after you make all the necessary changes.
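As an added example (not from the thread or from Cisco), here is the "any" NAT layout that produced the %ASA-5-305013 message beside the corrected layout recommended above, followed by the checks that confirm the hairpin works after "clear xlate". The public addresses 203.0.113.5/.6 and the Internet host 198.51.100.10 are constructed placeholders; the object, group and pool names follow the ones used in the thread.

```cisco
! --- Before: object NAT with the "any" keyword ---
! A VPN client's reverse flow matches this rule instead of the
! identity NAT below, so the ASA logs %ASA-5-305013 and drops it.
! object network outside_pat
!  subnet 0.0.0.0 0.0.0.0
!  nat (any,outside) dynamic 203.0.113.5
!
! --- After: hairpin permitted, inside PAT and VPN-pool PAT kept separate ---
same-security-traffic permit intra-interface
!
object network outside_pat
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic 203.0.113.5
!
! VPN pool: enters on outside, leaves on outside, PATed to its own public IP
object network AnyConnect
 subnet 10.251.0.32 255.255.255.240
 nat (outside,outside) dynamic 203.0.113.6
!
! Identity (twice) NAT for pool <-> inside traffic; manual NAT is evaluated
! before object NAT, so this wins for internal destinations.
nat (inside,outside) source static Inside_Net Inside_Net destination static AnyConnect AnyConnect
!
! Flush the old translations so the new rules are used
clear xlate
!
! Check 1: simulate a VPN client (10.251.0.34) reaching an Internet host and
! confirm the NAT phase of the trace shows the (outside,outside) rule.
packet-tracer input outside tcp 10.251.0.34 40000 198.51.100.10 80
!
! Check 2: confirm rule order and hit counts, then watch for the
! asymmetric-NAT message while a client browses.
show nat detail
show logging | include 305013
```

If 305013 keeps appearing, look for any remaining NAT statement that still uses "any" as its real interface.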
11-04-2012 12:42 PM
Jennifer, thank you so much, that was it: the "any" keyword in there was causing the issue. It is working now; I can access everything inside, and Internet traffic is being tunneled through the VPN as well. Thanks so much, you rock.
11-04-2012 01:20 PM
Great news and thanks for the update and ratings.