Cisco AnyConnect SSL VPN

Robin Olofsson (Level 1)

Hi Guys,

I'm currently setting up a Cisco AnyConnect SSL VPN for the first time on a Cisco ASA 5505.

I have attached my topology.

I have run the wizard from the ASDM on the ASA2 that I want to use for my VPN connections.

Everything works well except that I can't access any internal servers/computers on my network.

Do I need to do some specific configuration because my servers have a different default gateway from the ASA I use for my VPN?

I have access from the ASA2 to the whole 192.168.10.0 network.

My remote IP pool is 10.0.0.1-10.0.0.10/24.

Config (I've included what I think is necessary, please let me know if you need to see more):

ASA Version 9.1(2)8
sysopt connection permit-vpn
access-list split-tunnel standard permit 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.0.0 NETWORK_OBJ_10.0.0.0 no-proxy-arp route-lookup
group-policy GroupPolicy_vpn internal
group-policy GroupPolicy_vpn attributes
 wins-server value 192.168.10.20
 dns-server value 192.168.10.15
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value domain.local
 webvpn
  anyconnect profiles value PROFILE type user
tunnel-group tunnel_vpn type remote-access
tunnel-group tunnel_vpn general-attributes
 address-pool ra_vpn_pool
 default-group-policy GroupPolicy_vpn
tunnel-group tunnel_vpn webvpn-attributes
 group-alias tunnel_vpn enable
!

Thanks in advance!

6 Replies

Jouni Forss (VIP Alumni)

Hi,

The device behind your ASAs on the internal LAN should really be a Router or L3 switch and not a basic L2 switch.

You now have asymmetric routing in your network and this is the reason the connection from the VPN device won't work.

The problem comes from the fact that the internal devices use the ASA1 for the default gateway. When a connection is attempted from the VPN Client, the following happens:

  • VPN Client host sends TCP SYN which arrives through the VPN to ASA2
  • ASA2 passes the TCP SYN to the Server
  • Server replies with TCP SYN ACK to the VPN Client and sends this information to the ASA1 as the destination host is in another network (vpn pool network)
  • ASA1 sees the TCP SYN ACK but has never seen the TCP SYN so it drops the connection.

As a workaround you would essentially have to configure TCP State Bypass on the ASA1, though I wouldn't really suggest that but rather change the network setup so the traffic won't flow this way to begin with.

One option, even though not the best, would be to attach the LAN side of the ASA2 to the ASA1 on some physical port and configure a new link network between them (not the same 192.168.10.x/yy). This way the ASA1 would see the whole conversation between the servers and the VPN Clients and there would be no problems with traffic flow.

But as I said this still probably isn't the best solution but in my opinion better than resorting to special configurations on ASA1.

There might be one "special" configuration on the ASA2 that you could use to make the VPN Client connections work in their current setup without changing anything in the physical topology.

You could change the NAT configuration for VPN Clients so that ALL VPN users would actually be PATed to the IP address 192.168.10.4 when they connect to your internal network. Since the servers would see the connection coming from the same network segment they would know to forward the return traffic back to ASA2 rather than ASA1 as it is now.

Though this is not an ideal solution either.

no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.0.0 NETWORK_OBJ_10.0.0.0 no-proxy-arp route-lookup
object network LAN
 subnet 192.168.10.0 255.255.255.0
nat (outside,inside) 1 source dynamic NETWORK_OBJ_10.0.0.0 interface destination static LAN LAN

Hope this helps

- Jouni
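Added example (not code from this thread or from Cisco): a small packet-walk model of the three arrangements described in the reply above, and spelled out step by step in the later reply. It runs one TCP handshake from a VPN client to a server and shows why a stateful firewall drops the SYN-ACK in the poster's original setup, what the dynamic PAT to 192.168.10.4 changes, what the link-network option changes, and what TCP state bypass costs (the connection completes, but ASA1 holds no state for it). Addresses come from the thread (LAN 192.168.10.0/24, servers default-gateway to ASA1, ASA2 inside 192.168.10.4, pool 10.0.0.0/24, server 192.168.10.20); the client address 10.0.0.5 and a route on ASA1 for the pool pointing back at ASA2 (needed in the "bypass" and "link" cases) are assumptions.

```python
"""Toy packet walk for the asymmetric-routing problem in this thread.

Constructed example, not code from the thread or from Cisco. Thread addresses:
LAN 192.168.10.0/24 (default gateway ASA1), ASA2 inside 192.168.10.4 (the PAT
address), VPN pool 10.0.0.0/24, server 192.168.10.20. Assumed: client address
10.0.0.5, and a route on ASA1 for the pool back to ASA2 in the bypass/link modes.
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.10.0/24")
ASA2_INSIDE = ip_address("192.168.10.4")
CLIENT = ip_address("10.0.0.5")           # constructed VPN pool address
SERVER = ip_address("192.168.10.20")


class StatefulFirewall:
    """Minimal stateful inspection: a SYN creates a flow entry, every other
    segment must match a known flow or it is dropped. TCP state bypass
    switches that check off (the workaround the reply advises against)."""

    def __init__(self, name, state_bypass=False):
        self.name = name
        self.state_bypass = state_bypass
        self.flows = set()
        self.dropped = []

    def inspect(self, src, dst, flags):
        if flags == "SYN":
            self.flows.add((src, dst))
            return True
        if self.state_bypass or (src, dst) in self.flows or (dst, src) in self.flows:
            return True
        self.dropped.append((str(src), str(dst), flags))
        return False


def simulate(mode):
    """Attempt one TCP handshake from the VPN client to the server.

    mode "nat0"   : the poster's config (identity NAT, asymmetric return path)
         "bypass" : same, with TCP state bypass on ASA1
         "pat"    : VPN users PATed to ASA2's inside address (the accepted fix)
         "link"   : ASA2's LAN side re-homed behind ASA1 over a link network
    """
    asa1 = StatefulFirewall("ASA1", state_bypass=(mode == "bypass"))
    asa2 = StatefulFirewall("ASA2")
    path = []

    # Forward direction: the SYN arrives through the tunnel on ASA2.
    src = ASA2_INSIDE if mode == "pat" else CLIENT   # dynamic PAT rewrites the source
    asa2.inspect(src, SERVER, "SYN")
    path.append("ASA2")
    if mode == "link":
        # ASA2 no longer sits on the LAN; it routes 192.168.10.0/24 via ASA1,
        # so ASA1 sees the SYN and builds state for this flow too.
        asa1.inspect(src, SERVER, "SYN")
        path.append("ASA1")
    path.append("server")

    # Return direction: the server chooses the next hop by destination address.
    if src in LAN:
        hops = [asa2]          # on-segment: delivered straight to 192.168.10.4
    else:
        hops = [asa1, asa2]    # off-segment: default gateway ASA1, then (assumed route) ASA2
    for fw in hops:
        path.append(fw.name)
        if not fw.inspect(SERVER, src, "SYN-ACK"):
            return {"mode": mode, "completed": False, "dropped_by": fw.name,
                    "path": path, "asa1_has_state": (src, SERVER) in asa1.flows}
    path.append("client")
    return {"mode": mode, "completed": True, "dropped_by": None, "path": path,
            "asa1_has_state": (src, SERVER) in asa1.flows}


def run_all():
    """Run every arrangement and return the outcomes keyed by mode."""
    return {mode: simulate(mode) for mode in ("nat0", "bypass", "pat", "link")}


if __name__ == "__main__":
    for mode, r in run_all().items():
        status = "OK  " if r["completed"] else "DROP"
        print(f"{mode:7s} {status} path={' > '.join(r['path'])}"
              f" asa1_has_state={r['asa1_has_state']}")
```

Running it prints one line per mode: "nat0" stops at ASA1 with the SYN-ACK dropped, "pat" completes without ASA1 ever being on the path, "link" completes with ASA1 holding state for the flow, and "bypass" completes while ASA1 has no state at all, which is the inspection you give up with that workaround.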

Hi again Jouni :-)

Thanks for your quick and great replies!

They are connected to a Cisco 2960S with version 12.2(55)SE3. I know this is a L2 switch but I have read that it's possible to route if you're running version 12.2(55), please correct me if I'm wrong!

Do you think there is anything I can do with this?

Hi,

I deal so little with switches that I am not sure about the model/software related abilities of the switches.

It would seem to me that the easiest solution at the moment that would require the least amount of changes would be the NAT configuration change I suggested in the original reply.

Essentially it suggested replacing the NAT0 with a Dynamic PAT that would PAT all the VPN Client users to the interface IP address of the VPN device's internal interface. This should make it possible for the users to access the servers through VPN without running into routing problems. The simple reason for this would be that the VPN Client user connections would be visible to the internal network with the IP address 192.168.10.4.

- Jouni

Hi,

That worked great, thanks!

Is there any disadvantage to having Dynamic PAT instead of configuring ASA1 for the VPN connections?

Hi,

I don't necessarily see any disadvantage in using this NAT configuration. It's a bit unusual as you usually configure NAT0 so that the VPN Client Pool and the LAN can communicate directly with their original IP addresses. This Dynamic Policy PAT essentially does prevent connections from LAN to VPN but that is usually not required as the VPN Clients' whole purpose is to provide connectivity from Client to Server (while L2L VPN would be used more typically for bidirectional connection forming).

Naturally configuring the VPN connections on the ASA1 would provide the clearest setup configuration wise. If you want to use ASA2 as the VPN gateway however then it would probably be wiser to think about setting up some kind of LAN router to avoid the above mentioned routing problems as it might become pretty hard to manage in the long run depending on how many VPN Connections are implemented.

The above configuration should do for now for the current setup but I would look into the possibility of changing the network setup so that no such routing problem could occur.

Some options to consider include the following at least:

Connect ASA2 to ASA1 through switch

  • Configure a new Vlan on the switch
  • Configure 2 free ports as Access ports to this new Vlan on the switch
  • Connect ASA1 free port on to one of these ports
  • Configure ASA1 new free port with a new link network (nameif, ip address, etc)
  • Connect ASA2 LAN port to this port.
  • Configure ASA2 LAN port with matching configurations to the ASA1 new free port (the new link network).
  • Configure ASA2 with a route telling that the network 192.168.10.0/24 is found behind the ASA1 interface IP address for this new link network
  • Configure all other related ACL, Routing, NAT on the devices to enable the traffic

Connect ASA2 LAN directly to ASA1 free port and configure the needed configurations just like above (without the switch involved naturally).

Set up a Router in the LAN and have it connected to the LAN and both of the ASAs. Configure the required routing, NAT, ACL related to this setup.

I didn't list any things regarding the last 2 options above since I am not sure if you are going to go with any of the setups.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

EDIT: Ah you had already marked the answers. Thank you for that

- Jouni

Hi Jouni,

Thanks for your awesome assistance and detailed replies! :-)

I decided to stick with the dynamic PAT configuration, I have tried it now and it works great!

Have a nice day