11-26-2013 02:24 AM - edited 02-21-2020 07:20 PM
Hi Guys,
I'm currently setting up a Cisco AnyConnect SSL VPN for the first time on a Cisco ASA 5505.
I have attached my topology.
I have run the wizard from the ASDM on the ASA2 that I want to use for my VPN connections.
Everything works well except that I can't access any internal servers/computers on my network.
Do I need to do some specific configuration because my servers have a different default gateway from the ASA I use for my VPN?
I have access from the ASA2 to the whole 192.168.10.0 network.
my remote ip pool is 10.0.0.1-10.0.0.10/24
config (I've included what I think is necessary, please let me know if you need to see more):
ASA Version 9.1(2)8
sysopt connection permit-vpn
access-list split-tunnel standard permit 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0
subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.0.0 NETWORK_OBJ_10.0.0.0 no-proxy-arp route-lookup
group-policy GroupPolicy_vpn internal
group-policy GroupPolicy_vpn attributes
wins-server value 192.168.10.20
dns-server value 192.168.10.15
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value domain.local
webvpn
anyconnect profiles value PROFILE type user
tunnel-group tunnel_vpn type remote-access
tunnel-group tunnel_vpn general-attributes
address-pool ra_vpn_pool
default-group-policy GroupPolicy_vpn
tunnel-group tunnel_vpn webvpn-attributes
group-alias tunnel_vpn enable
!
Thanks in advance!
11-26-2013 02:40 AM
Hi,
The device behind your ASAs on the internal LAN should really be a Router or L3 switch and not a basic L2 switch.
You now have asymmetric routing in your network and this is the reason the connection from the VPN device won't work.
The problem comes from the fact that the internal devices use the ASA1 for the default gateway. When a connection is attempted from the VPN Client, the following happens
As a workaround you would essentially have to configure TCP State Bypass on the ASA1, though I wouldn't really suggest that but rather change the network setup so the traffic won't flow this way to begin with.
One option, even though not the best, would be to attach the LAN side of the ASA2 to the ASA1 on some physical port and configure a new link network between them (not the same 192.168.10.x/yy). This way the ASA1 would see the whole conversation between the servers and the VPN Clients and there would be no problems with traffic flow.
But as I said this still probably isn't the best solution but in my opinion better than resorting to special configurations on ASA1.
There might be one "special" configuration on the ASA2 that you could use to make the VPN Client connections work in their current setup without changing anything in the physical topology.
You could change the NAT configuration for VPN Clients so that ALL VPN users would actually be PATed to the IP address 192.168.10.4 when they connect to your internal network. Since the servers would see the connection coming from the same network segment they would know to forward the return traffic back to ASA2 rather than ASA1 as it is now.
Though this is not an ideal solution either.
no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.0.0 NETWORK_OBJ_10.0.0.0 no-proxy-arp route-lookup
object network LAN
subnet 192.168.10.0 255.255.255.0
nat (outside,inside) 1 source dynamic NETWORK_OBJ_10.0.0.0 interface destination static LAN LAN
Hope this helps
- Jouni
11-26-2013 05:05 AM
Hi,
I deal so little with switches that I am not sure about the model/software related abilities of the switches.
It would seem to me that the easiest solution at the moment that would require the least amount of changes would be the NAT configuration change I suggest in the original reply.
Essentially it suggested replacing the NAT0 with a Dynamic PAT that would PAT all the VPN Client users to the interface IP address of the VPN device's internal interface. This should make it possible for the users to access the servers through VPN without running into routing problems. The simple reason for this would be that the VPN Client user connections would be visible to the internal network with the IP address 192.168.10.4.
- Jouni
11-26-2013 04:18 AM
Hi again Jouni :-)
Thanks for your quick and great replies!
They are connected to a Cisco 2960S with version 12.2(55)SE3. I know this is a L2 switch but I have read that it's possible to route if you're running version 12.2(55), please correct me if I'm wrong!
Do you think there is anything I can do with this?
11-26-2013 05:36 AM
Hi,
That worked great, thanks!
Is there any disadvantage to having Dynamic PAT instead of configuring ASA1 for the VPN connections?
11-26-2013 05:49 AM
Hi,
I don't necessarily see any disadvantage in using this NAT configuration. It's a bit unusual as you usually configure NAT0 so that the VPN Client Pool and the LAN can communicate directly with their original IP addresses. This Dynamic Policy PAT essentially does prevent connections from LAN to VPN, but that is usually not required as the VPN Clients' whole purpose is to provide connectivity from Client to Server (while L2L VPN would be used more typically for bidirectional connection forming).
Naturally configuring the VPN connections on the ASA1 would provide the clearest setup configuration-wise. If you want to use ASA2 as the VPN gateway however then it would probably be wiser to think about setting up some kind of LAN router to avoid the above mentioned routing problems as it might become pretty hard to manage in the long run depending on how many VPN Connections are implemented.
The above configuration should do for now for the current setup but I would look into the possibility of changing the network setup so that no such routing problem could occur.
Some options to consider include the following at least:
Connect ASA2 to ASA1 through switch
Connect ASA2 LAN directly to ASA1 free port and configure the needed configurations just like above (without the switch involved naturally).
Set up a Router in the LAN and have it connected to the LAN and both of the ASAs. Configure the required routing, NAT, ACL related to this setup.
I didn't list any things regarding the last 2 options above since I am not sure if you are going to go with any of the setups.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
EDIT: Ah you had already marked the answers. Thank you for that
- Jouni
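The following is an added illustration of the asymmetric-routing problem Jouni describes in his first reply and of why the Dynamic PAT workaround fixes it; it is a constructed Python model, not Cisco code and not anything posted in the thread. It models two stateful firewalls on one L2 LAN: ASA1 as the servers' default gateway and ASA2 as the AnyConnect gateway with inside address 192.168.10.4 (from the thread). The server address 192.168.10.15 and client address 10.0.0.5 are taken from the posted config and pool range; ASA1's inside address 192.168.10.1 is an assumption, since the thread never states it. A client SYN is traced to the server and the server's SYN-ACK is traced back, once with the original NAT exemption, once with the PAT rule, and once with the TCP State Bypass workaround on ASA1.

```python
"""Model of the asymmetric-routing problem discussed in this thread.

Constructed example, not Cisco code and not anything posted by Jouni. Two
stateful firewalls share one L2 LAN: ASA1 is the servers' default gateway and
ASA2 terminates the AnyConnect clients. A client in the 10.0.0.0/24 pool sends
a TCP SYN to a server; we trace where the server's SYN-ACK goes and whether a
firewall that never saw the SYN drops it.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.10.0/24")
ASA1_INSIDE = "192.168.10.1"   # assumed; the thread never states ASA1's inside IP
ASA2_INSIDE = "192.168.10.4"   # from the thread: the address VPN users are PATed to
SERVER = "192.168.10.15"       # the dns-server value from the posted config
CLIENT = "10.0.0.5"            # an address inside the posted ra_vpn_pool range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the first packet of a TCP connection


@dataclass
class Firewall:
    name: str
    inside_ip: str
    tcp_state_bypass: bool = False           # the ASA1 workaround Jouni mentions
    conns: set = field(default_factory=set)  # 5-tuples seen client -> server
    pat: dict = field(default_factory=dict)  # (orig src, orig sport) -> PAT port
    next_port: int = 20000

    def outbound(self, pkt: Packet, use_pat: bool) -> Packet:
        """Client -> LAN. Builds connection state and, with use_pat, rewrites the
        source to this firewall's inside interface, like the thread's
        'nat (outside,inside) ... source dynamic ... interface' rule."""
        if use_pat:
            key = (pkt.src, pkt.sport)
            if key not in self.pat:
                self.next_port += 1
                self.pat[key] = self.next_port
            pkt = Packet(self.inside_ip, self.pat[key], pkt.dst, pkt.dport, pkt.syn)
        self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt: Packet):
        """LAN -> client. Returns the packet to forward (un-PATed if needed), or
        None when a non-SYN packet matches no connection: the 'no connection'
        drop on the firewall that never saw the SYN."""
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            for (osrc, osport), tport in self.pat.items():
                if pkt.dst == self.inside_ip and pkt.dport == tport:
                    return Packet(pkt.src, pkt.sport, osrc, osport, pkt.syn)
            return pkt
        if self.tcp_state_bypass or pkt.syn:
            return pkt
        return None


def server_next_hop(dst: str) -> str:
    """The server knows only its own subnet (the switch is L2 only); anything
    else is handed to its default gateway, ASA1."""
    return dst if ip_address(dst) in LAN else ASA1_INSIDE


def run(use_pat: bool, asa1_bypass: bool = False) -> dict:
    """Trace one client->server SYN and the server's SYN-ACK back."""
    asa1 = Firewall("ASA1", ASA1_INSIDE, tcp_state_bypass=asa1_bypass)
    asa2 = Firewall("ASA2", ASA2_INSIDE)
    on_lan = asa2.outbound(Packet(CLIENT, 40000, SERVER, 53, syn=True), use_pat)
    reply = Packet(SERVER, 53, on_lan.src, on_lan.sport, syn=False)
    via = asa2 if server_next_hop(reply.dst) == ASA2_INSIDE else asa1
    forwarded = via.inbound(reply)
    return {
        "reply_dst": reply.dst,       # the source address the server saw
        "reply_via": via.name,        # which firewall the reply lands on
        "forwarded_to": None if forwarded is None else forwarded.dst,
    }


if __name__ == "__main__":
    # With state bypass ASA1 no longer drops the reply, but in a real network it
    # would still need a route back to the pool, which the thread does not cover.
    for label, kw in [("NAT exempt (original config)", {"use_pat": False}),
                      ("Dynamic PAT to 192.168.10.4", {"use_pat": True}),
                      ("NAT exempt + TCP state bypass on ASA1",
                       {"use_pat": False, "asa1_bypass": True})]:
        print(f"{label}: {run(**kw)}")
```

The first run shows the failure mode from the thread: the server addresses its reply to 10.0.0.5, hands it to ASA1, and ASA1 drops it because it has no connection entry for a flow whose SYN went through ASA2. With PAT the server replies to 192.168.10.4, an on-link address, so the reply reaches ASA2, which holds the state and restores the client's real address and port.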
11-26-2013 08:13 AM
Hi Jouni,
Thanks for your awesome assistance and detailed replies! :-)
I decided to stick with the dynamic pat configuration, I have tried it now and it works great!
Have a nice day