Cisco Anyconnect

vaibhav58
Level 1

Hi,

Can we use the Anyconnect pool same as the LAN pool? I only have one LAN and one WAN interface so  this is the only option available.

Cisco asa 5505

IOS: 8.2(5)

Regards

Vaibhav

7 Replies

You can use a pool from the local LAN for your VPN-clients. Just make sure that these addresses are not part of a DHCP pool that hands out addresses to your internal devices.

You can also use a different pool that has nothing to do with your LAN. The VPN-Pool doesn't have to be part of any network on the ASA.

In any case you also have to make sure that traffic to the VPN-pool is exempted from NAT on the ASA.

Hi Karsten,

Thanks for your reply. 

My LAN range is 192.168.0.0 255.255.255.0 and VPN pool is 192.168.0.185-192.168.0.210.

Since both the ranges are on the inside interface of the firewall, how can I make a NAT rule to exempt traffic?

What I see now is that for the IP which I get from the VPN pool, it says the route to reach it is from the external interface.

Ex: if I get 192.168.0.190, running show route shows

192.168.0.190 via ISP

> The VPN-Pool doesn't have to be part of any network on the ASA.

Can I use any subnet, say 192.168.1.0 255.255.255.0, and it doesn't have to be on my network?

I have used split tunneling so I can go to the internet without any issue but cannot access any of the LAN resources.

Thank you again!!

Regards

Vaibhav

> My LAN range is 192.168.0.0 255.255.255.0 and VPN pool is 192.168.0.185-192.168.0.210.

Sometimes it's better to align pools like these at subnet-borders. With that it's easier to filter on this range.

> Since both the ranges are on the inside interface of firewall, how can i make a NAT rule to exempt traffic. 

The easiest way is to exempt all internal addresses. Then you can later adjust your pool and don't have to change any NAT:

object network LAN
 subnet 192.168.0.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static LAN LAN

> Can i use any subnet say 192.168.1.0 255.255.255.0 and it doesnt has to be on my network?

Correct, just make sure that the network 192.168.1.0 is routed to your ASA. Most of the time this is automatically done with the default-route or default-gateway.

> I have used split tunneling so i can go to internet without any issue  but cannot access any of the LAN resource.

This is very often related to a missing or wrong nat-exemption.
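Karsten's NAT lines above use the 8.3+ object syntax; the ASA 8.2(5) in the original question expresses NAT exemption as `nat (inside) 0 access-list` instead. The following is an added example, not configuration from the thread, showing both pool options from this discussion in 8.2 syntax; the DHCP range, the pool, ACL and group-policy names are assumptions, and lines starting with `!` are comments.

```cisco
! --- Option A: pool carved out of the LAN subnet (192.168.0.0/24) ---
! Keep the VPN pool outside the range the ASA's own DHCP server hands out
! (assumed DHCP range; adjust to the real one).
dhcpd address 192.168.0.10-192.168.0.180 inside
ip local pool VPNPOOL 192.168.0.185-192.168.0.210 mask 255.255.255.0

! 8.2-style NAT exemption: inside-to-inside traffic is never translated.
! Covering the whole LAN once means the pool can be moved later without touching NAT.
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- Option B: a pool that is not part of any ASA network ---
! ip local pool VPNPOOL 192.168.20.1-192.168.20.254 mask 255.255.255.0
! access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
! nat (inside) 0 access-list NONAT
! LAN hosts must route 192.168.20.0/24 to the ASA (usually true when it is their default gateway).

! Split tunnel: only the LAN goes through the tunnel, Internet traffic stays local.
! If the LAN is missing from this list, clients reach the Internet but not LAN resources.
access-list SPLIT standard permit 192.168.0.0 255.255.255.0
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 address-pools value VPNPOOL

! Checks once a client is connected:
! show access-list NONAT   -> hit counts rise when the client talks to the LAN
! show route               -> the client shows as a /32 host route via the outside interface;
!                             that is normal for a connected VPN client, not a misrouting
```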

Hi Karsten,

So I made a new pool (random) for VPN, 192.168.20.0 255.255.255.0. VPN connects and I can now ping my internal IP address.

I have configured Cisco Jabber to work on this when on AnyConnect. Jabber works and the call goes through, but the audio is only one way (second phone to my phone but not vice versa).

Any reason you can think of this might be happening?

Thank you for your help so far.

Regards

Vaibhav

To understand the problem:

  • It works between a VPN-Client and local systems?
  • It only works one way from VPN-client to VPN-client?

> It only works one way from VPN-client to VPN-client?

We use Jabber for the VPN client to call anyone. The other party can hear my voice but not me.

I also cannot connect to my firewall's internal IP 192.168.0.1 whilst on VPN.

Is there any other configuration that might be missing?

Summary:

LAN: 192.168.0.1 255.255.255.0

VPN Pool : 192.168.20.0 255.255.255.0

NAT exempt is there from LAN to VPN.

I have a feeling that there could be a route problem, but I'm not sure. I can post my config if needed.

Regards

Vaibhav

Hi All,

This issue is sorted now. I used the subnet from my LAN as my pool and created a no-NAT from the internal subnet to the internal subnet.

This resolved the issue.

Thanks everyone involved.

Regards

Vaibhav