11-16-2015 02:23 PM - edited 02-21-2020 08:33 PM
I’m an ASA noob, looking for help getting our AnyConnect clients able to connect to resources in a remote network.
We’re using a virtual ASA in the Amazon Web Services (AWS) cloud. We have two Private Virtual Clouds with AWS, which you can think of like two different office locations.
Our ASA is in location/cloud A. Clients can connect successfully to the ASA using AnyConnect, and they are able to access resources on the local LAN for location/cloud A.
Location/cloud A and location/cloud B are connected via a network link, but not using IPSec – rather they are using Amazon’s “peering” technology to connect private clouds. The important point is that network resources in both locations can access resources in the other location, so all the proper routing is in place, and there is no firewall or ACL in place between locations/clouds.
The problem is that AnyConnect clients cannot access anything in location/cloud B.
As a test, we took the Cisco ASA out of the picture and dropped a Fortinet firewall into place, using all the same IP addresses that the ASA had. Remote access VPN clients connecting to the Fortinet were able to access resources in location/cloud B. Point being, we know the issue is something with the ASA config, and not an Amazon routing issue, otherwise the Fortinet would not have worked.
The network for location/cloud A is 10.245.0.0/16
The network for location/cloud B is 10.225.0.0/16
The IP Pool used by AnyConnect clients is 10.242.2.0
Below is a copy of the sanitized config. Any help would be greatly appreciated!
ciscoasa# sh run
: Saved
:
: Serial Number: xxxxxxxx
: Hardware: ASAv, 4096 MB RAM, CPU Xeon E5 series 2800 MHz, 1 CPU (2 cores)
:
ASA Version 9.4(1)200
!
hostname ciscoasa
domain-name OUR_DOMAIN.COM
enable password xxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
name 129.6.15.28 time-a.nist.gov
name 129.6.15.29 time-b.nist.gov
name 129.6.15.30 time-c.nist.gov
ip local pool SSLVPN-Pool 10.242.2.10-10.242.2.50 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 10.245.200.25 255.255.255.0
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.245.100.10 255.255.255.0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.245.110.60 255.255.255.0
!
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.145.100.191
name-server 8.8.8.8
domain-name OUR_DOMAIN.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.242.2.0_26
subnet 10.242.2.0 255.255.255.192
object network LAN-Subnet
subnet 10.245.0.0 255.255.0.0
object network Remote-Subnet
subnet 10.225.0.0 255.255.0.0
access-list Inside_access_in extended permit ip any any
access-list VPN_Tunneled_Subnets standard permit 10.245.0.0 255.255.0.0
access-list VPN_Tunneled_Subnets standard permit 10.225.0.0 255.255.0.0
access-list VPN_Tunneled_Subnets standard permit 10.242.2.0 255.255.255.0
pager lines 23
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source dynamic any interface
nat (management,Outside) source dynamic any interface
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_10.242.2.0_26 NETWORK_OBJ_10.242.2.0_26 no-proxy-arp route-lookup
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 10.245.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server DUO-LDAP protocol ldap
aaa-server DUO-LDAP (Outside) host api-xxxxxxx.duosecurity.com
timeout 60
server-port 636
ldap-base-dn dc=xxxxxxxxxxx,dc=duosecurity,dc=com
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn dc=Dxxxxxxxx,dc=duosecurity,dc=com
ldap-over-ssl enable
server-type auto-detect
aaa-server ACTIVE_DIRECTORY protocol ldap
aaa-server ACTIVE_DIRECTORY (Inside) host 10.245.x.x
ldap-base-dn DC=domain,DC=dc
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=duo,OU=Service_Accounts,DC=domain,DC=dc
server-type auto-detect
user-identity default-domain LOCAL
http server enable
http x.x.x.0 255.255.255.0 management
http x.x.x.0 255.255.255.0 Inside
http x.x.x.0 255.255.0.0 Inside
http x.x.x.0 255.255.255.0 Outside
http x.x.x.0 255.255.255.0 Outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=52.3.201.44,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=52.21.51.46,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 23cc4456
b9da2ecf 6baa411f 00c31d3f 26347e27 4e44e3b2 071ba0d2 d96d9513 86df2eda
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1
certificate d5d24456
308202ce 308201b6 a0030201 020204d5 d2445630 0d06092a 864886f7 0d010105
quit
telnet timeout 5
ssh stricthostkeycheck
ssh x.x.x.0 255.255.255.0 Outside
ssh x.x.x.0 255.255.255.0 Outside
ssh x.x.x.0 255.255.255.0 Inside
ssh x.x.x.0 255.255.0.0 Inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server time-c.nist.gov
ntp server time-b.nist.gov
ntp server time-a.nist.gov
ssl trust-point ASDM_Launcher_Access_TrustPoint_1
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 Outside
webvpn
enable Outside
anyconnect image disk0:/anyconnect-win-4.1.08005-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-4.1.08005-k9.pkg 2
anyconnect profiles DUO-Client-Profile disk0:/duo-client-profile.xml
anyconnect enable
tunnel-group-list enable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client ssl-clientless
webvpn
anyconnect profiles value DUO-Client-Profile type user
group-policy GroupPolicy_OUR_ORG-AnyConnect internal
group-policy GroupPolicy_OUR_ORG-AnyConnect attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Tunneled_Subnets
default-domain value iris-poc.dc
dynamic-access-policy-record DfltAccessPolicy
username admin xxxxxx privilege 15
username admin attributes
service-type admin
ssh authentication publickey 4b:95:73:4a:82:1d:ea:7a:43:e1:43:4f:fb:69:36:2d:90:48:3d:56:16:1a:82:f3:93:30:85:59:51:8f:1e:b8 hashed
username xxxx password xxxxx encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group ACTIVE_DIRECTORY
secondary-authentication-server-group DUO-LDAP use-primary-username
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias & disable
group-alias DUO disable
group-alias DUO-LDAP enable
group-alias LDAP disable
tunnel-group OUR_ORG-AnyConnect type remote-access
tunnel-group OUR_ORG-AnyConnect general-attributes
address-pool SSLVPN-Pool
authentication-server-group ACTIVE_DIRECTORY
authentication-server-group (Outside) ACTIVE_DIRECTORY
default-group-policy GroupPolicy_OUR_ORG-AnyConnect
tunnel-group OUR_ORG-AnyConnect webvpn-attributes
group-alias OUR_ORG-AnyConnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
inspect http
inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 7
subscribe-to-alert-group configuration periodic monthly 7
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:427400fa6f2ef8b6f8e592993a576515
: end
ciscoasa#
11-17-2015 08:43 AM
Steve,
Given the ASA configuration, all traffic for cloud B would go via the outside interface. Is that the desired path? If so, you need an identity NAT (Exemption) for the VPN client pool for 'outside,outside'
11-17-2015 10:45 AM
Marvin,
Thanks for the tip. I'm not quite clear on the exact syntax I'd need to make this work. Would you mind telling me the exact command I'd need to enter?
I tried both of the below commands, but neither made any difference:
nat (Outside,Outside) source static NETWORK_OBJ_10.242.2.0_26 NETWORK_OBJ_10.242.2.0_26 no-proxy-arp
nat (Outside,Outside) source static any any destination static NETWORK_OBJ_10.242.2.0_26 NETWORK_OBJ_10.242.2.0_26 no-proxy-arp
11-17-2015 08:59 PM
Try this syntax:
nat (Outside,Outside) source static NETWORK_OBJ_10.242.2.0_26 NETWORK_OBJ_10.242.2.0_26 destination static Remote-Subnet Remote-Subnet
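The hairpin exemption Marvin describes, written out against the objects already present in Steve's posted config, together with the ASA commands that show whether the flow actually takes that path. This is an added example for readers of the thread, not a command set posted by either participant; the cloud B host 10.225.1.10 and the pool address 10.242.2.10 are a constructed test flow.

```cisco
! Pool-to-cloud-B traffic arrives on Outside (decrypted from the AnyConnect
! session) and, with only the default route configured, leaves via Outside
! again. That is a hairpin, and two conditions must hold for the ASA to forward it.

! 1. Hairpinning on a single interface must be allowed (already in the posted config).
same-security-traffic permit intra-interface

! 2. An identity (exemption) twice-NAT rule for the Outside,Outside flow, so the
!    pool addresses are preserved in both directions. NETWORK_OBJ_10.242.2.0_26
!    (10.242.2.0/26) covers SSLVPN-Pool (.10-.50); Remote-Subnet is 10.225.0.0/16.
nat (Outside,Outside) source static NETWORK_OBJ_10.242.2.0_26 NETWORK_OBJ_10.242.2.0_26 destination static Remote-Subnet Remote-Subnet no-proxy-arp route-lookup

! Verification with a constructed flow: pool client 10.242.2.10 to a cloud B
! host 10.225.1.10 on tcp/443. packet-tracer walks route lookup, ACL and NAT and
! reports which phase, if any, drops the packet.
packet-tracer input Outside tcp 10.242.2.10 40000 10.225.1.10 443 detailed

! Live confirmation: while a connected client reaches into cloud B, the new rule's
! translate_hits should climb and an identity xlate for the client should appear.
! A counter stuck at 0 means the flow matched another rule or was dropped before NAT.
show nat detail
show xlate
```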