Communication problem from the vpn-anyconnect to easy-vpn-remote

Hi Team,

I have a communication problem from the vpn-anyconnect to the easy-vpn-remote; I'll explain it better below, and see the attached
topology:

1) VPN Tunnel between HQ to Branch Office - That´s OK
2) VPN Tunnel between Client AnyConnect to HQ - That´s OK

The idea is that the AnyConnect client should reach the LAN at the Branch Office, but it does not.
The communication is established only when I start a session (ICMP and/or RDP) from the Branch Office to the AnyConnect client;
in that case the communication is OK, but only for a few minutes.

Could you help me?
Below are the IOS version and configurations.

ASA5505 Version 8.4(7)23 (headquarters)
ASA5505 Version 8.4(7)23 (Branch)

**************** Configuration Easy VPN Server (HQ) **************** 

crypto dynamic-map DYNAMIC-MAP 5 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside-link-2_map 1 ipsec-isakmp dynamic DYNAMIC-MAP
crypto map outside-link-2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-link-2_map interface outside-link-2

access-list ACL_EZVPN standard permit 10.0.0.0 255.255.255.0 
access-list ACL_EZVPN standard permit 192.168.1.0 255.255.255.0 
access-list ACL_EZVPN standard permit 192.168.50.0 255.255.255.0 
access-list ACL_EZVPN standard permit 10.10.0.0 255.255.255.0 

group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_EZVPN
 nem enable 
tunnel-group EZVPN_TG type remote-access
tunnel-group EZVPN_TG general-attributes
 default-group-policy EZVPN_GP
tunnel-group EZVPN_TG ipsec-attributes
 ikev1 pre-shared-key *****

object-group network Obj_VPN_anyconnect-local
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
 network-object 192.168.50.0 255.255.255.0
object-group network NAT_EZVPN_Source
 network-object 192.168.1.0 255.255.255.0
 network-object 10.10.0.0 255.255.255.0
object-group network NAT_EZVPN_Destination
 network-object 10.0.0.0 255.255.255.0
 
nat (inside,outside-link-2) source static Obj_VPN_anyconnect-local Obj_VPN_anyconnect-local destination static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote no-proxy-arp route-lookup
nat (inside,outside-link-2) source static NAT_EZVPN_Source NAT_EZVPN_Source destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
nat (outside-link-2,outside-link-2) source static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup

**************** Configuration VPN AnyConnect (HQ) **************** 

webvpn
 enable outside-link-2
 default-idle-timeout 60
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles Remote_Connection_for_TS_Users disk0:/remote_connection_for_ts_users.xml
 anyconnect enable
 tunnel-group-list enable

access-list split-tunnel standard permit 192.168.1.0 255.255.255.0 
access-list split-tunnel standard permit 192.168.15.0 255.255.255.0 
access-list split-tunnel standard permit 10.0.0.0 255.255.255.0 

group-policy clientgroup internal
group-policy clientgroup attributes
 wins-server none
 dns-server value 192.168.1.41
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value ipconnection.com.br
 webvpn       
  anyconnect keep-installer installed
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect profiles value Remote_Connection_for_TS_Users type user
  anyconnect ask none default anyconnect

tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool vpnpool
 authentication-server-group DC03
 default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
 group-alias IPConnection-vpn-anyconnect enable

object-group network Obj_VPN_anyconnect-local
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
 network-object 192.168.50.0 255.255.255.0
object-group network NAT_EZVPN_Source
 network-object 192.168.1.0 255.255.255.0
 network-object 10.10.0.0 255.255.255.0
object-group network NAT_EZVPN_Destination
 network-object 10.0.0.0 255.255.255.0
 
nat (inside,outside-link-2) source static Obj_VPN_anyconnect-local Obj_VPN_anyconnect-local destination static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote no-proxy-arp route-lookup
nat (inside,outside-link-2) source static NAT_EZVPN_Source NAT_EZVPN_Source destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
nat (outside-link-2,outside-link-2) source static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup

Accepted Solution

Abaji Rawool
Level 3

Hi,

The communication works when you send traffic from the EasyVPN branch side because it forms the IPsec SA for the local subnet and the AnyConnect HQ pool. The SA will only form when the branch initiates the connection, as this is a dynamic peer connection to the HQ ASA.

When there is no SA between the branch and HQ for this traffic, the HQ ASA has no clue where to send the traffic from AnyConnect to the branch network.

I hope it explains the cause.

Regards,

Abaji.
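A check that follows from the accepted answer, added here as an example and not part of the thread: on the HQ ASA, `show crypto ipsec sa` lists every IPsec SA together with its proxy identities (`local ident` / `remote ident`), so "is there an SA that covers AnyConnect-pool-to-branch-LAN traffic right now?" can be answered by matching the flow against those identities before and after the branch sends traffic. The two excerpts in the script are constructed, simplified imitations of that output, and the addresses are assumptions: 10.0.0.0/24 as the branch LAN (taken from NAT_EZVPN_Destination), 192.168.50.0/24 as the AnyConnect pool (the `vpnpool` range is not shown in the post), and 203.0.113.10 / 198.51.100.20 as documentation-range peer addresses.

```python
"""Does an IPsec SA on the HQ ASA cover a given flow?  Added example, not code from the thread.

Parses a constructed, simplified imitation of ASA 'show crypto ipsec sa' output and matches a
source/destination pair against each SA's proxy identities (local ident / remote ident).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (assumption): only the HQ LAN <-> branch LAN SA exists, i.e. the state
# before the branch has sent any traffic toward the AnyConnect pool.
SA_BEFORE_BRANCH_INITIATES = """\
interface: outside-link-2
    Crypto map tag: DYNAMIC-MAP, seq num: 5, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20
      #pkts encaps: 1540, #pkts encrypt: 1540, #pkts digest: 1540
      #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
"""

# Constructed sample (assumption): the branch has since pinged an AnyConnect client, so a
# second SA whose HQ-side identity is the (assumed) pool 192.168.50.0/24 now exists.
SA_AFTER_BRANCH_INITIATES = SA_BEFORE_BRANCH_INITIATES + """
      local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20
      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
"""


@dataclass(frozen=True)
class IpsecSa:
    local: ipaddress.IPv4Network   # HQ-side proxy identity
    remote: ipaddress.IPv4Network  # peer-side proxy identity
    peer: str


_IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): "
                    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/\d+/\d+\)")
_PEER = re.compile(r"current_peer: (\d+\.\d+\.\d+\.\d+)")


def parse_ipsec_sas(show_output: str) -> List[IpsecSa]:
    """Collect (local ident, remote ident, peer) triples; an SA block is complete at current_peer."""
    sas: List[IpsecSa] = []
    local = remote = None
    for line in show_output.splitlines():
        m = _IDENT.search(line)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
            if m.group(1) == "local":
                local = net
            else:
                remote = net
            continue
        p = _PEER.search(line)
        if p:
            if local is None or remote is None:
                raise ValueError("current_peer seen before both proxy identities")
            sas.append(IpsecSa(local, remote, p.group(1)))
            local = remote = None
    return sas


def covering_sa(sas: List[IpsecSa], src: str, dst: str) -> Optional[IpsecSa]:
    """Return the first SA whose proxy identities contain src (HQ side) and dst (peer side)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return next((sa for sa in sas if s in sa.local and d in sa.remote), None)


def diagnose(show_output: str, src: str, dst: str) -> str:
    """One-line verdict for a flow, in the terms of the accepted answer."""
    sa = covering_sa(parse_ipsec_sas(show_output), src, dst)
    if sa is None:
        return (f"no IPsec SA covers {src} -> {dst}; the branch is a dynamic peer, so the HQ ASA "
                f"cannot build one itself and the branch must send traffic first")
    return f"SA to peer {sa.peer} covers {src} -> {dst} ({sa.local} <-> {sa.remote})"


if __name__ == "__main__":
    for label, out in (("before", SA_BEFORE_BRANCH_INITIATES), ("after", SA_AFTER_BRANCH_INITIATES)):
        print(label, "->", diagnose(out, "192.168.50.5", "10.0.0.7"))
```

Run it against a pasted `show crypto ipsec sa` from the HQ ASA: if the pool-to-branch flow has no covering SA while HQ-LAN-to-branch does, the symptom in the post (works only for a while after the branch initiates) is the SA lifetime of the SA the branch built, not a NAT or routing error on the HQ side.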

2 Replies

Hi Abaji Rawool,

Thank you very much for the explanation.
