01-29-2015 10:27 AM - edited 02-21-2020 08:03 PM
Hi Team,
I have a communication problem from the VPN AnyConnect to the Easy VPN Remote. I'll explain better below; see the attached topology:
1) VPN Tunnel between HQ and Branch Office - That's OK
2) VPN Tunnel between Client AnyConnect and HQ - That's OK
The idea is that the AnyConnect client should reach the LAN at the Branch Office, but it does not reach it.
The communication is established only when I start a session (ICMP and/or RDP) from the Branch Office to the AnyConnect client; in this way the communication is OK, but only for a few minutes.
Could you help me?
Below are the IOS version and configurations.
ASA5505 Version 8.4(7)23 (headquarters)
ASA5505 Version 8.4(7)23 (Branch)
**************** Configuration Easy VPN Server (HQ) ****************
crypto dynamic-map DYNAMIC-MAP 5 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside-link-2_map 1 ipsec-isakmp dynamic DYNAMIC-MAP
crypto map outside-link-2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-link-2_map interface outside-link-2
access-list ACL_EZVPN standard permit 10.0.0.0 255.255.255.0
access-list ACL_EZVPN standard permit 192.168.1.0 255.255.255.0
access-list ACL_EZVPN standard permit 192.168.50.0 255.255.255.0
access-list ACL_EZVPN standard permit 10.10.0.0 255.255.255.0
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_EZVPN
nem enable
tunnel-group EZVPN_TG type remote-access
tunnel-group EZVPN_TG general-attributes
default-group-policy EZVPN_GP
tunnel-group EZVPN_TG ipsec-attributes
ikev1 pre-shared-key *****
object-group network Obj_VPN_anyconnect-local
network-object 192.168.1.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
network-object 192.168.50.0 255.255.255.0
object-group network NAT_EZVPN_Source
network-object 192.168.1.0 255.255.255.0
network-object 10.10.0.0 255.255.255.0
object-group network NAT_EZVPN_Destination
network-object 10.0.0.0 255.255.255.0
nat (inside,outside-link-2) source static Obj_VPN_anyconnect-local Obj_VPN_anyconnect-local destination static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote no-proxy-arp route-lookup
nat (inside,outside-link-2) source static NAT_EZVPN_Source NAT_EZVPN_Source destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
nat (outside-link-2,outside-link-2) source static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
**************** Configuration VPN AnyConnect (HQ) ****************
webvpn
enable outside-link-2
default-idle-timeout 60
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles Remote_Connection_for_TS_Users disk0:/remote_connection_for_ts_users.xml
anyconnect enable
tunnel-group-list enable
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
access-list split-tunnel standard permit 192.168.15.0 255.255.255.0
access-list split-tunnel standard permit 10.0.0.0 255.255.255.0
group-policy clientgroup internal
group-policy clientgroup attributes
wins-server none
dns-server value 192.168.1.41
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value ipconnection.com.br
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect profiles value Remote_Connection_for_TS_Users type user
anyconnect ask none default anyconnect
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool vpnpool
authentication-server-group DC03
default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
group-alias IPConnection-vpn-anyconnect enable
object-group network Obj_VPN_anyconnect-local
network-object 192.168.1.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
network-object 192.168.50.0 255.255.255.0
object-group network NAT_EZVPN_Source
network-object 192.168.1.0 255.255.255.0
network-object 10.10.0.0 255.255.255.0
object-group network NAT_EZVPN_Destination
network-object 10.0.0.0 255.255.255.0
nat (inside,outside-link-2) source static Obj_VPN_anyconnect-local Obj_VPN_anyconnect-local destination static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote no-proxy-arp route-lookup
nat (inside,outside-link-2) source static NAT_EZVPN_Source NAT_EZVPN_Source destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
nat (outside-link-2,outside-link-2) source static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
01-30-2015 02:33 AM
Hi,
the communication works when you send traffic from the EasyVPN branch side because it forms the IPsec SA for the local subnet and the AnyConnect HQ pool. The SA will only form when the branch initiates the connection, as this is a dynamic peer connection to the HQ ASA.
When there is no SA between branch and HQ for this traffic, the HQ ASA has no clue where to send the traffic from AnyConnect to the branch network.
I hope it explains the cause.
Regards,
Abaji.
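As an added example (not part of the original thread and not Cisco's tooling), the Python script below parses the HQ configuration lines quoted in the post and, for a given flow, checks three things an engineer would verify before looking at SA state: that the source is in the EasyVPN split-tunnel ACL, that the destination is, and that an identity twice-NAT rule (NAT exemption) on the right interface pair covers the flow in either direction. The config text is a constructed excerpt of the post's own lines (indentation added); the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the HQ ASA 8.4(7) configuration quoted in the post:
# EasyVPN split-tunnel ACL, network object-groups and the three twice-NAT rules.
HQ_CONFIG = """
access-list ACL_EZVPN standard permit 10.0.0.0 255.255.255.0
access-list ACL_EZVPN standard permit 192.168.1.0 255.255.255.0
access-list ACL_EZVPN standard permit 192.168.50.0 255.255.255.0
access-list ACL_EZVPN standard permit 10.10.0.0 255.255.255.0
object-group network Obj_VPN_anyconnect-local
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
 network-object 192.168.50.0 255.255.255.0
object-group network NAT_EZVPN_Source
 network-object 192.168.1.0 255.255.255.0
 network-object 10.10.0.0 255.255.255.0
object-group network NAT_EZVPN_Destination
 network-object 10.0.0.0 255.255.255.0
nat (inside,outside-link-2) source static Obj_VPN_anyconnect-local Obj_VPN_anyconnect-local destination static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote no-proxy-arp route-lookup
nat (inside,outside-link-2) source static NAT_EZVPN_Source NAT_EZVPN_Source destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
nat (outside-link-2,outside-link-2) source static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
"""


def parse_config(text):
    """Collect standard ACLs, network object-groups and 'source static ... destination static' NAT rules."""
    acls = defaultdict(list)    # ACL name -> [ip_network]
    groups = defaultdict(list)  # object-group name -> [ip_network]
    nats = []                   # one dict per twice-NAT rule
    current_group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line)
        if m:
            acls[m[1]].append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
            current_group = None
            continue
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current_group = m[1]
            continue
        m = re.match(r"network-object (\S+) (\S+)$", line)
        if m and current_group:
            groups[current_group].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
            continue
        m = re.match(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)", line)
        if m:
            nats.append({"in": m[1], "out": m[2], "src": m[3], "src_mapped": m[4],
                         "dst": m[5], "dst_mapped": m[6]})
            current_group = None
    return acls, groups, nats


def covered(net, nets):
    """True if net lies inside any network in nets (an equal network counts)."""
    return any(net.subnet_of(n) for n in nets)


def check_flow(cfg, src, dst, split_acl, ingress, egress):
    """Report whether src->dst is selected by the split ACL and exempt from NAT."""
    acls, groups, nats = cfg
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)

    def exempts(rule):
        # Identity twice-NAT: real == mapped on both sides, on this interface pair.
        # Static rules are bidirectional, so test both orientations of the flow.
        if rule["src"] != rule["src_mapped"] or rule["dst"] != rule["dst_mapped"]:
            return False
        if {rule["in"], rule["out"]} != {ingress, egress}:
            return False
        s, d = groups[rule["src"]], groups[rule["dst"]]
        return (covered(src, s) and covered(dst, d)) or (covered(src, d) and covered(dst, s))

    return {
        "src_in_split": covered(src, acls[split_acl]),
        "dst_in_split": covered(dst, acls[split_acl]),
        "nat_exempt": any(exempts(r) for r in nats),
    }


if __name__ == "__main__":
    cfg = parse_config(HQ_CONFIG)
    flows = [
        # AnyConnect pool -> branch LAN, hairpinned on the outside interface
        ("192.168.50.0/24", "10.0.0.0/24", "outside-link-2", "outside-link-2"),
        # HQ 192.168.15.0/24 (in the AnyConnect split list) -> branch LAN
        ("192.168.15.0/24", "10.0.0.0/24", "inside", "outside-link-2"),
    ]
    for s, d, i, e in flows:
        print(f"{s} -> {d} via ({i},{e}): {check_flow(cfg, s, d, 'ACL_EZVPN', i, e)}")
```

For the AnyConnect pool (192.168.50.0/24) to branch LAN (10.0.0.0/24) hairpin on (outside-link-2,outside-link-2) all three checks pass, which agrees with Abaji's diagnosis that the selectors and NAT exemption are present and the missing piece is the IPsec SA itself: the branch is a dynamic peer, so HQ cannot bring up the SA for those selectors on its own, and traffic from the pool is only forwarded while a branch-initiated SA is alive. The second flow shows a gap the script surfaces from the posted lines: 192.168.15.0/24 is in the AnyConnect split list but appears in neither ACL_EZVPN nor the EasyVPN NAT exemption.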
02-03-2015 06:26 AM
Hi Abaji Rawool,
Thank you very much for the explanation.