05-02-2024 07:13 AM
Hi all,
I'm having trouble connecting to my AnyConnect VPN when connecting through an outside interface to an internal interface. I have publicly routable IPs configured on an internal interface, and want to connect using the interface address. This is the topology:
Internet -- ISR -- (172.12.12.0/30) -- ASA
Traffic comes in over the outside_isr (172.12.12.0/30) interface, destined for the svr_pub_2 interface address 81.187.XX.XX.
Logs show traffic coming in over outside_isr with error "failed to locate egress interface"
I'm not using any NAT.
interface GigabitEthernet0/5
nameif outside_isr
security-level 0
ip address 172.12.12.2 255.255.255.252
!
interface GigabitEthernet0/1
nameif svr_pub_2
security-level 100
ip address 81.187.XX.XX 255.255.255.248
!
webvpn
port 444
enable inside_1
enable outside_isr
enable svr_pub_2
dtls port 444
...
Is this possible? I know it is not possible to ping from a far interface, and this is similar. Is there any workaround I can do on the ASA itself? At the moment I have a NAT on the ISR to allow me to connect to the outside_isr interface instead, but ideally want to get it working like this.
Thanks!
05-02-2024 08:55 AM
@joshdouch wrote:
Traffic comes in over the outside_isr (172.12.12.0/30) interface, destined for the svr_pub_2 interface address 81.187.XX.XX.
That won't work, you must connect to the closest interface (outside_isr), you cannot connect through the ASA to the ASA's far interface to establish a VPN. Therefore you'd either have to redesign the ASA configuration (public IP address on the outside) or use NAT on the router in front of the ASA.
HTH
05-02-2024 07:18 AM
Can I see "show route" on the ASA?
MHM
05-02-2024 07:23 AM
Gateway of last resort is 172.12.12.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 172.12.12.1, outside_isr
C 81.2.XX.XX 255.255.255.248 is directly connected, svr_pub
L 81.2.XX.XX 255.255.255.255 is directly connected, svr_pub
C 81.187.XX.XX 255.255.255.248 is directly connected, svr_pub_2
L 81.187.XX.XX 255.255.255.255 is directly connected, svr_pub_2
C 172.12.12.0 255.255.255.252 is directly connected, outside_isr
L 172.12.12.2 255.255.255.255 is directly connected, outside_isr
C 192.168.0.0 255.255.255.0 is directly connected, inside_1
L 192.168.0.1 255.255.255.255 is directly connected, inside_1
05-02-2024 08:36 AM
So you have an ISR router, and it NATs its public IP to the ASA private IP used for AnyConnect, and then the user tries to connect to the internal server using the public IP.
With all of that and your routing table, there is no issue.
Do:
capture CAP interface <server interface> match ip <anyconnect subnet> <server public IP>
See if the traffic passes through the server interface.
MHM
05-02-2024 08:49 AM
Not quite. There is no NAT whatsoever (except the NAT i am using temporarily, but that is unrelated). The ISR can route the publicly routable IPs in the internal interface on the ASA - it is routing this over the 172.12.12.0/30. I have done a capture, and can see the traffic coming ingress outside_isr, but then says there is no egress route.
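As an added check (not part of the original thread), the following ASA commands reproduce the two cases being discussed directly on the firewall: a capture on outside_isr that isolates the inbound port 444 traffic, and packet-tracer runs for a simulated client hitting the near interface (outside_isr) versus the far interface (svr_pub_2). The client source address 198.51.100.10 is a documentation-range placeholder chosen here, and <svr_pub_2-ip> stands for the masked 81.187.XX.XX address; substitute the real values.

```cisco
! Capture only the AnyConnect/TLS traffic arriving on outside_isr for the
! far-interface address. Buffer size is an arbitrary choice for this example.
capture CAP interface outside_isr buffer 1048576 match tcp any host <svr_pub_2-ip> eq 444

! Simulate a client (198.51.100.10 is a constructed placeholder address)
! connecting to the far interface. On this topology the trace stops at the
! routing phase, which is the "failed to locate egress interface" drop seen
! in the logs.
packet-tracer input outside_isr tcp 198.51.100.10 40000 <svr_pub_2-ip> 444 detailed

! Same simulated client connecting to the near interface address instead.
! This is the path the ISR-side static NAT workaround ends up using.
packet-tracer input outside_isr tcp 198.51.100.10 40000 172.12.12.2 444 detailed

! Inspect and clean up.
show capture CAP
no capture CAP
```

Comparing the two packet-tracer outputs makes the difference visible without touching the client: the near-interface trace is accepted by the to-the-box path, while the far-interface trace has no egress interface because the ASA does not terminate sessions destined for one of its own addresses arriving on a different interface.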
05-02-2024 08:52 AM - edited 05-02-2024 09:16 AM
The ISR doesn't see the traffic inside the AnyConnect VPN, so how can it route it?
The AnyConnect VPN ends on the ASA (OUTSIDE), and both AnyConnect and the server connect directly to the ASA, and the ASA routes the traffic.
The ISR only NATs the public IP used by AnyConnect to the 172.12.12.x of the ASA.
That's it.
MHM
05-02-2024 09:12 AM
Ah thought that may be the case. Thank you!
05-02-2024 09:24 AM
Sorry, what did you decide to do now?
Change the ASA outside IP to a public one and override the ISR, or what?
thanks
MHM
05-02-2024 10:12 AM - edited 05-13-2024 04:17 PM
I think it would require too much redesign to put the public address range on the outside, so I am just going to have to put up with the NAT on the ISR:
ip nat inside source static tcp 172.16.12.2 444 interface Virtual-PPP9797 444
Edit: For clarification, the ISR has an additional public range, to which this would be NAT'd.
05-02-2024 10:19 AM
That's the right decision.
Port 444 for webvpn on the ASA and a static NAT on only a virtual interface is not clear to me, but anyway, if it is a static IP, not DHCP or PPPoE, then it's OK.
Thanks for updating me.
Have a nice day
MHM
05-13-2024 04:17 PM
Yeah it is a bit of an odd setup - I am routing over an L2TP tunnel which routes some public subnets to me. Thanks again!
05-02-2024 10:25 AM
One last point
Also add UDP 444 to your NAT for DTLS; DTLS is faster than TLS.
Goodluck friend
MHM
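Putting the workaround from this thread together, the following IOS configuration is an added example (not posted by either participant) of the ISR-side static NAT with both the TCP and the UDP port-444 entries, so that DTLS is not silently dropped and the client falls back to TLS. It reuses the Virtual-PPP9797 interface and the 172.16.12.2 / port 444 values from the posted command; the interface names GigabitEthernet0/0/1 and Virtual-PPP9797 as NAT inside/outside, and the ASA-side webvpn lines, are assumptions about the rest of the setup.

```cisco
! ISR: mark the interface towards the ASA as NAT inside and the tunnel
! interface carrying the public range as NAT outside (interface names assumed).
interface GigabitEthernet0/0/1
 ip nat inside
!
interface Virtual-PPP9797
 ip nat outside
!
! TCP 444: the SSL/TLS control and fallback channel of AnyConnect.
ip nat inside source static tcp 172.16.12.2 444 interface Virtual-PPP9797 444
! UDP 444: the DTLS data channel. Without this entry the DTLS handshake
! never reaches the ASA and every session runs over TLS only.
ip nat inside source static udp 172.16.12.2 444 interface Virtual-PPP9797 444
!
! ASA: the matching listener, already present in the posted config,
! must answer on the same port for both protocols on the near interface.
webvpn
 port 444
 dtls port 444
 enable outside_isr
```

Verification on the ISR is `show ip nat translations | include 444`, which should list both a tcp and a udp entry; on the ASA, `show vpn-sessiondb anyconnect` shows per-session whether the tunnel is using DTLS or only TLS.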