Connecting to AnyConnect externally to internal interface

joshdouch (Level 1)

Hi all,

I'm having trouble connecting to my AnyConnect VPN when connecting through an outside interface to an internal interface. I have publicly routable IPs configured on an internal interface, and want to connect using the interface address. This is the topology:

Internet -- ISR -- (172.12.12.0/30) -- ASA

Traffic comes in over the outside_isr (172.12.12.0/30) interface, destined for the svr_pub_2 interface address 81.187.XX.XX.

Logs show traffic coming in over outside_isr with error "failed to locate egress interface"

I'm not using any NAT. 

 

interface GigabitEthernet0/5
 nameif outside_isr
 security-level 0
 ip address 172.12.12.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif svr_pub_2
 security-level 100
 ip address 81.187.XX.XX 255.255.255.248
!
webvpn
 port 444
 enable inside_1
 enable outside_isr
 enable svr_pub_2
 dtls port 444
 ...

Is this possible? I know it is not possible to ping from a far interface, and this is similar. Is there any workaround I can do on the ASA itself? At the moment I have a NAT on the ISR to allow me to connect to the outside_isr interface instead, but ideally want to get it working like this.

Thanks!


12 Replies

Can I see the output of show route on the ASA?

MHM

Gateway of last resort is 172.12.12.1 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 172.12.12.1, outside_isr
C 81.2.XX.XX 255.255.255.248 is directly connected, svr_pub
L 81.2.XX.XX 255.255.255.255 is directly connected, svr_pub
C 81.187.XX.XX 255.255.255.248 is directly connected, svr_pub_2
L 81.187.XX.XX 255.255.255.255 is directly connected, svr_pub_2
C 172.12.12.0 255.255.255.252 is directly connected, outside_isr
L 172.12.12.2 255.255.255.255 is directly connected, outside_isr
C 192.168.0.0 255.255.255.0 is directly connected, inside_1
L 192.168.0.1 255.255.255.255 is directly connected, inside_1

So you have an ISR router, and it NATs its public IP to the ASA's private IP used for AnyConnect, and then the user tries to connect to the internal server using the public IP.

With all of that and your routing table there is no issue.

Do:

capture CAP interface <server interface> match ip <anyconnect subnet> <server public IP>

See if the traffic passes through the server interface.

MHM

Not quite. There is no NAT whatsoever (except the NAT I am using temporarily, but that is unrelated). The ISR can route the publicly routable IPs on the internal interface of the ASA - it is routing these over the 172.12.12.0/30. I have done a capture, and can see the traffic coming in on outside_isr, but then it says there is no egress route.

The ISR doesn't see the traffic inside the AnyConnect VPN, so how can it route it?
The AnyConnect VPN ends on the ASA (OUTSIDE), and both the AnyConnect client and the server connect directly to the ASA, and the ASA routes the traffic.
The ISR only NATs the public IP used by AnyConnect to the 172.12.12.x of the ASA.
That's it.

MHM

@joshdouch 


@joshdouch wrote:

Traffic comes in over the outside_isr (172.12.12.0/30) interface, destined for the svr_pub_2 interface address 81.187.XX.XX.


That won't work, you must connect to the closest interface (outside_isr), you cannot connect through the ASA to the ASA's far interface to establish a VPN. Therefore you'd either have to redesign the ASA configuration (public IP address on the outside) or use NAT on the router in front of the ASA.

HTH

 

Ah thought that may be the case. Thank you!

Sorry, what did you decide to do now?
Change the ASA outside IP to a public one and override the ISR, or what?

thanks 

MHM

I think it would require too much redesign to put the public address range on the outside, so I am just going to have to put up with the NAT on the ISR:

 

ip nat inside source static tcp 172.16.12.2 444 interface Virtual-PPP9797 444

Edit: For clarification, the ISR has an additional public range, to which this would be NAT'd.

That's the right decision.

Port 444 for webvpn on the ASA and a static NAT to only a virtual interface is not clear to me, but anyway, if it is a static IP and not DHCP nor PPPoE, then it is OK.

Thanks for updating me.

Have a nice day

MHM

Yeah it is a bit of an odd setup - I am routing over an L2TP tunnel which routes some public subnets to me. Thanks again!

One last point 

Also add UDP 444 to your NAT for DTLS; DTLS is faster than TLS.

Good luck, friend.

MHM
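As an added example, not code from the original thread, here is what the accepted answer and the later replies add up to, laid out as one piece: AnyConnect terminated on the ASA's nearest interface (outside_isr) rather than on the far svr_pub_2 interface, the ISR static NAT carrying both TCP 444 and UDP 444 so that DTLS works and not only TLS, and the capture MHM suggested, filled in for the real client-to-ASA flow instead of the server flow. The interface names, port 444 and Virtual-PPP9797 are taken from the thread. The ISR's ASA-facing interface name, the ASA-side address 172.12.12.2 (the outside_isr address in the routing table shown above; the NAT line posted later uses 172.16.12.2, so confirm which address the ISR is really forwarding to) and the test client address 203.0.113.10 are assumptions.

```cisco
! ===== ISR (IOS) =====
! Assumed interface name for the link to the ASA. The ASA sits on the
! "inside" of the NAT; the L2TP uplink that carries the public range is "outside".
interface GigabitEthernet0/1
 description Link to ASA outside_isr (172.12.12.0/30)
 ip address 172.12.12.1 255.255.255.252
 ip nat inside
!
interface Virtual-PPP9797
 description L2TP uplink carrying the public range
 ip nat outside
!
! Port-forward 444/tcp (TLS) AND 444/udp (DTLS) to the ASA's outside_isr address.
! A TCP-only entry leaves AnyConnect working but silently falls back to TLS.
ip nat inside source static tcp 172.12.12.2 444 interface Virtual-PPP9797 444
ip nat inside source static udp 172.12.12.2 444 interface Virtual-PPP9797 444

! ===== ASA =====
! Listen only on the interface the client can actually reach (outside_isr).
! There is no "enable svr_pub_2": clients cannot reach the far interface through
! the ASA anyway, and listening there only widens the exposed surface.
webvpn
 port 444
 dtls port 444
 enable outside_isr
!
! Verification. 203.0.113.10 is a constructed test client address.
! 1) Capture the client's TLS/DTLS traffic on the interface it really arrives on.
capture CAP interface outside_isr match tcp host 203.0.113.10 host 172.12.12.2 eq 444
capture CAPDTLS interface outside_isr match udp host 203.0.113.10 host 172.12.12.2 eq 444
show capture CAP
show capture CAPDTLS
! 2) Walk a synthetic client packet through the ASA and see where it is accepted or dropped.
packet-tracer input outside_isr tcp 203.0.113.10 50000 172.12.12.2 444
! 3) Once connected, confirm the session negotiated DTLS rather than TLS only.
show vpn-sessiondb anyconnect
```

If the DTLS capture stays empty while the TCP one fills up, the UDP NAT entry (or a filter on the L2TP provider side) is the first thing to check; the tunnel still comes up over TLS, which is why a missing UDP rule is easy to overlook.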