04-19-2023 03:30 PM
Hey,
I have set up multiple tunnels between a few ASAs, plus an AnyConnect VPN gateway on the 'main' ASA with a public IP (let's say 150.1.0.1).
I can communicate between the remote locations, connect to the VPN via my laptop, and communicate with all locations.
I would like to access the management (ASDM\SSH) via my laptop when connected to the VPN.
I have set the static IP in the ACL of the GroupPolicy and created a rule for SSH+HTTPS connections from the pool IP range set in the VPN (let's say 10.22.0.0/24).
I can confirm the VPN is routing the static IP address, but no success when trying to log in via SSH\HTTPS.
I tried to ping the static IP via my laptop, and I can see in the syslog the ICMP is from my ISP IP address and not the VPN address.
Any suggestion what else I could have missed?
*I can log in to SSH+HTTPS from one of my remote locations (via the tunnel).
Thank you
04-19-2023 03:41 PM
04-20-2023 01:31 AM
Hi,
I have followed this guide and done most of it, but still can't get it to work, or have any idea of what I might be missing.
04-20-2023 01:36 AM
@gal.avichid if you want to manage the ASA over the VPN have you configured management-access <interface> ? https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_management.pdf
You also need to ensure you permit HTTP/SSH from the IP pool network:-
ssh <ip pool network> <netmask> <interface>
http <ip pool network> <netmask> <interface>
04-20-2023 01:55 AM
Hi @Rob Ingram
Both of the configurations are made, still can't connect via the VPN.
I can access it via one of the environments through the tunnel.
I have one interface in the main ASA (outside); I allowed management-access on that interface and added the pool IP.
I feel my main issue is that when I'm trying to reach the main ASA on its static IP, it's going via my public IP and not via the pool IP I get in the VPN.
04-20-2023 02:01 AM
@gal.avichid wrote:
Hi @Rob Ingram
I feel my main issue is that when I'm trying to reach the main ASA on its static IP, it's going via my public IP and not via the pool IP I get in the VPN.
@gal.avichid sounds like you may need to create a NAT exemption rule then, to ensure that traffic is not translated.
nat (outside,outside) source static POOL POOL destination static REMOTE REMOTE
If you still have a problem, you may want to run packet-tracer from the CLI and provide the output.
04-20-2023 02:23 AM
Can I see the final config?
thanks
MHM
04-24-2023 03:03 AM
Hi @gal.avichid
I think I could help you with this problem. I have the below questions in regards to the same:
ASA version
Anyconnect Version
Which Interface Ip are you trying to use for ASDM/SSH ?
04-24-2023 01:42 PM
@Rob Ingram I have tried to add those lines, still the same result.
@MHM Cisco World see attached
@Salman Mahajan I don't think the problem is there.
I have connected another client via the AnyConnect VPN (10.22.0.1 + 10.22.0.2); the 2 hosts can ping each other, but I can't ping the hosts from the ASA. I guess I am missing something, just not sure what.
04-24-2023 01:57 PM
Are you sure this config is complete? There are many commands missing for AnyConnect.
04-24-2023 02:38 PM
04-28-2023 12:19 AM
Small update,
I have added NAT and now I can ping the clients connecting to the VPN from the FW.
nat (outside,outside) source static NETWORK_OBJ_PUBLIC_IP NETWORK_OBJ_PUBLIC_IP destination static OBJ_vpn_pool_ip OBJ_vpn_pool_ip no-proxy-arp route-lookup
I am still not able to SSH to the FW when the rule 'ssh 10.78.0.0 255.255.255.0 outside' is set and I am connected to the VPN.
I am using split-tunnel, and set the subnet 10.78.0.0/24 to be directed via the VPN.
04-29-2023 03:40 AM
@gal.avichid What is the ASA version ?
With the above NAT statement configured on the firewall, are you still unable to ping/ASDM/SSH the outside IP address of the FW via RA-VPN? Does network object "OBJ_vpn_pool_ip" contain the 10.78.0.0/24 subnet?
Please share the below output here:
ciscoasa# show vpn-sessiondb anyconnect filter name < username >
ciscoasa# packet-tracer input outside icmp < anyconnectip > 8 0 <outsideip> detailed
04-29-2023 10:15 AM - edited 04-29-2023 10:17 AM
Hi Salman
ASA Version: 9.8(2)
OBJ_vpn_pool_ip = 10.78.0.0/24
When I am connected to the VPN from my laptop and ping the IP of the VPN (which is the remote IP), I can still see the ICMP coming from my local internet IP (77.251.*.*). I guess there is something wrong with the translation? Therefore, when I set the SSH connection via 10.78.*.*, it's not accepted, as the ASA is receiving the request from 77.251.*.*.
Here are the outputs:
Result of the command: "show vpn-sessiondb anyconnect filter name GAL"
Session Type: AnyConnect
Username : GAL Index : 63914
Assigned IP : 10.78.0.2 Public IP : 77.251.*.*
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 52258 Bytes Rx : 74324
Group Policy : GroupPolicy_VPN
Tunnel Group : VPN
Login Time : 19:05:34 CEDT Fri Apr 28 2023
Duration : 0h:01m:41s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 9d6177120f9aa000644bfcde
Security Grp : none
Result of the command: "packet-tracer input outside icmp REMOTE-IP 8 0 REMOTE-IP detailed"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop REMOTE-IP using egress ifc identity
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
04-29-2023 10:21 AM
Friend, you access via AnyConnect and succeed.
Now you want to SSH to the ASA through AnyConnect, so what you need is:
ssh 0.0.0.0 0.0.0.0 mgmt
!
management-access outside
This will let you SSH to the mgmt interface through the AnyConnect VPN.
You cannot SSH to outside, since the AnyConnect tunnel terminates on this interface.
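As an added example (not posted by anyone in this thread), here is a complete ASA 9.x configuration that puts the replies above together: management-access on an interface other than the one the VPN terminates on, ssh/http entries permitting the pool, a NAT exemption with route-lookup, and a split-tunnel list that sends the management subnet through the tunnel. The pool 10.78.0.0/24, the object OBJ_vpn_pool_ip and the group policy name come from the thread; the interface names, the inside subnet 192.168.1.0/24, the object OBJ_inside_net and the pool name are assumptions.

```text
! Added example, not from the thread. Interface names, 192.168.1.0/24,
! OBJ_inside_net and VPN_POOL are assumptions; 10.78.0.0/24, OBJ_vpn_pool_ip
! and GroupPolicy_VPN are the values used in the thread.
!
! The VPN terminates on "outside"; management is done on "inside".
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 150.1.0.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ip local pool VPN_POOL 10.78.0.1-10.78.0.254 mask 255.255.255.0
object network OBJ_vpn_pool_ip
 subnet 10.78.0.0 255.255.255.0
object network OBJ_inside_net
 subnet 192.168.1.0 255.255.255.0
!
! Split tunnel: only the inside subnet (where the management IP lives)
! is sent through the VPN; everything else stays on the client's ISP path.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy GroupPolicy_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! NAT exemption so pool <-> inside traffic is never translated; route-lookup
! makes the ASA use its routing table to pick the egress interface.
nat (inside,outside) source static OBJ_inside_net OBJ_inside_net destination static OBJ_vpn_pool_ip OBJ_vpn_pool_ip no-proxy-arp route-lookup
!
! Management reachable on the inside address from VPN clients: packets enter
! on outside, and management-access lets them terminate on inside's IP.
! Permit only the VPN pool, not 0.0.0.0/0, for SSH and ASDM.
management-access inside
ssh 10.78.0.0 255.255.255.0 inside
http server enable
http 10.78.0.0 255.255.255.0 inside
!
! A connected client then uses ssh admin@192.168.1.1 or https://192.168.1.1
! for ASDM, not the outside address 150.1.0.1.
```

To verify from the ASA before testing from a client, run `packet-tracer input outside tcp 10.78.0.2 12345 192.168.1.1 22 detailed` and confirm it ends with Action: allow instead of the sp-security-failed drop shown earlier in the thread.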