Internal Network to AC VPN Client connectivity issue

srijan
Level 1

Hello,

The AnyConnect VPN works fine when trying to access any of the internal networks. However, when traffic is sourced from an internal network towards the VPN client, the connectivity is not successful. This solution is required to deploy some packages to the machines with the AnyConnect VPN client installed, and none of the machines in the VPN pool are reachable from the internal network.

The output of traceroute from the internal network towards the AC VPN client reaches the Inside interface of the ASA VPN gateway and enters a routing loop between the Inside interface of the ASA and the L3 switch connected to the Inside interface.

The ASA routing table shows entries for the VPN clients as VPN host routes (V) pointing to the Outside interface as the exit.

Packet tracer on the Inside interface with the source as the internal network and the destination as a VPN pool IP results in "Allow", with both the input and output interfaces as "Inside". That is the reason the packet enters the loop here.

Please let me know if anything is being overlooked here.

-Srijan

8 Replies

parviz
Level 1

Hi,

1. NAT exemption

nat (inside,outside) source static inside-network inside-network destination static vpn-network vpn-network

2. What type of routing are you using, dynamic or static? If static, you must define it in your internal network pointing to the VPN network.

 

Thank you for your reply.

1. The NAT exemption statement already exists.

2. Static route. It is pointed to the ASA in which the AC is configured. That's the reason it reaches the ASA. However, it exits the ASA via the same Inside interface it entered from the internal network.

How to make the ASA understand that this traffic is targeted towards the AC VPN clients is what we need to identify, I believe. The VPN client routes are already populated in the ASA as and when users connect to the AnyConnect VPN. Each IP address from the VPN pool starts to populate in the ASA routing table.

I see them as follows:

V        10.10.10.5 255.255.255.255 connected by VPN (advertised), Outside 

Assuming the VPN pool is 10.10.10.1-10.10.10.126 mask 255.255.255.128.

On a side note: in my previous environment, I have seen these routes (AnyConnect VPN clients) populating as Static. What is the difference between these two (V and S), though both point to the AC VPN clients?

-Srijan

Please share the config of the ASA with the routing and VPN sections.

Hi Srijan,

Please share your configuration. It seems that the NAT statement is missing something, and I believe you do not have a static route on the ASA for the client IP pool; it is not needed, the route showing as "V" is fine.

-
Pulkit Saxena

Hello Pulkit,

You are right, the NAT statement was not correct.

Originally, it was:

nat (inside,any) source static inside_nw inside_nw destination static vpn_pool vpn_pool no-proxy-arp

The inside_nw object was not a broader subnet (which I initially assumed), so the internal network that was initiating the traffic was missing. Also, the route-lookup keyword was missing. Finally, I replaced "any" with "outside" in the NAT command.

The correct NAT statement added now is:

nat (inside,outside) source static inside_nw_new inside_nw_new destination static vpn_pool vpn_pool no-proxy-arp route-lookup

Thank you again Parviz and Pulkit for insisting that I re-validate the NAT statement.

-Srijan
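The following is an added illustration of the fix described above, not configuration from the thread: it places the broken and corrected identity NAT statements next to the objects they reference and the packet-tracer check used to confirm the egress interface. The inside network 192.168.10.0/24, the source host 192.168.10.50 and the pool name VPN_POOL are assumed placeholders; the pool range and object names come from the thread.

```text
! Added example, not the poster's configuration. Placeholder values are marked.

! VPN address pool (range from the thread, pool name assumed)
ip local pool VPN_POOL 10.10.10.1-10.10.10.126 mask 255.255.255.128

! The source object must cover the host that actually originates the traffic
! (assumed inside subnet 192.168.10.0/24)
object network inside_nw_new
 subnet 192.168.10.0 255.255.255.0

! Destination object matching the whole VPN pool
object network vpn_pool
 subnet 10.10.10.0 255.255.255.128

! Original statement from the thread, kept for comparison: the source object
! did not include the originating network, the destination interface was
! "any", and route-lookup was missing.
! nat (inside,any) source static inside_nw inside_nw destination static vpn_pool vpn_pool no-proxy-arp

! Corrected statement: explicit outside interface, and route-lookup tells the
! ASA to pick the egress interface from the routing table (the V host routes
! toward Outside) instead of from the NAT rule.
nat (inside,outside) source static inside_nw_new inside_nw_new destination static vpn_pool vpn_pool no-proxy-arp route-lookup

! Verification, with a client connected at 10.10.10.5 (assumed host and ports):
! the output interface should now be "outside" rather than "inside".
! packet-tracer input inside tcp 192.168.10.50 12345 10.10.10.5 445
```

Run the packet-tracer line after the change; an output interface of "inside" in its result indicates the NAT rule is still steering the traffic.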

You are welcome.

Hi Srijan,

Thank you for taking the time to confirm and close the thread. It always helps other people while they are looking for solutions.
Please do rate helpful posts as well.

-
Pulkit Saxena

Pulkit Saxena
Cisco Employee

Hi Srijan,

Ideally you do not need any specific configuration for this.

I believe you already have a NAT exemption and the route is populated on its own.

1) Check if there is any firewall on the local client not allowing the remote connection.

2) If the above is already fine, you can share your configuration and remote subnet details along with the tunnel-group to which you are connecting.

Regards,

Pulkit Saxena

 
