04-02-2020 11:08 PM
Hello,
The Anyconnect VPN works fine when trying to access any of the internal networks. However, when traffic is sourced from an Internal network towards the VPN client, the connectivity is not successful. This solution is required to deploy some packages to the Anyconnect VPN client installed machines and none of the machines are reachable in the VPN pool from the Internal Network.
The output of traceroute from the internal network towards the AC VPN client reaches the Inside interface of the ASA VPN gateway and enters a routing loop between the Inside interface of the ASA and the L3 switch connected to the Inside interface.
ASA Routing table shows entries for the VPN clients as VPN host route(V) pointing Outside interface as exit.
Packet tracer on the Inside interface, with the source as the Internal network and the destination as a VPN pool IP, results in "Allow" with both the Input and Output interfaces as "Inside". That is the reason the packet enters the loop here.
Please let me know if anything is being overlooked here.
-Srijan
04-03-2020 01:29 AM
Hi,
1. Nat exemption
nat (inside,outside) source static inside-network inside-network destination static vpn-network vpn-network
2. What type of routing are you using, dynamic or static? If static, you must define it in your internal network pointing to the VPN network.
04-03-2020 02:00 AM
Thank you for your reply.
1. NAT Exemption statement already exists
2. Static route. It is pointed to the ASA in which the AC is configured. That's the reason it reaches the ASA. However, it exits the ASA via the same Inside interface it entered from the Internal Network.
How to make the ASA understand that this traffic is targeted towards the AC VPN clients is what we need to identify, I believe. The VPN client routes are already populated in the ASA as and when users connect to the Anyconnect VPN. Each IP address from the VPN pool starts to populate in the ASA routing table.
I see them as follows:
V 10.10.10.5 255.255.255.255 connected by VPN (advertised), Outside
Assuming the VPN pool is 10.10.10.1-10.10.10.126 mask 255.255.255.128.
On a side note: In my previous environment, I have seen these routes (Anyconnect VPN clients) populating as Static. What is the difference between these two (V and S), though both point to the AC VPN clients?
-Srijan
04-03-2020 02:37 AM
Please share the config of the ASA with the routing and VPN sections.
04-03-2020 03:34 AM
Hello Pulkit,
You are right, the NAT statement was not correct.
Originally, it was:
nat (inside,any) source static inside_nw inside_nw destination static vpn_pool vpn_pool no-proxy-arp
The inside_nw object was not a broader subnet (which I initially assumed), so the internal network that was initiating the traffic was missing. Also, the route-lookup keyword was missing. Finally, I replaced "any" with "outside" in the NAT command.
The correct NAT statement added now is:
nat (inside,outside) source static inside_nw_new inside_nw_new destination static vpn_pool vpn_pool no-proxy-arp route-lookup
Thank you again Parviz and Pulkit for insisting that I re-validate the NAT statement.
-Srijan
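As an added illustration (not configuration from any of the posts above), here is the corrected identity NAT exemption in context, with the objects, the address pool and the commands used to verify the fix. The object subnets, the pool name, the management host 192.168.1.10 and the destination port are assumed values for the example.

```cisco
! Objects: the internal network that actually sources the traffic, and the
! AnyConnect pool. Subnets are assumed for this example.
object network inside_nw_new
 subnet 192.168.0.0 255.255.0.0
object network vpn_pool
 subnet 10.10.10.0 255.255.255.128
!
! AnyConnect address pool, matching the range assumed in the thread.
ip local pool AC_POOL 10.10.10.1-10.10.10.126 mask 255.255.255.128
!
! Before (the form the thread found to loop): source object too narrow,
! interface pair (inside,any), and no route-lookup. Without route-lookup the
! egress interface for identity NAT comes from the NAT rule, not the routing
! table, which is why packet-tracer showed input and output both as inside.
! nat (inside,any) source static inside_nw inside_nw destination static vpn_pool vpn_pool no-proxy-arp
!
! After: explicit (inside,outside) pair plus route-lookup, so the ASA uses the
! per-client V host routes (pointing to Outside) to choose the egress interface.
nat (inside,outside) source static inside_nw_new inside_nw_new destination static vpn_pool vpn_pool no-proxy-arp route-lookup
!
! Verification: confirm the host route exists for a connected client, then
! simulate a packet from the management host to that client. Expected result
! is Allow with input-interface inside and output-interface outside.
show route | include 10.10.10.5
packet-tracer input inside tcp 192.168.1.10 49152 10.10.10.5 445
show nat detail
```

If packet-tracer still reports Outside as the output interface but the client does not answer, the remaining suspect is the host firewall on the client, as Pulkit noted.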
04-03-2020 05:30 AM
You are welcome.
04-03-2020 02:04 AM
Hi Srijan,
Ideally you do not need any specific configuration for this.
I believe you already have a NAT exemption and the route is populated on its own.
1) Check if there is any firewall on local client not allowing the remote connection.
2) If the above is already fine, you can share your configuration and remote subnet details along with tunnel-group to which you are connecting.
Regards,
Pulkit Saxena