Need help routing anyconnect client traffic from ASA (9.6) through l2l VPN using PAT address

IFS
Level 1

Hello, and thank you for any assistance.

We currently have a l2l VPN established from our ASA to a phone service provider where all traffic from our PAT address that is destined to the service provider's public addresses is tunneled.  The phone service provider has whitelisted our PAT address for our account, so all other IPs will not be allowed to access our account, to prevent unencrypted phone calls.

We also have Anyconnect set up for remote users to access our internal network.  We would like the Anyconnect clients to tunnel not only traffic to our internal network, but also the phone call traffic intended to reach the public IP addresses of the phone service provider.

To do this, I added the public addresses of the phone service provider (same as the l2l VPN interesting traffic) to the SPLIT ACL used for Anyconnect, but the phone service provider is not currently reachable when our users are connected to Anyconnect.

I believe this may be a NAT problem, as the local pool used for the Anyconnect clients is not configured to use the PAT address for internet access.

I would appreciate any guidance on creating the correct NAT rule if that's what is needed, or any other configuration changes that I may have missed.  Thank you.

4 Replies

GioGonza
Level 4

Hello @IFS

The NAT should be (outside,outside), but you need to apply the correct configuration. One question: is the public IP address the address of an interface of the ASA, or is it something else?

Let me know so I can share with you the right NAT to accomplish this.

Gio

Hi Gio,


The PAT address associated with the l2l vpn is NOT an interface address of the ASA.  It is strictly used to PAT our internal hosts.

Hello @IFS,

This will be the example for the NAT statement; replace the object names with the ones you already have:

Step 1 Add a network object for the ACPool network:

hostname(config)# object network ACPool
hostname(config-network-object)# subnet x.x.x.x y.y.y.y

Step 2 Add a network object for the Remote End:

hostname(config)# object network RemoteEnd
hostname(config-network-object)# host <IP address>

Step 3 Add a network object for the PAT address:

hostname(config)# object network PATaddress1
hostname(config-network-object)# host 209.165.202.129

Step 4 Configure the first twice NAT rule:

hostname(config)# nat (outside,outside) source dynamic ACPool PATaddress1 destination static RemoteEnd RemoteEnd

Also keep in mind that you need to enable "same-security-traffic permit intra-interface"; verify with "show run same-security-traffic".

HTH

Gio

Thank you Gio.
The NAT configuration is exactly what I needed. I had the "same-security-traffic permit intra-interface" enabled already, but I was uncertain about the correct configuration for the NAT rules on the Anyconnect local pool addresses.

In case it's not clear to others, the object you listed as "RemoteEnd" is the interesting traffic for the l2l VPN, not the l2l peer address.
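Pulling Gio's four steps and the clarification about RemoteEnd together into one ASA configuration fragment, added here as an illustration rather than posted by anyone in the thread. The pool 192.0.2.0/24, the provider subnet 198.51.100.0/24, the sample SIP flow, and the names L2L_VPN, OUTSIDE_MAP, SPLIT_ACL and ANYCONNECT_GP are placeholders; 209.165.202.129 is the PAT address from Gio's example.

```cisco
! Placeholder addresses (not from the thread): AnyConnect pool 192.0.2.0/24,
! provider public range (RemoteEnd) 198.51.100.0/24.
object network ACPool
 subnet 192.0.2.0 255.255.255.0
object network RemoteEnd
 subnet 198.51.100.0 255.255.255.0
object network PATaddress1
 host 209.165.202.129

! Client traffic enters and leaves the same (outside) interface, so
! hairpinning must be allowed; "show run same-security-traffic" confirms it.
same-security-traffic permit intra-interface

! Manual (section 1) twice NAT: only pool -> provider traffic is translated
! to the whitelisted PAT address; nothing else the pool sends is touched.
nat (outside,outside) source dynamic ACPool PATaddress1 destination static RemoteEnd RemoteEnd

! The L2L crypto ACL is evaluated after NAT, so the translated source is what
! must match here; this is the ACL that already carries the inside PAT traffic.
access-list L2L_VPN extended permit ip object PATaddress1 object RemoteEnd
crypto map OUTSIDE_MAP 10 match address L2L_VPN

! The provider range must be in the split-tunnel list, or the client never
! sends it through the AnyConnect tunnel in the first place.
access-list SPLIT_ACL standard permit 198.51.100.0 255.255.255.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL

! Verification from a pool address toward the provider (SIP over UDP 5060 as a
! sample flow): the NAT phase should show the (outside,outside) rule, and the
! VPN phases should show the flow being encrypted into the L2L tunnel.
! show nat detail
! packet-tracer input outside udp 192.0.2.10 5060 198.51.100.20 5060 detailed
```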