NO CONNECTIVITY TO SOME INTERNAL NETWORKS THROUGH ANYCONNECT REMOTE VPN CONNECTION

isaaco001 (Level 3)

Dear Community,

 

I have an issue with reaching networks connected to my core switch through the remote VPN connection of a remote user (please see topology attached). The VPN configuration is on the DC firewall and NATing for "internet" is done on the perimeter firewall.

 

How come I can reach networks (192.168.1.0/24) connected on the DC firewall but not the core switch (192.168.100.0/24)? Please assist. Thanks.


17 Replies

Hi @isaaco001 

Your diagram is incorrect? You've got Gi0/0 on the perimeter firewall connecting to the core switch, but the interface is shutdown. Gi0/2 says inside but is actually the DMZ.

 

interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
nameif OUTSIDE
security-level 0
ip address 10.0.1.1 255.255.255.248
!
interface GigabitEthernet0/2
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0

 

Rob,

 

Thanks for the response.

 

I named the attachments the wrong way round (vice versa). I have re-uploaded them with the correct names.

 

Regards,

Isaac.

Ok, I can see you've modified the configuration.

You don't have a static route on the perimeter firewall for the 192.168.100.0/24 network via 10.0.1.14.

You'll probably also need a NAT exemption rule to ensure traffic to/from the RAVPN to the 192.168.100.0/24 network is not unintentionally natted.

Rob,

 

There is a 192.168.100.0/24 network on the perimeter advertised via EIGRP, please see the existing route:

 

S* 0.0.0.0 0.0.0.0 [1/0] via 41.139.209.120, outside
C 41.139.209.0 255.255.255.128 is directly connected, outside
L 41.139.209.114 255.255.255.255 is directly connected, outside
S 192.168.1.0 255.255.255.0 [1/0] via 10.0.1.14, P2PTOCORE
D 192.168.100.0 255.255.255.0 [90/3072] via 10.0.1.14, 00:09:10, P2PTOCORE

 

I have added a NAT exemption rule on the perimeter firewall as below, but I still can't reach internal networks.

!
object network LAN
subnet 192.168.100.0 255.255.255.0
!
object network VPNPOOL
subnet 192.168.60.0 255.255.255.0
!
nat (P2PTOCORE,outside) source static LAN LAN destination static VPNPOOL VPNPOOL
!

 

Kindly advise, thanks for the assistance so far.

 

Regards,

Isaac.

 

Right ok, so you terminate RAVPN on the DC Firewall, but internet access is via the Perimeter firewall.

 

It looks like you've pasted the incorrect routing tables in the configuration for the firewalls.

 

PerimeterFirewall file

AMC-DC-FW01(config-tunnel-webvpn)# sh route | b Gat
Gateway of last resort is 10.0.1.6 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 10.0.1.6, OUTSIDE
C 10.0.1.0 255.255.255.248 is directly connected, OUTSIDE
L 10.0.1.1 255.255.255.255 is directly connected, OUTSIDE
C 192.168.1.0 255.255.255.0 is directly connected, INSIDE
L 192.168.1.1 255.255.255.255 is directly connected, INSIDE
S 192.168.60.10 255.255.255.255 [1/0] via 10.0.1.6, OUTSIDE

AMC-DC-FW01(config-tunnel-webvpn)#

 

DCFirewall file

AMC-PTR-FW01(config)# sh route | b Gat
Gateway of last resort is 41.139.209.120 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 41.139.209.120, outside
D 10.0.1.0 255.255.255.248 [90/3072] via 10.0.1.14, 00:24:43, P2PTOCORE
C 10.0.1.8 255.255.255.248 is directly connected, P2PTOCORE
L 10.0.1.9 255.255.255.255 is directly connected, P2PTOCORE
C 10.10.10.0 255.255.255.0 is directly connected, AMC-DMZ-ZONE
L 10.10.10.1 255.255.255.255 is directly connected, AMC-DMZ-ZONE
C 41.139.209.0 255.255.255.128 is directly connected, outside
L 41.139.209.114 255.255.255.255 is directly connected, outside
S 192.168.1.0 255.255.255.0 [1/0] via 10.0.1.14, P2PTOCORE
D 192.168.100.0 255.255.255.0 [90/3072] via 10.0.1.14, 00:24:43, P2PTOCORE

AMC-PTR-FW01(config)#

 

DC Firewall does not have a static route to 192.168.100.0/24 nor an EIGRP adjacency to the Core.

Core switch does not have a static route to 192.168.60.0/24 nor EIGRP to the DC Firewall, so it does not know how to route traffic for 192.168.60.0/24 back to the DC Firewall; it would route the traffic to the Perimeter firewall instead (via the default route).

 

Coreswitch

AMC-CORE-SWTCH-01#
Gateway of last resort is 10.0.1.9 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.0.1.9
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C 10.0.1.0/29 is directly connected, Vlan110
L 10.0.1.6/32 is directly connected, Vlan110
C 10.0.1.8/29 is directly connected, Vlan111
L 10.0.1.14/32 is directly connected, Vlan111
D 10.10.10.0/24 [90/3072] via 10.0.1.9, 00:23:32, Vlan111
41.0.0.0/25 is subnetted, 1 subnets
D 41.139.209.0 [90/3072] via 10.0.1.9, 00:23:32, Vlan111
S 192.168.1.0/24 [1/0] via 10.0.1.1
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, Vlan1
L 192.168.100.1/32 is directly connected, Vlan1
AMC-CORE-SWTCH-01#

Rob,

Apologies for the mix-up in the routing tables. I have re-uploaded the proper versions.

 

To clarify, I am only using EIGRP between the perimeter firewall and the core switch.

There is a default route from the DC firewall to the core switch: S* 0.0.0.0 0.0.0.0 [1/0] via 10.0.1.6, OUTSIDE

 

Also, what I find confusing is that a route is automatically generated when the remote VPN is established and added to the routing table of the DC firewall, as shown:

S* 0.0.0.0 0.0.0.0 [1/0] via 10.0.1.6, OUTSIDE
C 10.0.1.0 255.255.255.248 is directly connected, OUTSIDE
L 10.0.1.1 255.255.255.255 is directly connected, OUTSIDE
C 192.168.1.0 255.255.255.0 is directly connected, INSIDE
L 192.168.1.1 255.255.255.255 is directly connected, INSIDE
S 192.168.60.10 255.255.255.255 [1/0] via 10.0.1.6, OUTSIDE

 

So if we have routes being created and pointing to the core switch, then why would I create a route for 192.168.60.0/24 pointing to the DC firewall? It's kind of not clear...

 

I really appreciate your assistance, thanks, looking forward to your response.

 

Regards,

Isaac.

 

The routing table above is from the DC firewall, not the core switch; it (the DC firewall) has a route to 192.168.60.10/32 because that host is local to the firewall - I assume you had a VPN client connected with an active tunnel and assigned that IP address.

 

If you want a VPN client on 192.168.60.0/24 network to ping 192.168.100.0/24 then the DC firewall needs a route to 192.168.100.0/24 via the core switch. And the core switch needs a route to 192.168.60.0/24 via the DC firewall - without that route the core switch would not know to route that return traffic to the DC firewall and would instead route it via the perimeter firewall.

MHM,

 

I have tried to configure the route on the DC firewall but I get the following error.

 

AMC-DC-FW01(config)# route outside 0.0.0.0 0.0.0.0 10.0.1.6 tunneled
ERROR: Tunnel default gateway specified exists in route table.
ERROR: Cannot add route entry, conflict with existing routes

 

Thanks for your assistance, looking forward to your reply.

 

Regards,

Isaac.

Config the GW as the IP of the link connecting the FW to the core,

and for return traffic, as others mention, config the subnet of the pool back to the FW or, as the example suggests, config NAT.

@isaaco001 

That's because the interface name would be the INSIDE interface not the outside. This command is used to specify a different default route for VPN clients. So instead of defining a static for 192.168.100.0/24 you can define a different default route for the VPN clients.  However, you still need the next hop (the core switch) to know how to return the traffic, which it currently doesn't because it doesn't know to route 192.168.60.0/24 via the DC firewall.

Rob,

This is kind of confusing. Please elaborate more. From the previous post, what you are trying to say is that I need a route to the DC firewall, i.e. 192.168.60.0/24 next hop DC firewall, AND on the DC firewall I need a route to the internal network 192.168.100.0/24 next hop core switch?

 

Looking forward to your reply, thanks!

 

Regards,

Isaac.

@isaaco001 

Your topology is confusing, but RAVPN traffic routed through the Perimeter firewall > core switch > DC firewall? I assumed Rv-4 was another ISP connection, the RAVPN was routed inbound via that router and the diagram was just incorrect.

 

RAVPN would need hairpinning - add the command same-security-traffic permit intra-interface to the DC firewall.

 

The core switch still does not know how to return the 192.168.60.0/24 traffic; it would only route that traffic via the perimeter firewall 10.0.1.9 (its default route).

 

Core switch routing, add the third route below:

ip route 0.0.0.0 0.0.0.0 10.0.1.9
ip route 192.168.1.0 255.255.255.0 10.0.1.1
ip route 192.168.60.0 255.255.255.0 10.0.1.1

 

You'd not normally route untrusted traffic through your core switch to terminate on another firewall inside the network. You'd be better off running RAVPN on the perimeter firewall and using the DC firewall just to firewall traffic.

 
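The asymmetric-return problem Rob describes (the core switch sending replies for the 192.168.60.0/24 pool to its default route instead of back to the DC firewall) is easy to reproduce offline with a longest-prefix-match lookup. The following is an added example written for this thread, not code from the original post or from Cisco: it loads routing tables constructed from the sh route output pasted above (hypothetical lab data, labelled as such), traces a VPN client's packet to 192.168.100.0/24 and the reply back, and flags the flow as asymmetric until the static route for 192.168.60.0/24 via 10.0.1.1 is added on the core switch. The device names, the NEXT_HOP_OWNER mapping and the "tunnel:OUTSIDE" marker for the ASA's per-client host route are assumptions of the example; the same-security-traffic permit intra-interface hairpin policy and NAT are not modelled.

```python
import ipaddress

# Routing tables constructed from the "sh route" output posted in this thread
# (hypothetical lab data, not pulled from a live device). Next hops are either
# an IP address, "connected <iface>" or "tunnel:<iface>" for the host route the
# ASA installs for a connected AnyConnect client.
ROUTES = {
    "core": [
        ("0.0.0.0/0", "10.0.1.9"),               # default via perimeter firewall
        ("10.0.1.0/29", "connected Vlan110"),
        ("10.0.1.8/29", "connected Vlan111"),
        ("10.10.10.0/24", "10.0.1.9"),
        ("41.139.209.0/25", "10.0.1.9"),
        ("192.168.1.0/24", "10.0.1.1"),          # static via DC firewall
        ("192.168.100.0/24", "connected Vlan1"),
    ],
    "dc_fw": [
        ("0.0.0.0/0", "10.0.1.6"),               # default via core switch
        ("10.0.1.0/29", "connected OUTSIDE"),
        ("192.168.1.0/24", "connected INSIDE"),
        ("192.168.60.10/32", "tunnel:OUTSIDE"),  # VPN client host route
    ],
    "perimeter": [
        ("0.0.0.0/0", "41.139.209.120"),         # default to the ISP
        ("10.0.1.0/29", "10.0.1.14"),
        ("10.0.1.8/29", "connected P2PTOCORE"),
        ("10.10.10.0/24", "connected AMC-DMZ-ZONE"),
        ("41.139.209.0/25", "connected outside"),
        ("192.168.1.0/24", "10.0.1.14"),
        ("192.168.100.0/24", "10.0.1.14"),
    ],
}

# Which device owns each next-hop address (assumed from the interface addresses in the thread).
NEXT_HOP_OWNER = {
    "10.0.1.9": "perimeter",
    "10.0.1.14": "core",
    "10.0.1.6": "core",
    "10.0.1.1": "dc_fw",
    "41.139.209.120": "isp",
}


def lookup(table, dst):
    """Longest-prefix match: return (network, next_hop) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(routes, start, dst, max_hops=8):
    """Follow the packet device by device until it is delivered, dropped or leaves the lab."""
    hops = [start]
    device = start
    for _ in range(max_hops):
        match = lookup(routes[device], dst)
        if match is None:
            hops.append("drop (no route)")
            break
        next_hop = match[1]
        if next_hop.startswith("connected") or next_hop.startswith("tunnel"):
            hops.append(f"delivered via {next_hop}")
            break
        device = NEXT_HOP_OWNER.get(next_hop, f"unknown next hop {next_hop}")
        hops.append(device)
        if device not in routes:  # e.g. the ISP: we have no table to follow further
            break
    return hops


def check_flow(routes, client_ip, server_ip, vpn_device="dc_fw"):
    """Trace client->server from the VPN headend, then the reply from the delivering device.
    The flow is symmetric when the reply crosses the same devices in reverse order."""
    forward = trace(routes, vpn_device, server_ip)
    fwd_devices = [h for h in forward if h in routes]
    reverse = trace(routes, fwd_devices[-1], client_ip)
    rev_devices = [h for h in reverse if h in routes]
    return {"forward": forward, "reverse": reverse, "symmetric": fwd_devices == rev_devices[::-1]}


def with_static_route(routes, device, prefix, next_hop):
    """Return a copy of the tables with one extra static route on `device`."""
    new = {dev: list(table) for dev, table in routes.items()}
    new[device].append((prefix, next_hop))
    return new


if __name__ == "__main__":
    before = check_flow(ROUTES, "192.168.60.10", "192.168.100.5")
    print("before:", before)
    fixed = with_static_route(ROUTES, "core", "192.168.60.0/24", "10.0.1.1")
    after = check_flow(fixed, "192.168.60.10", "192.168.100.5")
    print("after: ", after)
```

Run as-is, the "before" reply path reads core, perimeter, isp: the core switch hands the private 192.168.60.0/24 reply to the perimeter firewall, which has no route for the pool either and forwards it to its ISP default route. With the static route added on the core switch the reply goes core, dc_fw and into the tunnel, and the flow is reported symmetric. The same check is useful after any change to the VPN pool or static routes, since a reply path that ends at the ISP means internal traffic is leaving the network.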

Rob,

 

I can finally reach the 192.168.100.0/24 network via VPN after adding the recommended commands and routing.

 

I however can't reach 192.168.1.0/24, which is directly attached to the DC firewall. I have attached the updated topology. Rv4 is a router representing internal server networks. The only internet connection is through the perimeter firewall. The naming of the zones at the DC firewall is confusing (inside/outside), but they are all internal zones, just with different security levels.

 

I have attached the full updated DC configs and updated topology for your review!

 

Looking forward to your reply.

 

Regards,

Isaac.