Port forwarding Anyconnect VPN traffic?

Hi all,

I hope someone will be able to assist with the Anyconnect VPN issue that I am having at the moment.

I have 2 Cisco routers onsite. One is a Cisco C867 and the other one is a Cisco 887 (old router used for internet and Anyconnect VPN).

The internet-facing router is the Cisco C867 and we just use the Cisco 887 for Anyconnect VPN. Reason being, the Cisco C867 doesn't support Anyconnect VPN.

I want to port forward Anyconnect VPN traffic to the Cisco 887 router. Is this possible?

The config of the Cisco 887 router is given below:


version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
aaa new-model
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group radius
aaa authentication login ciscocp_vpn_xauth_ml_2 group radius
aaa authentication login ciscocp_vpn_xauth_ml_3 group radius
aaa authorization exec default local
!
aaa session-id common
!
crypto pki trustpoint my-selfsigned-cert
 enrollment selfsigned
 revocation-check crl
 rsakeypair self-signed
!
crypto pki trustpoint godaddy.trustpoint
 enrollment terminal
 fqdn vpn.xx
 subject-name CN=xx
 revocation-check crl
 rsakeypair FMAVPN
!
crypto pki trustpoint godaddy.trustpoint2017-2018
 enrollment terminal
 fqdn vpn.xx
 subject-name cN=xx
 revocation-check crl
 rsakeypair GDKey2017-2018
!
ip domain name xx
ip name-server xx
ip name-server xx
ip cef
no ipv6 cef
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
!
multilink bundle-name authenticated
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
license feature MEM-8XX-512U1GB
license udi pid C887VAM-K9 sn FGL193320G3
license accept end user agreement
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network local_cws_net
!
object-group network local_lan_subnets
 any
!
object-group network vpn_remote_subnets
 any
!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
!
controller VDSL 0
 operating mode vdsl2
!
no ip ftp passive
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
!
interface Loopback0
 ip address 172.20.23.254 255.255.255.0
 ip virtual-reassembly in
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Virtual-Template1
 no ip address
!
interface Virtual-Template2
 ip unnumbered Loopback0
!
interface Vlan1
 description ***INTERNAL_INTERFACE***
 ip address 192.168.30.251 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 description *Exetel NBN*
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname
 ppp chap password
 ppp chap refuse
 ppp pap sent-username
!
router rip
 version 2
 network 192.168.30.0
 no auto-summary
!
ip local pool WebVPN_Pool 172.20.23.1 172.20.23.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp 192.168.30.252 9000 interface Ethernet0 9000
ip nat inside source static tcp 192.168.30.252 85 interface Ethernet0 85
ip nat inside source static tcp 192.168.30.200 80 interface Ethernet0 80
ip nat inside source list 100 interface Ethernet0 overload
ip route 0.0.0.0 0.0.0.0 Ethernet0
!
dialer-list 1 protocol ip permit
!
route-map IINET_NAT permit 10
 match ip address 100
 set interface Dialer0
!
access-list 100 deny ip 172.20.23.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
radius-server host 192.168.30.200 key
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
 ip address 192.168.30.251 port 443
 http-redirect port 80
 ssl trustpoint godaddy.trustpoint2017-2018
 inservice
!
no webvpn cef
!
webvpn context WebVPN
 title "VPN Service"
 secondary-color white
 title-color #669999
 text-color black
 login-message "Welcome to company VPN
 virtual-template 2
 aaa authentication list ciscocp_vpn_xauth_ml_3
 gateway gateway_1
 !
 ssl authenticate verify all
 inservice
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "WebVPN_Pool" netmask 255.255.255.255
   svc keep-client-installed
   svc split include 192.168.30.0 255.255.255.0
   svc dns-server primary 192.168.30.200
   svc dns-server secondary 203.0.178.191
 default-group-policy policy_1
!
end

Any help would be greatly appreciated.

Ta,

Vig.

Kind Regards, Vignesh.

Francesco Molino
VIP Alumni

Hi

First of all, there's something I missed.

You want to forward Anyconnect ports from the 867 to the 887?

The config you shared is for the 887 and it has an internet link over PPPoE.

If so, why would you do port forwarding?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

I have a similar problem, only my VPN server is an ASA and the link between my router and the ASA is Ethernet.

I have the following statement in my router:

ip nat inside source static udp 192.168.254.126 500 <public IP> 500 route-map REMOTE-ACCESS extendable

The route map has an ACL with the list of source addresses that hit this router on its public address on port 500 but that I do not want to forward because they are IPSec to other sites.

I have done tests and can see the requests getting to the ASA but the VPN client cannot connect. It just keeps saying CONNECTING THE SECURITY GATEWAY AT <PUBLIC ADDRESS above>

The log in the ASA says: IGNORING IKE SA (src) without VM bit set

Any ideas will be much appreciated.

Hi,

You'll need to port forward UDP 4500 as well if natting.

HTH

The VPN client now connects but I had to do two things:

I had to change the public IP address in the NAT statement to another one in the pool of public IP addresses given to us by our ISP.

So, if int G0/0 has IP address A.B.C.179/28, the IP in the NAT statement changed to A.B.C.178, and so now it looks like this:

ip nat inside source static udp 192.168.254.126 500 A.B.C.178 500 route-map REMOTE-ACCESS extendable

Note: The route map helps me to exclude the public IP addresses for the L2L IPSecs but I may not need it now since these IPSecs get formed using A.B.C.179 and the VPN server can be found at A.B.C.178

The other thing I did was to untick the Enable Transparent Tunneling box in the Transport tab of the VPN client properties window. Now it just says IPSec, instead of IPSEC/UDP. I am not sure if this is the correct way but it makes a connection with the VPN server and I get an IP address from the pool.

Now the problem is, I cannot browse the internal LAN. The LAN that is behind the firewall.

You say I have to also forward port 4500, so will I have two statements as per below?

ip nat inside source static udp 192.168.254.126 500 A.B.C.178 500 route-map REMOTE-ACCESS extendable
ip nat inside source static udp 192.168.254.126 4500 A.B.C.178 4500 route-map REMOTE-ACCESS extendable

Please see my configs and a diagram.

Thank you for your time.

RJI,

Thank you very much for your help.

Your suggestion fixed my problem.

So, my router facing the ISP must have the following two statements in order to forward the IKEv1 connection requests to the VPN server, which is behind the router, and, once the client is authenticated and connected, to let it browse the internal network, which has to be included in the split-tunnel ACL.

ip nat inside source static udp 192.168.254.126 500 A.B.C.178 500 extendable
ip nat inside source static udp 192.168.254.126 4500 A.B.C.178 4500 extendable

I just don't know how to say you resolved it.
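As an added example (not code from the original thread), a small Python checker that parses the `ip nat inside source static` lines shown in this thread and reports which ports a VPN terminator still needs forwarded to it, plus any forward that already claims a required outside port for another host. It serves both the original question (AnyConnect uses TCP 443 for the TLS tunnel and UDP 443 for DTLS, and the 887's gateway above is bound to 192.168.30.251) and RJI's UDP 500/4500 answer; the sample lines are constructed from the thread plus one made-up TCP 443 forward.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample for this example: the 887's static NAT lines from the config posted
# above, the two IKE forwards from the later post, and one made-up TCP 443 forward to
# another host to show a conflict. Not a full running-config.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.30.252 9000 interface Ethernet0 9000
ip nat inside source static tcp 192.168.30.252 85 interface Ethernet0 85
ip nat inside source static tcp 192.168.30.200 80 interface Ethernet0 80
ip nat inside source static tcp 192.168.30.252 443 interface Ethernet0 443
ip nat inside source list 100 interface Ethernet0 overload
ip nat inside source static udp 192.168.254.126 500 A.B.C.178 500 extendable
ip nat inside source static udp 192.168.254.126 4500 A.B.C.178 4500 extendable
"""

# Ports a VPN terminator behind NAT needs forwarded to it.
# AnyConnect SSL VPN: TCP 443 (TLS tunnel) and UDP 443 (DTLS).
# IPsec IKEv1 remote access: UDP 500 (IKE) and UDP 4500 (NAT-T), as found in the thread.
REQUIRED_PORTS: Dict[str, Set[Tuple[str, int]]] = {
    "anyconnect-ssl": {("tcp", 443), ("udp", 443)},
    "ipsec-ikev1-nat-t": {("udp", 500), ("udp", 4500)},
}

STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface )?(\S+) (\d+)"
)
# (proto, inside ip, inside port, outside address or interface, outside port)
NatEntry = Tuple[str, str, int, str, int]

def parse_static_nat(config: str) -> List[NatEntry]:
    """Extract static port forwards; dynamic 'source list ... overload' lines are skipped."""
    entries: List[NatEntry] = []
    for line in config.splitlines():
        m = STATIC_NAT_RE.match(line.strip())
        if m:
            proto, in_ip, in_port, outside, out_port = m.groups()
            entries.append((proto, in_ip, int(in_port), outside, int(out_port)))
    return entries

def missing_ports(config: str, vpn_host: str, service: str) -> Set[Tuple[str, int]]:
    """Required (proto, port) pairs that no static forward delivers to vpn_host."""
    reaching = {(e[0], e[2]) for e in parse_static_nat(config) if e[1] == vpn_host}
    return REQUIRED_PORTS[service] - reaching

def conflicting_forwards(config: str, vpn_host: str, service: str) -> List[NatEntry]:
    """Forwards that already claim a required outside port for a different inside host."""
    wanted = REQUIRED_PORTS[service]
    return [e for e in parse_static_nat(config) if e[1] != vpn_host and (e[0], e[4]) in wanted]
```

Forwarding the listed ports is only half of the picture: with Transparent Tunneling disabled the client sends raw ESP (IP protocol 50), which a per-port forward cannot carry, so an IKE exchange that completes but gives no LAN access is the expected symptom. NAT-T on UDP 4500 encapsulates ESP in UDP, which is why the 4500 forward resolved it.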

 

 

Is your router behind a NAT?
Can you share your configs please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Sorry for the late reply but I went away on annual leave.

Ok, the situation has changed slightly.

The VPN client now connects but I had to do two things:

I had to change the public IP address in the NAT statement to another one in the pool of public IP addresses given to us by our ISP.

So, if int G0/0 has IP address A.B.C.179/28, the IP in the NAT statement changed to A.B.C.178, and so now it looks like this:

ip nat inside source static udp 192.168.254.126 500 A.B.C.178 500 route-map REMOTE-ACCESS extendable

Note: The route map helps me to exclude the public IP addresses for the L2L IPSecs but I may not need it now since these IPSecs get formed using A.B.C.179 and the VPN server can be found at A.B.C.178

The other thing I did was to untick the Enable Transparent Tunneling box in the Transport tab of the VPN client properties window. Now it just says IPSec, instead of IPSEC/UDP. I am not sure if this is the correct way but it makes a connection with the VPN server and I get an IP address from the pool.

Now the problem is, I cannot browse the internal LAN. The LAN that is behind the firewall.

I will really appreciate any suggestions.

Please see my configs and a diagram.

Thank you very much for your time.

If I get it right, you now have an L2L VPN between the remote router and your firewall, am I right?
And you want to authorise this L2L remote subnet to access your LAN, still right?
If yes, you need to have the NAT exemption statement with the right nameif, because g0/0 leads you to multiple zones. Also you need to validate that the crypto ACL you're using has these subnets in it, in case of split tunnelling.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thank you for your response.

The situation has progressed a bit since I opened this discussion.

I can now port forward the VPN clients' connection requests to the ASA, which is the VPN server.

The problem I have now is that when users access the VPN server they cannot browse the internal network, specifically the 10.0.0.0/24 which is set up for VLAN 10. The VPN clients get allocated an IP address from the correct pool (192.168.250.0/27). Please see attached packet traces.

The SplitTunnel standard ACL has the 10.0.0.0/8 and I can see it configured on the client's list of secured routes.

Note: All L2L IPSec to remote offices terminate at the router shown on the diagram, and they are not impacted by this issue. They were initially, which is why I opened this discussion, but with the new ip nat inside command using an alternative public address of A.B.C.178 this problem was resolved. Now I face the problem where I cannot browse my internal LAN.

I hope this is clear, otherwise please let me know.

Thank you for your time.

The one failing is the interface on the ASA.
For that you should use
Management-access SRVR

For the IP of your .15 machine it looks OK. Does ICMP against that machine from the VPN work?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Francesco,

Thank you for your help but my problem has now been resolved. See my previous post.