
Routing between an SSL VPN Subnet and the LAN subnet

InquiringTech
Level 1

Hi,

We set up AnyConnect and created a subnet for those who connect in from outside the network. This subnet and its DHCP pool are different from the main LAN subnet for the local network that we want people to be able to access. I thought I set up static routes on the ASA between the subnets but I'm not sure I did it right, since I can't ping between them. I also did so on the connected L3 switch stack where the LAN subnets are.

For example, 10.10.38.0/24 is the VPN subnet pool and 10.10.36.0/24 is the main data pool for the local office network that contains the computers remote users would need to connect to (via RDP or some other method like SSH). How do I get these talking to each other? Is it a configuration on the ASA itself? The .36.0 subnet is on the switch and I used the appropriate next hop interface of 1.1.1.3 to get there from the Firepower.

Where does the SSL VPN subnet actually reside, since unlike other networks it isn't linked to a physical connection between ports? I feel like that's what's throwing me off a bit here when setting the static routes with next hops and such. 


9 Replies

@InquiringTech You probably need a NAT exemption rule, to ensure traffic between the RAVPN network and the LAN network is not unintentionally translated. The example below would ensure traffic between the INSIDE and RAVPN networks is not subject to NAT.

object network INSIDE-NET
subnet 10.10.36.0 255.255.255.0
object network RAVPN-NET
subnet 10.10.38.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static INSIDE-NET INSIDE-NET destination static RAVPN-NET RAVPN-NET

The RAVPN network resides on the OUTSIDE interface of the ASA.

The switch needs a default route via the ASA's INSIDE interface (or Firepower; you mentioned both, which are you using?), which would route to the RAVPN network.

The ASA needs routes for all the internal networks on the core switch via its INSIDE interface and, obviously, a default route via the internet router.


Thanks I'll try that out.

Well, the ASA is on the Firepower 1140. To be honest, I'm more familiar with configuration on regular Cisco routers and switches than with specific firewall commands, and this includes NATing as well.

We have:

object network obj_any
subnet 0.0.0.0 0.0.0.0

object network 10.0.0.0_8
subnet 10.0.0.0 255.0.0.0

object network SSL-VPN
subnet 10.10.38.0 255.255.255.0

access-list inside_access_in extended permit ip object 10.0.0.0_8 any
access-list Only_Internet_access_in extended permit ip object 10.0.0.0_8 any

nat (any,outside) source static any any destination static SSL-VPN SSL-VPN

!
object network obj_any
nat (any,outside) dynamic interface dns

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Only_Internet_access_in in interface Only_Internet
route outside 0.0.0.0 0.0.0.0 (xxx.xxx.xxx.xxx) 1
route inside 10.0.0.0 255.0.0.0 1.1.1.2 1
route inside 10.10.35.0 255.255.255.0 1.1.1.3 1
route inside 10.10.36.0 255.255.255.0 1.1.1.3 1
route inside 10.10.38.0 255.255.255.0 1.1.1.3 1

route inside 10.10.38.0 255.255.255.0 1.1.1.3 1 <<- this is not needed; the AnyConnect pool appears as directly connected to the ASA

You're right, that is a superfluous route, and it's been removed.

@InquiringTech is it working now after removing that route? If it is still not working run packet-tracer from the CLI to simulate the traffic flow from a RAVPN user to the inside network and provide the output.

Are your other routes correct? You've got different next hop IP addresses; surely the next hop is the core switch?

route inside 10.0.0.0 255.0.0.0 1.1.1.2 1
route inside 10.10.35.0 255.255.255.0 1.1.1.3 1
route inside 10.10.36.0 255.255.255.0 1.1.1.3 1
route inside 10.10.38.0 255.255.255.0 1.1.1.3 1


I figured it out. It didn't even have to do with the Cisco config on the ASA; apparently the local Windows firewalls on the computers I was trying to ping had ICMP disabled, even though that normally isn't set for our computers, so I took it for granted. Sorry for all that... *grins sheepishly*.

Unfortunately, setting up the local AnyConnect node doesn't seem to have improved the speed of the connection much at all. It seems to take just as long to do things as when it is routed through the other end of the country at our HQ, via a DMVPN connection and an AnyConnect node over there. And I'm testing from literally the same building, just a different network, in this case the public WiFi, and it's still as slow as if I were somewhere much further away. What's the best way to see the full path it takes for each hop when using the SSL RAVPN from a given remote location? Tracert only shows the part after it's been NATed on the ASA, I believe.

@InquiringTech if you are connected to the RAVPN then your traffic originates from the ASA, as your traffic is tunneled from the laptop to the ASA. So you'd only see the hops after the ASA.

If you have performance issues, just check you are using the best configuration regarding the RAVPN. Use DTLS 1.2 or IKEv2/IPSec and AnyConnect 4.7+ (which introduced DTLS 1.2 support), ideally use the latest version.

I followed your advice and it does seem somewhat faster now, thanks.

Case 1
AnyConnect - ASA - L3SW - Local LAN
Here you need to add a static route on the ASA for the Local LAN pointing toward the L3SW,
and you also need to add a static route on the L3SW for the AnyConnect pool pointing toward the ASA interface.

or

Case 2
AnyConnect - ASA - L2SW - Local LAN
No static route is needed, since the Local LAN and AnyConnect have the same GW, which is the ASA.
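To tie the thread together, here is an added, self-contained configuration example for Case 1 (AnyConnect - ASA - L3 switch - Local LAN) covering both the NAT exemption rule suggested earlier and the static routes just described. It is not taken from any poster in this thread. It reuses the subnets from the original question (10.10.38.0/24 VPN pool, 10.10.36.0/24 LAN, next hop 1.1.1.3 on the L3 switch) and assumes the rest: the ASA inside interface Ethernet1/2 at 1.1.1.1/29, the pool name RAVPN-POOL, the object and ACL names, the group-policy name RAVPN-GP, and a placeholder ISP next hop 203.0.113.1. The existing AnyConnect tunnel-group and group-policy are assumed to already reference the pool.

```cisco
! ===== ASA / Firepower 1100 running ASA software (assumed values marked) =====
! Inside interface facing the core L3 switch (interface name and IP assumed)
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 1.1.1.1 255.255.255.248
!
! AnyConnect address pool (pool name assumed); the thread's VPN subnet
ip local pool RAVPN-POOL 10.10.38.10-10.10.38.250 mask 255.255.255.0
!
object network INSIDE-NET
 subnet 10.10.36.0 255.255.255.0
object network RAVPN-NET
 subnet 10.10.38.0 255.255.255.0
!
! NAT exemption (identity twice NAT). It sits in Section 1 (manual NAT), so it
! is evaluated before the object NAT below and stops LAN<->VPN traffic from
! being PATed to the outside address. route-lookup makes the ASA use the
! routing table, not the NAT rule, to pick the egress interface.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static RAVPN-NET RAVPN-NET no-proxy-arp route-lookup
!
! Section 2 (object NAT): dynamic PAT for everything else going to the internet
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
! Routes: LAN subnets via the core switch, default via the internet router.
! No static route for 10.10.38.0/24: each connected AnyConnect client is
! installed as a host route toward the tunnel (outside) interface.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.10.35.0 255.255.255.0 1.1.1.3 1
route inside 10.10.36.0 255.255.255.0 1.1.1.3 1
!
! Optional least-privilege step (not discussed in the thread): a vpn-filter so
! VPN users reach only RDP, SSH and ping on the LAN. In a vpn-filter ACL the
! source is the VPN client network and the destination is the internal network.
access-list RAVPN-FILTER extended permit tcp 10.10.38.0 255.255.255.0 10.10.36.0 255.255.255.0 eq 3389
access-list RAVPN-FILTER extended permit tcp 10.10.38.0 255.255.255.0 10.10.36.0 255.255.255.0 eq 22
access-list RAVPN-FILTER extended permit icmp 10.10.38.0 255.255.255.0 10.10.36.0 255.255.255.0
group-policy RAVPN-GP attributes
 vpn-filter value RAVPN-FILTER
!
! ===== Core L3 switch (IOS) =====
! Return route for the VPN pool toward the ASA inside address (1.1.1.1 assumed).
! The default route alone would also cover it; both shown for clarity.
ip route 10.10.38.0 255.255.255.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
! ===== Verification on the ASA =====
! Simulate an RDP session from a VPN client to a LAN host. The output should
! show the identity NAT rule (not the PAT rule) and the route via 1.1.1.3.
packet-tracer input outside tcp 10.10.38.10 50000 10.10.36.20 3389 detailed
show nat detail
show route
```

If packet-tracer reports the dynamic PAT rule instead of the identity rule, the exemption is either missing or ordered after another manual NAT rule that matches first; `show nat detail` lists the rules in evaluation order with hit counts, which is the quickest way to see which one is winning.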