08-29-2018 10:20 AM - edited 03-12-2019 05:29 AM
Dear Community,
Once again I am kindly asking for your guidance.
I am struggling to get a connection from the AnyConnect clients to the remote site-to-site VPN with an ASA in between.
Anyconnect Network 10.10.200.0 ---INTERNET----> ASA with internal network 10.10.110.0 connected ----INTERNET-----> remote l2l site 192.168.1.0
The connection from the AnyConnect clients to the 10.10.110 network works fine.
Also, the tunnel from the 10.10.110.0 network to the 192.168.1.1 network works fine.
The packets from the AnyConnect network get dropped by the firewall before they even reach the ICMP debug output on the ASA if I try to ping the remote L2L site:
802.1Q vlan#100 P0 10.10.200.2 > 192.168.1.90: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
Packet tracer output for the same traffic:
packet-tracer input outside icmp 10.10.200.4 8 0 192.168.1.9$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.90/0 to 192.168.1.90/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internetOut in interface outside
access-list internetOut extended permit icmp any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbe11341bd0, priority=13, domain=permit, deny=false
hits=16, user_data=0x7fbe09f39180, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp
Additional Information:
Static translate 10.10.200.4/0 to 10.10.200.4/0
Forward Flow based lookup yields rule:
in id=0x7fbe109ff450, priority=6, domain=nat, deny=false
hits=7022, user_data=0x7fbe10799630, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.10.200.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbe0f8dbd40, priority=0, domain=nat-per-session, deny=true
hits=248529, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbe10576490, priority=0, domain=inspect-ip-options, deny=true
hits=276998, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbe13da5cf0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=270, user_data=0x0, cs_id=0x7fbe11308520, reverse, flags=0x0, protocol=0
src ip/id=10.10.200.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I have a global rule in place to permit all traffic from the AnyConnect VPN named Net_TrustedVPN.
Even if I put a global permit any any for all traffic, the ICMP packets still get dropped by the firewall.
Further, I added the rules for the site-to-site tunnel on the ASA:
access-list l2l_list extended permit ip object Net_TrustedVPN object Net_DC
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp
I cleared the SA but the ACL entry doesn't show up?

show crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 10.10.100.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.200.2/255.255.255.255/0/0)
      current_peer: XXXXXXXX, username: aaaaa
      dynamic allocated peer ip: 10.10.200.2
      dynamic allocated peer ip(ipv6): 0.0.0.0
      local crypto endpt.: 10.10.100.1/4500, remote crypto endpt.: XXXXXXX/63481

    Crypto map tag: map_crypto_l2l, seq num: 1, local addr: 10.10.100.1

      access-list l2l_list extended permit ip 10.10.110.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.110.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: XXXXXXXX
I would kindly appreciate any comments on this topic.
08-29-2018 10:48 AM
Can you share a sanitized version of all the relevant config (AnyConnect, crypto map, etc.)?
Do you have the Net_DC subnet as part of your AnyConnect split-tunnel network list (if you are using split tunneling)?
Also, change the NAT rule to below:
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp route-lookup
08-29-2018 11:08 AM
Thank you for your quick answer.
No split tunneling.
Changed the NAT statement.
Please let me know if I missed relevant config.
Net_DC = 192.168.1.0/24 (remote L2L)

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network Net_TrustedVPN
 nat (outside,outside) dynamic interface

nat (outside,outside) source static Net_DC Net_DC destination static Net_TrustedVPN Net_TrustedVPN no-proxy-arp route-lookup
nat (outside,TrustedIf) source static Net_TrustedVPN Net_TrustedVPN destination static Net_Trusted Net_Trusted no-proxy-arp
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp route-lookup
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_TrustedVPN Net_TrustedVPN

crypto map map_crypto_l2l 1 match address l2l_list
crypto map map_crypto_l2l 1 set pfs
crypto map map_crypto_l2l 1 set peer NET_DCIP
crypto map map_crypto_l2l 1 set ikev1 transform-set SetDC
crypto map map_crypto_l2l 1 set ikev2 ipsec-proposal secure
crypto map map_crypto_l2l 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map map_crypto_l2l interface outside

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 3600
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

webvpn
 port 555
 enable outside
 dtls port 556
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable

group-policy GroupPolicy_USERIntern internal
group-policy GroupPolicy_USERIntern attributes
 wins-server none
 dns-server value XXXXXX
 vpn-filter none
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-network-list value TestVPNAcl
 default-domain none
 address-pools value trustedVPN
 client-firewall none
 client-access-rule none
 webvpn
  anyconnect profiles value USERIntern_client_profile type user

username USER attributes
 vpn-group-policy GroupPolicy_USERIntern
 service-type remote-access

tunnel-group NET_DCIP type ipsec-l2l
tunnel-group NET_DCIP ipsec-attributes
 ikev1 pre-shared-key *****

tunnel-group USERIntern type remote-access
tunnel-group USERIntern general-attributes
 address-pool trustedVPN
 default-group-policy GroupPolicy_USERIntern
08-29-2018 11:50 AM
Isn't this ACL incorrect?
access-list l2l_list extended permit ip object Net_TrustedVPN object Net_192.168.1.1
"object Net_192.168.1.1" should ideally be "object Net_DC". This only catches traffic to 192.168.1.1.
08-29-2018 11:58 AM
Yes, you are right. In the original config it is Net_DC. I changed it for that post only. Sorry for causing confusion.
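For reference, the pieces that have to line up on the hub ASA for an AnyConnect client in Net_TrustedVPN (10.10.200.0/24) to reach Net_DC (192.168.1.0/24) over the L2L tunnel, collected into one fragment as an added example; it is assembled from the configuration posted in this thread, not taken from the poster's running config. Object, ACL and crypto-map names, the NET_DCIP peer placeholder and the test address 192.168.1.90 come from the thread. The remote-side ACL name and the remote peer being an ASA are assumptions: whatever the far end is, it must mirror the new proxy identity (192.168.1.0/24 to 10.10.200.0/24), otherwise the second SA is never negotiated and `show crypto ipsec sa` keeps listing only the 10.10.110.0/24 pair under map_crypto_l2l. The `decrypted` keyword on packet-tracer (available on ASA 9.x releases that support it) makes the simulated packet count as VPN-decrypted traffic; without it a cleartext packet that matches a crypto ACL on the outside interface is dropped in the ipsec-tunnel-flow phase, which is the Phase 6 result shown earlier in the thread and says nothing about whether real tunnel traffic would pass.

```cisco
! Added example, not the poster's config. Names from the thread; the remote
! side and the NET_DCIP placeholder are assumptions (NET_DCIP = peer IP).

! 1. Hairpin: the flow enters and leaves the same interface (outside).
same-security-traffic permit intra-interface

! 2. Identity NAT so the VPN pool is not PAT'ed by the object NAT
!    "nat (outside,outside) dynamic interface" on Net_TrustedVPN.
!    Manual NAT (section 1) is matched before object NAT (section 2),
!    and route-lookup makes the ASA route rather than trust the NAT egress.
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp route-lookup

! 3. Crypto ACL: one proxy identity per local network that must cross the
!    tunnel. The first line is the one already negotiated (as expanded in
!    "show crypto ipsec sa"); the second is the AnyConnect pool.
access-list l2l_list extended permit ip 10.10.110.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip object Net_TrustedVPN object Net_DC

! 4. Map binding (already present in the posted config, shown for completeness).
crypto map map_crypto_l2l 1 match address l2l_list
crypto map map_crypto_l2l 1 set peer NET_DCIP
crypto map map_crypto_l2l interface outside

! 5. Remote side (assumed ASA syntax, ACL name assumed): mirror both
!    identities. A non-ASA peer needs 10.10.200.0/24 added as a remote
!    network of the same tunnel.
access-list l2l_to_hub extended permit ip 192.168.1.0 255.255.255.0 10.10.110.0 255.255.255.0
access-list l2l_to_hub extended permit ip 192.168.1.0 255.255.255.0 10.10.200.0 255.255.255.0

! 6. Verify from the hub. Tear down the existing SA so the new identity is
!    renegotiated, trace as VPN-decrypted traffic, then confirm both
!    local/remote ident pairs appear under map_crypto_l2l.
clear crypto ipsec sa peer NET_DCIP
packet-tracer input outside icmp 10.10.200.4 8 0 192.168.1.90 decrypted
show crypto ipsec sa peer NET_DCIP
show nat detail | include Net_TrustedVPN
```

If `show crypto ipsec sa peer` still shows only the 10.10.110.0/24 identity after the clear and a fresh ping from a client, the negotiation for the second identity is failing on the far end (check its logs or `debug crypto ikev1|ikev2` on the hub), not the ASA's NAT or access rules.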