Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1458
Views
5
Helpful
11
Replies

Unable to access remote servers using VPN

sagarshaha
Level 1
Level 1

‎02-25-2016 09:42 PM

Hi,I have Cisco ASA 5505 and have configured site-to-site vpn from local office to AWS cloud. Site-to-site works fine and I can access the servers without any issues. I have also implemented Cisco AnyConnect client profiles where my users can connect to Cisco ASA from outside office network or home and they should be able to access servers located in cloud. It was working fine  earlier but somehow it stopped working from last 2 days...I have added AWS cloud networkist into Split tunneling and when i connect Cisco AnyConnect VPN client and see route details...it shows AWS cloud in the list but still when I try to ping and access the server it doesnt works.Also, i checked the logs and it doesnt shows any error for ICMP or for 3389 port.I'm not sure where is the problem...Appreciate any of your help guys...This is bit urgent...Thanks,Sagar

Labels:
0 Helpful
11 Replies 11

Philip D'Ath
VIP Alumni
VIP Alumni

‎02-26-2016 12:01 AM

When connected via AnyConnect, should the users then be going over the site to site VPN, or being NATed to your public IP and then going over over the normal internet?

We are going to need your config.  And what is the prefix being used at Amazon?

0 Helpful

sagarshaha
Level 1
Level 1
In response to Philip D'Ath

‎02-26-2016 01:16 AM

Hi Philip,

They shud go via site to site vpn and use normal internet. I have attached the config here.

What you mean by prefix? you mean the friendly name?

Preview file
19 KB
0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to sagarshaha

‎02-26-2016 04:15 AM

Hi Sagar,

Going through the configuration it does not seem you have added the VPN pool in the crypto ACL.

Could you tell the crypto ACL you are using for the tunnel ?

Regards,

Aditya

0 Helpful

sagarshaha
Level 1
Level 1
In response to Aditya Ganjoo

‎02-26-2016 08:32 AM

adkvpn is the name and cryptomap_2 is used for site to site vpn

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to sagarshaha

‎02-26-2016 10:10 AM

Hi Sagar,

This is the crypto ACL i see in the show run.

access-list outside_cryptomap_2 extended permit ip 192.168.96.0 255.255.224.0 172.30.0.0 255.255.0.0

May i know where is the Anyconnect pool being allowed here ?

Regards,

Aditya 

Please rate helpful posts

0 Helpful

sagarshaha
Level 1
Level 1
In response to Aditya Ganjoo

‎02-27-2016 02:44 AM

Hi Aditya,

AnyConnect pool IP is 192.168.125.0 to 192.168.125.X....so it falls under 192.168.96.0/19 network

Please help

Thanks,

Sagar

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to sagarshaha

‎02-27-2016 04:57 AM

Hi Sagar,

Do we see increments in the encaps/decaps counter when Anyconnect client tries to send traffic for the AWS cloud ?

Also I do not see any NAT on outside interface for this traffic:

nat (outside,outside)  1 source static NETWORK_OBJ_192.168.125.0 NETWORK_OBJ_192.168.125.0  destination static NETWORK_OBJ_172.30.0.0_16 NETWORK_OBJ_172.30.0.0_16 no-proxy-arp route-lookup

Regards,

Aditya

sagarshaha
Level 1
Level 1
In response to Aditya Ganjoo

‎02-28-2016 07:00 PM

We already have below NAT in place.  Do we still outside,outside NAT? This was working fine before dont know what messed up :(

object network NETWORK_OBJ_192.168.125.0
 nat (any,outside) dynamic interface
0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to sagarshaha

‎02-28-2016 07:55 PM

Hi Sagar,

Try using a packet tracer using source as Anyconnect IP pool and then check if it is hitting this NAT.

Also if you try pinging the ASW cloud servers do you see pings making it to the ASA ?

You can use debug icmp trace on ASA see if the pings reach the ASA.

Also check the IPSEC stats.

Regards,

Aditya

0 Helpful

sagarshaha
Level 1
Level 1
In response to Aditya Ganjoo

‎02-29-2016 01:06 AM

Hi Aditya,

Please find attached the screenshot of Packet tracer and the logs from the ASDM.

Yes, its hitting NAT and working fine and also the log is showing its working fine.

I did the debug icmp trace and below is the output for same

Cisco# ICMP echo request from outside:192.168.125.1 to outside:172.30.30.30 ID=1 seq=1978 len=32
ICMP echo request translating outside:192.168.125.1 to outside:124.66.142.74
ICMP echo request from outside:192.168.125.1 to outside:172.30.30.30 ID=1 seq=1979 len=32
ICMP echo request translating outside:192.168.125.1 to outside:124.66.142.74
ICMP echo request from outside:192.168.125.1 to outside:172.30.30.30 ID=1 seq=1980 len=32
ICMP echo request translating outside:192.168.125.1 to outside:124.66.142.74
ICMP echo request from outside:192.168.125.1 to outside:172.30.30.30 ID=1 seq=1981 len=32
ICMP echo request translating outside:192.168.125.1 to outside:124.66.142.74
ICMP echo request from outside:192.168.125.1 to outside:172.30.30.30 ID=1 seq=1982 len=32
ICMP echo request translating outside:192.168.125.1 to outside:124.66.142.74
ICMP echo request from outside:192.168.125.1 to outside:172.30.30.30 ID=1 seq=1983 len=32
ICMP echo request translating outside:192.168.125.1 to outside:124.66.142.74

Preview file
364 KB
Preview file
378 KB
0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to sagarshaha

‎02-29-2016 07:49 AM

Hi Sagar,

The request is reaching the ASA and even getting translated.

So we need to make sure are we seeing the packets on the AWS ?

Can we do that ?

Regards,

Aditya

0 Helpful
Customers Also Viewed These Support Documents