Unable to access remote servers using VPN

sagarshaha
Level 1

Hi,

I have a Cisco ASA 5505 and have configured a site-to-site VPN from the local office to the AWS cloud. Site-to-site works fine and I can access the servers without any issues. I have also implemented Cisco AnyConnect client profiles so my users can connect to the Cisco ASA from outside the office network or from home, and they should be able to access the servers located in the cloud. It was working fine earlier, but somehow it stopped working in the last 2 days.

I have added the AWS cloud network into the split tunneling list, and when I connect the Cisco AnyConnect VPN client and look at the route details, it shows the AWS cloud in the list, but when I try to ping and access the server it still doesn't work. Also, I checked the logs and they don't show any error for ICMP or for port 3389.

I'm not sure where the problem is. Appreciate any of your help, guys. This is a bit urgent.

Thanks,
Sagar

11 Replies

Philip D'Ath
VIP Alumni

When connected via AnyConnect, should the users then be going over the site-to-site VPN, or being NATed to your public IP and then going over the normal internet?

We are going to need your config.  And what is the prefix being used at Amazon?

Hi Philip,

They should go via the site-to-site VPN and use the normal internet. I have attached the config here.

What do you mean by prefix? Do you mean the friendly name?

Hi Sagar,

Going through the configuration, it does not seem you have added the VPN pool in the crypto ACL.

Could you tell me which crypto ACL you are using for the tunnel?

Regards,

Aditya

adkvpn is the name, and cryptomap_2 is used for the site-to-site VPN.

Hi Sagar,

This is the crypto ACL I see in the show run:

access-list outside_cryptomap_2 extended permit ip 192.168.96.0 255.255.224.0 172.30.0.0 255.255.0.0

May I know where the AnyConnect pool is being allowed here?

Regards,

Aditya

Please rate helpful posts

Hi Aditya,

The AnyConnect pool IP range is 192.168.125.0 to 192.168.125.X, so it falls under the 192.168.96.0/19 network.

Please help

Thanks,

Sagar

Hi Sagar,

Do we see increments in the encaps/decaps counters when the AnyConnect client tries to send traffic to the AWS cloud?

Also, I do not see any NAT on the outside interface for this traffic:

nat (outside,outside)  1 source static NETWORK_OBJ_192.168.125.0 NETWORK_OBJ_192.168.125.0  destination static NETWORK_OBJ_172.30.0.0_16 NETWORK_OBJ_172.30.0.0_16 no-proxy-arp route-lookup

Regards,

Aditya

We already have the NAT below in place. Do we still need the outside,outside NAT? This was working fine before; I don't know what messed it up :(

object network NETWORK_OBJ_192.168.125.0
 nat (any,outside) dynamic interface

Hi Sagar,

Try using packet tracer with the AnyConnect IP pool as the source and then check if it is hitting this NAT.

Also, if you try pinging the AWS cloud servers, do you see the pings making it to the ASA?

You can use debug icmp trace on the ASA to see if the pings reach the ASA.

Also check the IPsec stats.

Regards,

Aditya

Hi Aditya,

Please find attached the screenshot of packet tracer and the logs from the ASDM.

Yes, it's hitting the NAT and working fine, and the log also shows it is working fine.

I did the debug icmp trace and below is the output for the same:

Cisco# ICMP echo request from outside:192.168.125.1 to outside:172.30.30.30 ID=1 seq=1978 len=32
ICMP echo request translating outside:192.168.125.1 to outside:124.66.142.74
ICMP echo request from outside:192.168.125.1 to outside:172.30.30.30 ID=1 seq=1979 len=32
ICMP echo request translating outside:192.168.125.1 to outside:124.66.142.74
ICMP echo request from outside:192.168.125.1 to outside:172.30.30.30 ID=1 seq=1980 len=32
ICMP echo request translating outside:192.168.125.1 to outside:124.66.142.74
ICMP echo request from outside:192.168.125.1 to outside:172.30.30.30 ID=1 seq=1981 len=32
ICMP echo request translating outside:192.168.125.1 to outside:124.66.142.74
ICMP echo request from outside:192.168.125.1 to outside:172.30.30.30 ID=1 seq=1982 len=32
ICMP echo request translating outside:192.168.125.1 to outside:124.66.142.74
ICMP echo request from outside:192.168.125.1 to outside:172.30.30.30 ID=1 seq=1983 len=32
ICMP echo request translating outside:192.168.125.1 to outside:124.66.142.74

Hi Sagar,

The request is reaching the ASA and is even getting translated.

So we need to make sure: are we seeing the packets on the AWS side?

Can we do that?

Regards,

Aditya
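The thread above raises two checks: whether the AnyConnect pool falls inside the crypto ACL, and whether an identity (no-NAT) rule exists so pool traffic reaches the tunnel untranslated, which the debug icmp trace shows it does not (the pool address is PATed to the interface address). Below is an added example, not code from the thread or from Cisco, that runs those checks over the ACL, NAT lines and trace quoted in the posts; the object names and sample lines are taken from the thread, and the finding strings are my own.

```python
import ipaddress
import re

# Constructed from the thread: crypto ACL, the two NAT statements, and a slice of the trace.
CRYPTO_ACL = ("access-list outside_cryptomap_2 extended permit ip "
              "192.168.96.0 255.255.224.0 172.30.0.0 255.255.0.0")
CURRENT_NAT = ["object network NETWORK_OBJ_192.168.125.0",
               " nat (any,outside) dynamic interface"]
PROPOSED_NAT = CURRENT_NAT + [
    "nat (outside,outside) 1 source static NETWORK_OBJ_192.168.125.0 "
    "NETWORK_OBJ_192.168.125.0 destination static NETWORK_OBJ_172.30.0.0_16 "
    "NETWORK_OBJ_172.30.0.0_16 no-proxy-arp route-lookup"]
TRACE = """ICMP echo request from outside:192.168.125.1 to outside:172.30.30.30 ID=1 seq=1978 len=32
ICMP echo request translating outside:192.168.125.1 to outside:124.66.142.74
ICMP echo request from outside:192.168.125.1 to outside:172.30.30.30 ID=1 seq=1979 len=32
ICMP echo request translating outside:192.168.125.1 to outside:124.66.142.74"""

def acl_covers(acl_line, src, dst):
    """True if the crypto ACL source/destination entries cover the src and dst networks."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", acl_line)
    acl_src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    acl_dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
    return src.subnet_of(acl_src) and dst.subnet_of(acl_dst)

def has_identity_nat(nat_lines, src_obj, dst_obj):
    """True if a twice-NAT rule maps src_obj and dst_obj to themselves (no translation)."""
    s, d = re.escape(src_obj), re.escape(dst_obj)
    pat = re.compile(rf"source static {s} {s} destination static {d} {d}")
    return any(pat.search(line) for line in nat_lines)

def leaked_translations(trace, pool):
    """Translated addresses outside the pool: NAT ran before the crypto check, so the
    packet no longer matches the crypto ACL and is routed to the internet, not the tunnel."""
    leaked = []
    for m in re.finditer(r"translating \w+:(\S+) to \w+:(\S+)", trace):
        orig, xlate = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        if orig in pool and xlate not in pool:
            leaked.append(str(xlate))
    return leaked

def diagnose(acl_line, nat_lines, trace, pool, aws):
    """Collect the findings a reviewer would raise for this pool-to-AWS path."""
    findings = []
    if not acl_covers(acl_line, pool, aws):
        findings.append("pool not in crypto ACL")
    if not has_identity_nat(nat_lines, "NETWORK_OBJ_192.168.125.0", "NETWORK_OBJ_172.30.0.0_16"):
        findings.append("no identity NAT for pool->AWS")
    if leaked_translations(trace, pool):
        findings.append("pool traffic PATed to interface address")
    return findings
```

Run diagnose() against the current config and the trace to see both findings; with the proposed identity NAT added, the list is empty.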