08-31-2022 12:37 PM
I am having an issue with my VPN traffic not routing back out of the network when trying to contact devices on Vlan10 particularly. If you ping or RDP from the VPN to a device on the inside network other than Vlan-1, you cannot reach it. But you can ping from a server on Vlan-10 to a client on the outside VPN and get a response. All Vlan traffic works as it should on the LAN and has an internet connection through the FirePower without issue. When running a capture, traffic enters the LAN but will not leave, and in packet tracer you see the traffic is allowed and passes all inspection.
The network is fairly simple: Cisco 9300 Cat L3 (192.168.1.22/24), directly connected to a Cisco 1140 FirePower, inside int (192.168.1.1/24), VPN outside int (10.10.101.0/24).
On L3 Switch:
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.1.1
10.0.0.0/24 is subnetted, 1 subnets
S 10.10.101.0 [1/0] via 192.168.1.1
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num
12 192.168.10.5 Vl10 11 04:11:50 1 100 0 118
1 192.168.1.1 Vl1 12 1w5d 382 2292 0 106
On FirePower:
Gateway of last resort is 52.X.X.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 52.X.X.1, outside
V 10.10.101.33 255.255.255.255 connected by VPN (advertised), outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
C 192.168.10.0 255.255.255.0 is directly connected, vlan10
L 192.168.10.5 255.255.255.255 is directly connected, vlan10
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num
12 192.168.10.1 vlan10 14 04:15:46 832 4992 0 289
2 192.168.1.22 inside 14 1w5d 1 200 0 278
I added a static route for the VPN to the 10.5 sub-interface on the Firepower, and with the 2 static routes it caused traffic issues: you could log in to the VPN but would have issues connecting to devices in the LAN.
Thanks
09-01-2022 01:12 PM - edited 09-01-2022 01:19 PM
@00u18jg7x27DHjRMh5d7 you've got at least 2 internal interfaces (inside and vlan10). If you cannot access vlan10 from the VPN, is the vlan10 interface in the "inside_zone" zone? Otherwise traffic would not match those rules above.
Do you have an Auto NAT configured for vlan10? And a NAT exemption rule to ensure traffic between the VPN pool and VLAN10 is not unintentionally translated?
08-31-2022 04:53 PM
What is the VPN IP pool?
Config a static route for the VPN IP pool toward the FW inside.
09-01-2022 06:36 AM - edited 09-01-2022 06:38 AM
The VPN pool is 10.10.101.0/24. I have a static route to the FW inside 192.168.1.1/24 and it did not resolve the issue. This is one of the reasons I am confused as to why it's not working.
09-01-2022 10:27 AM
OK, so your VPN pool is configured with a static route in the L3SW.
Have you disabled VPN-sysopt connection?
If yes, then you need to allow connections from OUT to IN, since the ASA adds the AnyConnect client as connected to OUT.
09-01-2022 12:12 PM
I already have that applied. VPN-sysopt is disabled.
I also have an ACL on the L3 switch allowing all traffic from the VPN network.
09-01-2022 12:50 PM
Hello,
--> I am having an issue with my VPN traffic not routing back out of the network when trying to contact devices Vlan10 particularly.
Can you post a schematic drawing showing the traffic flow that is not working?
09-01-2022 02:32 PM
Rob,
Thanks, I looked at the NAT rules again and had the zones flipped, which caused the issue; all resolved now.
Thanks all for assistance.
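As an added illustration of the fix that the accepted answer suggests and the OP's last post confirms (example configuration, not the thread's own config): the NAT exemption (identity twice NAT) between the VPN pool and VLAN10, in ASA-style CLI syntax (the form FTD also shows in its CLI; on an FMC-managed FTD the same rule is built in the NAT policy with zone objects). The subnets, the `vlan10` and `outside` interface names and the client address 10.10.101.33 come from the thread; the object names, the choice of `outside` as the VPN-facing interface, and the host 192.168.10.50 are assumptions. The commented-out second rule shows the "zones flipped" variant the OP hit, where the interface pair is reversed so the exemption never matches.

```cisco
! Added example, not the thread's own configuration.
! Network objects for the two endpoints named in the thread
! (object names assumed, subnets from the thread).
object network VLAN10_NET
 subnet 192.168.10.0 255.255.255.0
object network VPN_POOL
 subnet 10.10.101.0 255.255.255.0
!
! Correct NAT exemption. The interface pair is (vlan10,outside):
! VLAN10 hosts sit behind nameif "vlan10", the AnyConnect pool is
! reached via "outside" (assumed). Twice NAT is evaluated in both
! directions, so this also covers VPN -> VLAN10 traffic, and as a
! manual (Section 1) rule it is checked before any Auto NAT for VLAN10.
nat (vlan10,outside) source static VLAN10_NET VLAN10_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! The "zones flipped" mistake: same networks, interface pair reversed.
! Packets sourced from 192.168.10.0/24 never enter on "outside", so the
! rule is never hit and VLAN10 <-> VPN traffic falls through to whatever
! other NAT rules exist for VLAN10, i.e. the unintended translation the
! accepted answer warns about.
! nat (outside,vlan10) source static VLAN10_NET VLAN10_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Checks: the exemption's hit counters should increment, and a traced
! packet from a VLAN10 host (192.168.10.50 is a constructed address)
! toward the connected VPN client 10.10.101.33 should show the identity
! NAT phase and finish with an ALLOW result.
! show nat detail
! packet-tracer input vlan10 icmp 192.168.10.50 8 0 10.10.101.33
```

Two points from the thread still apply alongside the NAT rule: with VPN-sysopt disabled (as the OP states), the access control policy must itself permit the outside-to-vlan10 flows, and vlan10 has to be a member of the zone those rules reference, otherwise the rules never match regardless of NAT.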