Solved: Re: VPN traffic not routing out from Vlans

00u18jg7x27DHjRMh5d7 · ‎08-31-2022

I am having an issue with my VPN traffic not routing back out of the network when trying to contact devices Vlan10 particularly. If you ping or RDP a device From VPN to inside network other than Vlan-1 you cannot reach it. But you can ping From a Server on Vlan-10 to a client on outside VPN and get a response. All Vlan traffic works as it should on the LAN and has internet connection threw the FirePower without issue. When running cap traffic enters LAN but will not leave and packet tracer you see traffic is allowed passes all inspection.

The network is fairly simple: Cisco 9300Cat L3 (192.168.1.22/24), directly connected to Cisco 1140 FirePower inside int(192.168.1.1/24) VpN outside int(10.10.101.0/24).

On L3 Switch:

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.1.1
10.0.0.0/24 is subnetted, 1 subnets
S 10.10.101.0 [1/0] via 192.168.1.1

EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num
12 192.168.10.5 Vl10 11 04:11:50 1 100 0 118
1 192.168.1.1 Vl1 12 1w5d 382 2292 0 106

On FirePower:

Gateway of last resort is 52.X.X.1 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 52.X.X.1, outside
V 10.10.101.33 255.255.255.255 connected by VPN (advertised), outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
C 192.168.10.0 255.255.255.0 is directly connected, vlan10
L 192.168.10.5 255.255.255.255 is directly connected, vlan10

EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num
12 192.168.10.1 vlan10 14 04:15:46 832 4992 0 289
2 192.168.1.22 inside 14 1w5d 1 200 0 278

I added a Static route for VPN to 10.5 sub interface on the Firepower and with the 2 static routes it causes traffic issues, you can log in to VPN but would have issues connecting to devices in LAN.

Thanks

Rob Ingram · ‎09-01-2022

@00u18jg7x27DHjRMh5d7 you've got at least 2 internal interfaces (inside and vlan10), if you cannot access vlan10 from the VPN, is vlan10 interface in the "inside_zone" zone? Otherwise traffic would not match those rules above.

Do you have an Auto NAT configured for vlan10?....and a NAT exemption rule to ensure traffic between VPN pool and VLAN10 is not unintentially translated?

View solution in original post

MHM Cisco World · ‎08-31-2022

what is the VPN IP pool ?
config static route for VPN IP Pool toward FW inside

00u18jg7x27DHjRMh5d7 · ‎09-01-2022

VPN pool is the 10.10.101.0/24 I have a static route to the FW inside 192.168.1.1/24 and it did not resolve the issue. This is one of the reasons I am confused, why its not working.

MHM Cisco World · ‎09-01-2022

OK so your VPN Pool config with static rotue in L3SW
are you disable VPN-sysopt connection ?
If yes then you need to allow connection from OUT to IN, since the ASA is add Anyconnect client as Connected to OUT.

00u18jg7x27DHjRMh5d7 · ‎09-01-2022

I already have that applied. VPN-sysopt is disabled.

Also have ACL on L3 Switch allowing all traffic from VPN Network.

Rob Ingram · ‎09-01-2022

@00u18jg7x27DHjRMh5d7 you've got at least 2 internal interfaces (inside and vlan10), if you cannot access vlan10 from the VPN, is vlan10 interface in the "inside_zone" zone? Otherwise traffic would not match those rules above.

Do you have an Auto NAT configured for vlan10?....and a NAT exemption rule to ensure traffic between VPN pool and VLAN10 is not unintentially translated?

Georg Pauwen · ‎09-01-2022

Hello,

--> I am having an issue with my VPN traffic not routing back out of the network when trying to contact devices Vlan10 particularly.

Can you post a schematic drawing showing the traffic flow that is not working ?

00u18jg7x27DHjRMh5d7 · ‎09-01-2022

Rob,

Thanks I looked at NAT rules again on had the Zones flipped and caused the issue all resolved now.

Thanks all for assistance.