Access to client in VLAN with Any Connect

Answered Question
Aug 5th, 2010

I have configured a 1841 router for SSL VPN and this works great, the client connects and downloads AnyConnect and then I establish a VPN. The issue I have is that I have two VLANs on the router, the default VLAN 1 and VLAN 4 on a sub-interface.


From the client I can ping the sub-interface IP address and I can ping any IP address on a client in the default VLAN; the ping ends with "request timed out", so this suggests that the packet makes it to the destination and is dropped on the way back. What I am trying to work out is how the AnyConnect client can be made VLAN aware so it can connect to the computer in VLAN 4.


I haven't posted the config yet in case it's a simple change that I need to make!


Thanks


kyle

Jennifer Halim (Cisco Employee) Thu, 08/05/2010 - 03:59

I assume that you have configured split tunnel and it has included the subnet for VLAN 4. Further to that, you might want to check that NAT exemption has also exempted traffic between VLAN 4 and the SSL VPN IP pool subnet. And lastly, you might want to check if the VLAN 4 host has any personal firewall that sometimes blocks incoming connections from a different subnet, which might be blocking the ping request.


Hope that helps.

kyle.heath Thu, 08/05/2010 - 04:15

I have the firewall on the computer switched off and I have split tunneling configured for the VLAN 4 subnet. I can see on my AnyConnect client that I have a route to the VLAN 4 subnet via my pool IP.


I have route maps on my PAT and this has an ACL that allows traffic from the internal network to be PATed and then denies all other traffic.


The IP Pool for the SSL VPN is in the same subnet as VLAN 4 and uses the Loopback interface and a Virtual-template to avoid traffic being dropped by the ZBF.


Should I have used a different subnet for the AnyConnect client IP pool?

Correct Answer
Jennifer Halim (Cisco Employee) Thu, 08/05/2010 - 04:22

Yes, if the AnyConnect pool is in the same subnet as VLAN 4, then it would try to perform ARP resolution instead of sending the traffic towards the default gateway. I would suggest that you change the pool to a unique subnet, and you would need to change the ZBFW and NAT exemption ACL accordingly.

kyle.heath Thu, 08/05/2010 - 04:33

I changed the subnet for the VPN clients and now my pings to the VLAN 4 computer work! Thank you for that, I haven't used SSL VPN before and used the CCP wizard, so I was a bit confused on the IP pool section as to what would be the right IP subnet for this. I understand that now I am routing to the remote subnet.


Of course the problem I have now is that the device, it's a CNC machine, that we need access to doesn't look like it has a default gateway configured!


Thanks for all your help on this!
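The two forwarding decisions behind this thread, as an added illustration that is not part of the original discussion: the accepted answer's point that a client whose pool address sits inside the VLAN 4 subnet ARPs for the destination instead of sending it into the tunnel, and the follow-up point that a LAN host with no default gateway cannot answer an off-subnet source even once the pool is moved. The model below is a simplified host stack (connected subnet first, then split-tunnel routes); the addresses (192.168.4.0/24 for VLAN 4, 10.10.10.0/24 for the relocated pool) are constructed for the example and are not taken from the poster's configuration.

```python
"""Constructed model of a VPN client's and a LAN host's forwarding decisions.

Not the thread's configuration: subnets and addresses below are made up to
show why an overlapping pool fails and why a missing default gateway fails.
"""
from ipaddress import ip_address, ip_interface, ip_network


def client_path(pool_addr, split_routes, dst):
    """How the VPN client's own IP stack would send a packet to dst.

    pool_addr   : address assigned from the VPN pool, with mask (e.g. "10.10.10.5/24")
    split_routes: networks pushed by the split-tunnel policy, reachable via the tunnel
    Returns "arp"     - dst is inside the adapter's own subnet, so the host ARPs for
                        it on the virtual adapter (nothing answers; packet never leaves)
            "tunnel"  - dst matches a split-tunnel route and is sent to the head-end
            "default" - neither; it follows the normal default route (not tunneled)
    """
    adapter = ip_interface(pool_addr)
    target = ip_address(dst)
    # A connected subnet is the most specific route a host has; anything inside it
    # is treated as on-link and resolved with ARP, which is the failure in the thread.
    if target in adapter.network:
        return "arp"
    if any(target in ip_network(net) for net in split_routes):
        return "tunnel"
    return "default"


def host_reply_path(host_addr, default_gateway, src):
    """Whether a LAN host (the CNC machine in the thread) can reply to src.

    Returns "direct"  - src is on the host's own subnet
            "gateway" - src is off-subnet and a default gateway exists
            "dropped" - src is off-subnet and no gateway is configured; the reply
                        is never sent, so the remote side sees "request timed out"
    """
    host = ip_interface(host_addr)
    source = ip_address(src)
    if source in host.network:
        return "direct"
    if default_gateway is None:
        return "dropped"
    return "gateway"


def walk_through():
    """Replay the thread: overlapping pool, then a unique pool, then no gateway."""
    vlan4 = "192.168.4.0/24"          # constructed VLAN 4 subnet
    cnc = "192.168.4.20"              # constructed CNC machine address
    return {
        # pool inside VLAN 4: client ARPs for the CNC machine and the ping dies locally
        "overlapping_pool": client_path("192.168.4.50/24", [vlan4], cnc),
        # pool on its own subnet: the split route sends the ping into the tunnel
        "unique_pool": client_path("10.10.10.5/24", [vlan4], cnc),
        # the CNC machine has no gateway, so its reply to 10.10.10.5 is dropped
        "cnc_reply_no_gateway": host_reply_path(cnc + "/24", None, "10.10.10.5"),
        # with a gateway (the router's VLAN 4 sub-interface) the reply can be routed back
        "cnc_reply_with_gateway": host_reply_path(cnc + "/24", "192.168.4.1", "10.10.10.5"),
    }


if __name__ == "__main__":
    for step, outcome in walk_through().items():
        print(f"{step:24s} -> {outcome}")
```

The model deliberately ignores interface metrics and proxy ARP; its point is the ordering a host applies (connected subnet before any pushed route), which is exactly why the accepted answer recommends a pool subnet that overlaps nothing on the LAN, and why the return path then depends on the LAN host having a route back to that subnet.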
