anyconnect users can't connect to branch office via site-to-site

Unanswered Question

Hello,

I have cisco anyconnect ssl vpn configured on one asa 5505 in siteA with split tunneling.  The clients are able to connect to the internal network (20.20.20.0/24).

There is a site-to-site connection from siteA to siteB (5505 as well).  Anyconnect users which are connected to the asa in SiteA can't connect to the internal network of siteB (10.0.1.0/24)

10.10.10.0 - outside network

20.20.20.0 - inside network SiteA

10.0.1.0 - inside network SiteB

50.50.50.0 - VPN users siteA

When using packet tracer from both sites it says the packet is allowed.

I found a related post on the forum and followed the steps mentioned in following post:  https://supportforums.cisco.com/message/3112382

siteA

-----

-added nexemption for siteB 

access-list no_nat extended permit ip 10.0.1.0 255.255.255.0 50.50.50.0 255.255.255.0

-added acl in cryptomap for site-to-site between siteA and siteB

access-list Outside_3_cryptomap extended permit ip 10.0.1.0 255.255.255.0 50.50.50.0 255.255.255.0

-added the siteB IP range to split-tunnel

access-list split-tunnel standard permit 10.0.1.0 255.255.255.0

enabled same-security-traffic permit inter-interface

enabled same-security-traffic permit intra-interface

siteB

-----

-added exemption for SiteA

access-list no_nat extended permit ip 50.50.50.0 255.255.255.0 10.0.1.0 255.255.255.0

-added acl in cryptomap for site-to-site between siteB and siteA

access-list Outside_3_cryptomap extended permit ip 50.50.50.0 255.255.255.0 10.0.1.0 255.255.255.0

Anyone knows what's missing? 

Thanks

config firewall siteA

-----------------------

: Written by admin at 05:03:25.499 UTC Tue Sep 28 2010

!

ASA Version 8.2(2)

!

hostname fw1

domain-name domain.local

enable password FjvMKW4exVDlqgsq encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif Management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan100

nameif Outside

security-level 0

ip address 10.10.10.2 255.255.255.240

!

interface Vlan200

nameif Inside

security-level 100

ip address 20.20.20.1 255.255.255.0

!

interface Vlan300

nameif DMZ

security-level 50

ip address 30.30.30.1 255.255.255.0

!

interface Vlan400

nameif VOIP

security-level 100

ip address 40.40.40.1 255.255.255.0

!

interface Ethernet0/0

description WAN Interface

switchport access vlan 100

speed 100

duplex full

!

interface Ethernet0/1

description DMZ Interface

switchport access vlan 300

!

interface Ethernet0/2

description Trunk port to sw1

switchport access vlan 400

switchport trunk allowed vlan 200,400

switchport trunk native vlan 200

switchport mode trunk

!

interface Ethernet0/3

description Trunk port to sw4

switchport access vlan 400

switchport trunk allowed vlan 200,400

switchport trunk native vlan 200

switchport mode trunk

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

description Trunk port to AP1

switchport access vlan 300

switchport trunk allowed vlan 200,300

switchport trunk native vlan 200

switchport mode trunk

!

interface Ethernet0/7

!

boot system disk0:/asa822-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name domain.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network SiteA

network-object 20.20.20.0 255.255.255.0

network-object host 10.10.10.1

object-group network siteB

network-object 10.0.1.0 255.255.255.0

network-object host 7.7.7.1

access-list acl_out_in extended permit tcp any interface Outside eq www 

access-list no_nat extended permit ip 20.20.20.0 255.255.255.0 50.50.50.0 255.255.255.0 

access-list no_nat extended permit ip object-group siteA object-group siteB

access-list no_nat extended permit ip 10.0.1.0 255.255.255.0 50.50.50.0 255.255.255.0 

access-list split-tunnel standard permit 20.20.20.0 255.255.255.0

access-list split-tunnel standard permit 10.0.1.0 255.255.255.0 

access-list Outside_3_cryptomap extended permit ip 20.20.20.0 255.255.255.0 object-group siteB

access-list Outside_3_cryptomap extended permit ip 10.0.1.0 255.255.255.0 50.50.50.0 255.255.255.0

pager lines 24

logging enable

mtu Management 1500

mtu Outside 1500

mtu Inside 1500

mtu DMZ 1500

mtu VOIP 1500

ip local pool SSLClientPool 50.50.50.1-50.50.50.254 mask 255.255.255.0

no failover

monitor-interface Management

monitor-interface Outside

monitor-interface Inside

monitor-interface DMZ

monitor-interface VOIP

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-625-53.bin

no asdm history enable

arp timeout 14400

global (Outside) 1 interface

global (DMZ) 1 10.10.10.3

nat (Management) 1 0.0.0.0 0.0.0.0

nat (Inside) 0 access-list no_nat

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 0.0.0.0 0.0.0.0

nat (VOIP) 1 0.0.0.0 0.0.0.0

static (Inside,Outside) tcp interface www 20.20.20.32 www netmask 255.255.255.255 

access-group acl_out_in in interface Outside

route Outside 0.0.0.0 0.0.0.0 10.10.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

ldap attribute-map Allow_VPN

  map-name  msNPAllowDialin Tunneling-Protocols

  map-value msNPAllowDialin FALSE 4

  map-value msNPAllowDialin TRUE 48

dynamic-access-policy-record DfltAccessPolicy

aaa-server ActiveDirectory protocol ldap

aaa-server ActiveDirectory (Inside) host 20.20.20.9

ldap-base-dn dc=domain,dc=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-dn CN=cisco,OU=Service Accounts,OU=HTCP, DC=domain, DC=local

server-type microsoft

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 Management

http 20.20.20.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map 3 match address Outside_3_cryptomap

crypto map Outside_map 3 set pfs

crypto map Outside_map 3 set peer 74.7.11.174

crypto map Outside_map 3 set transform-set ESP-3DES-SHA

crypto map Outside_map interface Outside

crypto ca trustpoint localtrust

enrollment self

fqdn vpn.domain.com

subject-name CN=vpn.domain.com

keypair sslvpnkeypair

crl configure

crypto ca certificate chain localtrust

certificate 2097644c

    308201fb 30820164 a0030201 02020420 97644c30 0d06092a 864886f7 0d010105

    05003042 311c301a 06035504 03131376 706e6272 6564612e 69746573 736f2e63

    6f6d3122 30200609 2a864886 f70d0109 02161376 706e6272 6564612e 69746573

    736f2e63 6f6d301e 170d3130 30383133 30303531 34345a17 0d323030 38313030

    30353134 345a3042 311c301a 06035504 03131376 706e6272 6564612e 69746573

    736f2e63 6f6d3122 30200609 2a864886 f70d0109 02161376 706e6272 6564612e

    69746573 736f2e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00

    30818902 818100c0 7c562d66 47588291 2ddca190 2e8f52b3 7f50c7f1 5945d606

    9ff63a2e 432d0602 162710c8 818d152d e2467645 96e7da33 8b39bacf f01e42ad

    44ae2f2a 6bd6a9ab 024d47b6 273e720b 7263b0e9 8f24bf80 515e268e eace994e

    d882ea36 fe8893d2 44d5cdb1 15f298b4 c26d5eff 6839ed68 6a13f453 fe35635e

    c67ae205 da3ae502 03010001 300d0609 2a864886 f70d0101 05050003 81810068

    bfae1b4d c1850c56 5826edfb ff86e504 e5e4be95 10f9e674 a3c7997e 96db735a

    864176af 04fdae5d 4f401a32 dcadb213 857fda06 9a8764f1 1fcf0a31 76c6af20

    9cd09e68 63e6efb9 61098b81 60d72f2d 9b71b127 5282cd9f 234d49d7 d29bd56e

    d2b83698 bfb97cd7 a259593f f79b9694 7cce9fef c5fd79e0 4d89ae23 0e4c94

  quit

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config Outside

priority-queue Outside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point localtrust Outside

webvpn

enable Outside

svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy SSLClientPolicy internal

group-policy SSLClientPolicy attributes

dns-server value 20.20.20.9

vpn-tunnel-protocol svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-tunnel

default-domain value domain.local

address-pools value SSLClientPool

username user1 password TEkjf52Nn3dfdf encrypted privilege 15

username user1 attributes

service-type admin

tunnel-group SSLClientProfile type remote-access

tunnel-group SSLClientProfile general-attributes

authentication-server-group ActiveDirectory

default-group-policy SSLClientPolicy

tunnel-group SSLClientProfile webvpn-attributes

group-alias SSLVPNClient enable

tunnel-group 74.7.11.174 type ipsec-l2l

tunnel-group 74.7.11.174 ipsec-attributes

pre-shared-key somekey

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect pptp

policy-map VoicePolicy

class Voice-OUT

  priority

class Voice-IN

  priority

!

service-policy global_policy global

service-policy VoicePolicy interface Outside

prompt hostname context

service call-home

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:41ec9ba2201fcadac735b75fb4759120

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Federico Coto F... Tue, 09/28/2010 - 15:03

Hi,

Looks fine.

Testing...

When try to access Site B internal LAN from the VPN clients, check the following:

Site A:

sh cry isa sa --> Tunnel should be established between the VPN client and the ASA, and tunnel should be established between Site A and Site B

sh cry ips sa --> You should see a Security Association established for 50.50.50.0/24 and 10.0.1.0/24

The second part is very important since you will see packets encrypted/decrypted that will shows is if traffic is flowing through.

Do the same thing on Site B.

Question.

Do you also have the routing set up correctly?

For example, Site B knows that to reach 50.50.50.0/24 should send the traffic to Site A?

Federico.

Actions

This Discussion