anyconnect VPN

Mike Buyarski
Level 3

Got a brand new ASA for setting remote users up with AnyConnect VPN access.

I set up the VPN and I can connect, but I can't access any of the internal networks from the client PC.

The setup is this: internet>====ASA>=====L3 switch (internal network, and primary GW for all PCs and servers, running multiple VLANs).

We do have NAT running on the ASA since we will eventually use that as the primary gateway for all internet traffic.

We have EIGRP running for routing.

Internally I can set the ASA as the gateway and access the internet and everything else I need.

When I connect my laptop to my phone (tethered) I can connect the AnyConnect client, but I cannot access anything on the internal network.

I have attached the config of the ASA.


Marvin Rhoads
Hall of Fame

It looks pretty good from a quick glance. You should be getting a route for 10.0.0.0/8 on your client. You have that in a vpn-filter (not strictly necessary, but shouldn't hurt) and you have a NAT exemption for the VPN subnet.

Can you confirm that your L3 switch is learning a route for the VPN clients via EIGRP? (i.e., check the route table on the core while connected.)

No, the core switch is NOT getting that route in the routing table. I added that subnet to the EIGRP on the ASA, but it is still not showing on the core router.

Try adding "reverse-route" in the crypto map to make sure routes to the VPN clients are injected into the EIGRP process (and thus advertised to the internal core switch).

Reference this article

I can't find where I would even put that, since the referenced article talks about crypto maps that I don't have.

Mike,

While RRI won't be an option, Marvin is getting you in the right direction. You will need the internal clients to learn a route back to the ASA for the AnyConnect client pool. The easiest way to do this would probably be to create a static route for the client pool pointed at the ASA, which could then be redistributed into EIGRP. I feel as if there is an easier way to do this, but unfortunately I'm drawing a blank on that.

HTH,

Frank

Putting a static route on the core switch does allow clients on the local VLANs to ping the VPN'ed-in PC, but the PC that is VPN'ed in still can't access anything. I found that from the firewall I can ping the VPN'ed-in PC as long as it is set to the outside interface, but if I set it to the inside interface it fails. I did a packet-tracer and it failed because of an (acl-drop).

Mike,

Can you confirm that "sysopt connection permit-vpn" is enabled? You can check this with "sh run all sysopt".

Unfortunately "acl-drop" is sort of a blanket rule and should be taken with a grain of salt.

-Frank

Yes, this is what I got:

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp TDS_outside
no sysopt noproxyarp BI_inside
no sysopt noproxyarp management

It would appear as though it is enabled.

Mike Buyarski
Level 3

Well, I called TAC since I could not wait around much longer, and the fix was this:

Added a new network object that was 10.0.0.0/8. This was because I had the access-list permitting 10.0.0.0/8 networks, which were my internal corporate networks.

Second, had to add a NAT rule that sourced the inside interface to a destination of the outside interface, with a source address of the new object I created and a destination of the VPN pool. This was because we do not want NAT to NAT the VPN pool addresses.
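The fix described in the thread, written out as ASA (8.3+ twice-NAT syntax) and core-switch configuration. This is an added example, not the poster's attached config or the TAC-provided commands; it reuses the interface names BI_inside and TDS_outside from the sysopt output above, while the VPN pool prefix, the ASA inside address and the EIGRP AS number are placeholders that must be replaced with the real values.

```cisco
! ---- ASA: identity NAT so the VPN pool is never translated ----
! Corporate networks, matching the 10.0.0.0/8 already permitted in the ACL
object network CORP_NETS
 subnet 10.0.0.0 255.0.0.0
! AnyConnect address pool (PLACEHOLDER prefix; use the pool actually configured)
object network ANYCONNECT_POOL
 subnet 10.10.10.0 255.255.255.0

! Weak state (what the original config effectively had): a dynamic PAT
! rule that catches inside-to-VPN-pool traffic as well as internet traffic,
! so return packets to the client are rewritten and dropped.
! nat (BI_inside,TDS_outside) source dynamic any interface

! Corrected: NAT exemption for inside <-> VPN pool. "route-lookup" makes the
! ASA use the routing table for the egress interface instead of the NAT rule,
! and "no-proxy-arp" stops the ASA from answering ARP for the pool on the inside.
nat (BI_inside,TDS_outside) source static CORP_NETS CORP_NETS destination static ANYCONNECT_POOL ANYCONNECT_POOL no-proxy-arp route-lookup

! Checks: the exemption must be hit, and packet-tracer from the inside
! toward a connected client must now end in ALLOW instead of acl-drop.
! show nat detail
! packet-tracer input BI_inside tcp 10.1.1.10 12345 10.10.10.5 443

! ---- Core L3 switch: return route for the pool, as Frank suggested ----
! PLACEHOLDER next hop: the ASA BI_inside address
ip route 10.10.10.0 255.255.255.0 10.1.1.1
router eigrp 100
 redistribute static
! Verify on the core while a client is connected: show ip route 10.10.10.5
```

If the pool were later moved to a prefix outside 10.0.0.0/8, both the vpn-filter and the inside ACL would also need updating, since the exemption alone does not grant access.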