AnyConnect can ping LAN but not remote tunnel sites

michaelrossman
Level 1

I've been trying to track this issue down for 3 days and I'm at my wits' end. Configuration is an ASA 5510 8.4(3)12. Subnet of all networks is 1.1.88.0/21. LAN is 1.1.89.0/24 on interface "inside", 1.1.91.0/24 is AnyConnect clients connecting on interface "remote". Site A is 192.168.1.0/24. Desired result is that hosts in LAN can communicate with hosts in Site A and AnyConnect clients, AnyConnect clients can communicate with Site A and LAN, traffic from LAN and AnyConnect is NAT'd out interface "outside".

With this configuration I am able to ping from Site A to LAN, Site A to AnyConnect, LAN to AnyConnect, AnyConnect to LAN, but NOT AnyConnect to Site A. I have no idea why I can't initiate communication from AnyConnect clients to Site A. Config:

dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 1.1.89.2 255.255.255.0
!
interface Ethernet0/2
nameif remote
security-level 0
dhcp client route distance 10
ip address dhcp setroute
!
interface Ethernet0/3
shutdown
nameif Other
security-level 0
ip address dhcp setroute
!

boot system disk0:/asa843-12-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
object network AnyConnectClients
range 1.1.91.1 1.1.91.255
description AnyConnect Clients
object network LAN
subnet 1.1.89.0 255.255.255.0
description LAN to Internet
object network MySubnets
subnet 1.1.88.0 255.255.248.0
object network SiteAD
subnet 192.168.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object LAN
network-object object AnyConnectClients
object-group network MyNetworks
network-object object LAN
network-object object AnyConnectClients
object-group network VPNSubnets
description All VPN Subnets
network-object object SiteA
object-group network PartnerVPNSubnets
network-object object SiteA
access-list outside_access_in extended permit ip object-group PartnerVPNSubnets object-group MyNetworks
access-list remote_access_in extended permit ip object AnyConnectClients object SiteA
access-list inside_access_in extended permit ip object LAN any
access-list outside_cryptomap_1 extended permit ip object MySubnets object SiteA
access-list remote_access_in_1 extended permit ip object AnyConnectClients any
ip local pool AnyConnectPool 1.1.91.1-1.1.91.255 mask 255.255.255.0
ip verify reverse-path interface outside
nat (remote,outside) source static AnyConnectClients AnyConnectClients destination static PartnerVPNSubnets PartnerVPNSubnets no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static PartnerVPNSubnets PartnerVPNSubnets no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic MySubnets interface
nat (remote,outside) after-auto source dynamic MySubnets interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group remote_access_in_1 in interface remote
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record OffsiteVPNDAP
description "Access policy for remote VPN users"
webvpn
  port-forward disable
  file-browsing enable
  file-entry enable
  http-proxy enable
  url-entry enable
  svc ask enable default svc
  always-on-vpn profile-setting
aaa-server LDAPDCS protocol ldap
aaa-server LDAPDCS (inside) host LDAPSERVER
user-identity default-domain LOCAL
http server enable
no sysopt connection permit-vpn
sysopt noproxyarp outside
sysopt noproxyarp inside
sysopt noproxyarp remote
sysopt noproxyarp Other
sysopt noproxyarp management
group-policy MySSLVPNGP internal
group-policy MySSLVPNGP attributes
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ssl-client ssl-clientless
group-lock none
split-tunnel-policy tunnelall
split-tunnel-all-dns enable
msie-proxy method no-modify
vlan none
nac-settings none
address-pools value AnyConnectPool
smartcard-removal-disconnect enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value achieveconsulting.local
split-tunnel-all-dns enable
webvpn
  anyconnect profiles value AnyConnectProf type user
group-policy SiteAGroupPolicy internal
group-policy SiteAGroupPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group DefaultRAGroup general-attributes
authentication-server-group LDAPDCS
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool AnyConnectPool
default-group-policy MySSLVPNGP
password-management

7 Replies

Michael Muenz
Level 5

Shouldn't it be?

same-security-traffic permit intra-interface

Since AnyConnect and Site A are connecting via the same IF?

Michael

Please rate all helpful posts


Site A's tunnel endpoint is "outside" and AnyConnect clients connect via "remote". We're not trying to hairpin any traffic in and out of the same interface.

Hello Michael,

Not sure if this is a typo but:

nat (remote,outside) source static AnyConnectClients AnyConnectClients destination static PartnerVPNSubnets PartnerVPNSubnets no-proxy-arp route-lookup

So I looked in the config for the object group PartnerVPNSubnets and found

object-group network PartnerVPNSubnets

network-object object SiteA

I looked for object SiteA and nothing was found.

Can you confirm if you have that and of course update the ticket,

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
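The check Julio did by hand, as an added example (not code from the thread or from Cisco): a small Python parser over a constructed excerpt of the posted config that lists every object or object-group name referenced from ACL, group or NAT lines but never defined. On the posted text it flags SiteA, the sterilization typo discussed above; the regexes cover only the object, object-group, access-list and twice-NAT syntax shown in this thread.

```python
import re
# Constructed excerpt of the config posted in the question: its object, group, ACL and NAT lines.
ASA_CONFIG = """\
object network AnyConnectClients
 range 1.1.91.1 1.1.91.255
object network LAN
 subnet 1.1.89.0 255.255.255.0
object network MySubnets
 subnet 1.1.88.0 255.255.248.0
object network SiteAD
 subnet 192.168.1.0 255.255.255.0
object-group network MyNetworks
 network-object object LAN
 network-object object AnyConnectClients
object-group network PartnerVPNSubnets
 network-object object SiteA
access-list outside_access_in extended permit ip object-group PartnerVPNSubnets object-group MyNetworks
access-list remote_access_in extended permit ip object AnyConnectClients object SiteA
access-list outside_cryptomap_1 extended permit ip object MySubnets object SiteA
nat (remote,outside) source static AnyConnectClients AnyConnectClients destination static PartnerVPNSubnets PartnerVPNSubnets no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic MySubnets interface
"""
DEFINITION = re.compile(r"^object(?:-group)? network (\S+)")
# "object X" / "object-group X" in ACL and group lines (not the "-object" of network-object).
KEYWORD_REF = re.compile(r"(?:^|\s)object(?:-group)? (\S+)")
# Real and mapped names in twice-NAT lines: "source static A B destination static C D".
NAT_REF = re.compile(r"\b(?:source|destination) (?:static|dynamic) (\S+)(?: (\S+))?")

def defined_names(config):
    return {m.group(1) for line in config.splitlines() if (m := DEFINITION.match(line.strip()))}

def referenced_names(config):
    """Map each object/group name that is used to the config lines that use it."""
    refs = {}
    for line in config.splitlines():
        s = line.strip()
        if DEFINITION.match(s):
            continue  # a definition line is not a reference
        names = [m.group(1) for m in KEYWORD_REF.finditer(s)]
        if s.startswith("nat "):
            for m in NAT_REF.finditer(s):
                names += [n for n in m.groups() if n and n != "interface"]
        for n in dict.fromkeys(names):  # dedupe, keep order
            refs.setdefault(n, []).append(s)
    return refs

def undefined_references(config):
    """Names used but never defined; a live ASA rejects such lines, so in a pasted config they signal a renaming slip."""
    defined = defined_names(config)
    return {n: lines for n, lines in referenced_names(config).items() if n not in defined}
```

Renaming SiteAD to SiteA in the excerpt (as the original poster confirms is the real name) makes the check come back empty.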

This was a typo caused from sterilizing the config. The object for SiteA is:

object network SiteAD

subnet 192.168.1.0 255.255.255.0

Anyone with any other ideas? We're still having this issue and have been unable to resolve it.

Site A and your mgt interface are on the same subnet?

Sent from Cisco Technical Support iPad App

That was also a side effect of sterilizing the config. The actual values for the management interface and site A are not on the same subnet. I removed the management interface info from the config.