Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Anyconnect client traffic does not reach remote sites connected via site-to-site vpn

Hi everyone,  I have a 5550 ASA running version 8.2(1) which is being used to tunnel between sites and also serves as remote access server.   Anyconnect tcp/udp client traffic that is tunneled to other sites via site-to-site vpn fails.

I get these in the logs (either RST or SYN/ACK)

6    Nov 24 2010    12:06:48    106015    10.13.2.1    80    10.6.1.102    15996    Deny TCP (no connection) from 10.13.2.1/80 to 10.6.1.102/15996 flags RST ACK  on interface outside

ICMP traffic is ok as I can ping units in remote sites

10.13.0.0/16  being the remote site and 10.6.1.0/24 being the vpn client subnet

10.6.1.254 is another router connected to the same segment

Internet is being routed to another ASA on the same segment

I have run out of ideas can anyone shed some light ?

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ASA Version 8.2(1)
!
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 22.33.44.55 255.255.255.192
!

interface GigabitEthernet1/0

nameif inside
security-level 100
ip address 10.6.1.249 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

!

object-group network CANADA
network-object 10.6.0.0 255.255.0.0
!
object-group network UK

network-object 10.13.0.0 255.255.0.0

!
access-list nonat extended permit ip object-group CANADA object-group UK
access-list 113 extended permit ip object-group CANADA object-group UK

!

mtu outside 1500
mtu management 1500
mtu inside 1500
ip local pool AnyConnect_Pool1 10.6.1.101-10.6.1.199 mask 255.255.255.0
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 22.33.44.56 1
route inside 10.6.0.0 255.255.0.0 10.6.1.254 1
route inside 0.0.0.0 0.0.0.0 10.6.1.254 tunneled
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD

!

crypto map vpn 113 match address 113
crypto map vpn 113 set peer 100.200.100.200
crypto map vpn 113 set transform-set ESP-AES-256-SHA
crypto map vpn 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600

!
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy thqmtl_AnyConnect internal
group-policy thqmtl_AnyConnect attributes
wins-server value 10.6.4.10 10.3.4.10
dns-server value 10.6.4.10 10.3.4.10
vpn-simultaneous-logins 3
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock none
split-tunnel-policy tunnelall
default-domain value notimportant.com
vlan none
address-pools value AnyConnect_Pool1
webvpn
  svc keep-installer installed
  svc rekey time 60
  svc rekey method ssl
  svc ask none default svc
!
tunnel-group 100.200.100.200 type ipsec-l2l
tunnel-group 100.200.100.200 ipsec-attributes
pre-shared-key *
tunnel-group AnyConnect_SSL type remote-access
tunnel-group AnyConnect_SSL general-attributes
address-pool AnyConnect_Pool1
authentication-server-group LDAP
authentication-server-group (inside) LDAP
default-group-policy thqmtl_AnyConnect
tunnel-group AnyConnect_SSL webvpn-attributes
group-alias AnyConnect_SSL enable
!
: end

  • VPN
1 REPLY
Cisco Employee

Re: Anyconnect client traffic does not reach remote sites connec

To start with, the AnyConnect Pool should not be in the same subnet as the inside network, as essentially the AnyConnect pool should really

exist on the outside network.

Secondly, what is the reason of configuring "route inside 0.0.0.0 0.0.0.0 10.6.1.254 tunneled"?

Once you have changed the AnyConnect pool to a unique subnet range, then you would need to add AnyConnect pool subnet to the site-to-site VPN crypto ACL on both side as follows:

On this ASA: access-list 113 permit ip object-group UK

On the remote ASA: the corresponding ACL and mirror image to the above: access-list permit ip object-group UK

Then you would need to clear the tunnels, and reconnect to the AnyConnect to test the connectivity to the remote site.

Hope that helps.

429
Views
0
Helpful
1
Replies
This widget could not be displayed.