Anyconnect Clients not following internal static routes on ASA5505

I have just purchased an ASA 5505 for my remote users to access our internal network.  I have followed all the setup instructions I can find.  I am able to establish a VPN connection using the AnyConnect client and can see some of my internal network (basically, only the subnet of the internal interface).  However, I have several subnets inside my LAN which are routed by another switch inside my LAN.  I have built in the correct static routes so that the ASA will send traffic to that internal routing switch for any subnets not part of its inside interface subnet.  I can see and ping those subnets from the ASA itself but the AnyConnect clients cannot.  Any suggestions on how to fix this would be greatly appreciated.


Re: Anyconnect Clients not following internal static routes on ASA5505

OK, first question would be: are you using full tunnel or split tunnel? Just in case it is split tunnel, then those subnets should also be in the list. Another thing would be to check the NAT exempt, if it is not configured for those subnets.

Re: Anyconnect Clients not following internal static routes on ASA5505

I did try split tunnel, but currently I am using the full tunnel method.  I have NAT exempt configured for the 4 subnet ranges that we use internally.  See NAT config screenshot below.  I have AnyConnect serve IP pool 192.168.1.241 ~ .250 to remote clients.  Thanks.

Re: Anyconnect Clients not following internal static routes on ASA5505

Can you please post the full firewall config here so that someone can have a look?

Re: Anyconnect Clients not following internal static routes on ASA5505

: Saved
:
ASA Version 8.2(5) 
!
hostname ciscoasa
domain-name domain.LLC
enable password something encrypted
passwd something encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.6 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 70.43.14.181 255.255.255.248 
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.11
 domain-name domain.LLC
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in_1 extended permit ip any any 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 203.250.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.100.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 210.105.0.0 255.255.0.0 
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0 
access-list split-tunnel standard permit host 192.168.0.0 
access-list split-tunnel standard permit host 203.250.0.0 
access-list split-tunnel standard permit host 210.105.0.0 
access-list split-tunnel standard permit host 172.100.0.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool AnyConnectPool 192.168.1.241-192.168.1.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.43.14.xxx 1
route inside 172.100.0.0 255.255.0.0 192.168.1.254 1
route inside 192.168.0.0 255.255.0.0 192.168.1.254 1
route inside 203.250.0.0 255.255.0.0 192.168.1.254 1
route inside 210.105.0.0 255.255.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

  quit
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.1.11
 dns-server value 192.168.1.11
 default-domain value domain.LLC
group-policy group internal
group-policy group attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value group
group-policy AnyConnectGP internal
group-policy AnyConnectGP attributes
 wins-server value 192.168.1.11
 dns-server value 192.168.1.11
 vpn-tunnel-protocol svc 
 default-domain value domain.LLC
username jcornett password something encrypted privilege 15
username jcornett attributes
 vpn-group-policy AnyConnectGP
tunnel-group group type remote-access
tunnel-group group general-attributes
 default-group-policy group
tunnel-group group webvpn-attributes
 group-alias group enable
 group-url https://70.43.14.xxx/group enable
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool AnyConnectPool
 default-group-policy AnyConnectGP
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
 group-url https://70.43.14.xxx/AnyConnect enable
!
!
prompt hostname context 
call-home reporting anonymous
Cryptochecksum:05bf805926fc2e93f73a3af9719143a9
: end

Re: Anyconnect Clients not following internal static routes on ASA5505 (accepted solution)

Hello,

Please add these lines and give it a try:

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 203.250.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.100.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 210.105.0.0 255.255.0.0 192.168.1.0 255.255.255.0

Regards,

Do rate helpful posts!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
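Whether an AnyConnect client can reach a subnet behind the inside interface on an ASA 8.2 box comes down to three config facts that are all visible in the posted config: where the VPN pool sits relative to the inside subnet, whether every `route inside` subnet has an entry in the `nat (inside) 0 access-list` ACL against the pool (the exemption is accepted here in either orientation, and the lines in the accepted solution add the reverse orientation of the entries the poster already had), and whether the split-tunnel ACL actually covers those subnets (the posted `split-tunnel` ACL lists the /16 networks as `host` entries, which match only the network address itself). The following linter is an added example, not code from this thread or from Cisco; it runs over a constructed excerpt of the posted config, and the function names `parse_config`, `audit` and `split_tunnel_lines` are mine. It applies to the pre-8.3 NAT syntax used on this page, not to 8.3+ object NAT.

```python
"""Lint an ASA 8.2-style config for the three facts that decide whether
AnyConnect clients can reach subnets routed behind the inside interface."""
import ipaddress
import re

# Constructed excerpt of the ASA 8.2(5) config posted in this thread; only the
# lines that matter for VPN reachability are reproduced.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.6 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 203.250.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.100.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 210.105.0.0 255.255.0.0
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
access-list split-tunnel standard permit host 192.168.0.0
access-list split-tunnel standard permit host 203.250.0.0
access-list split-tunnel standard permit host 210.105.0.0
access-list split-tunnel standard permit host 172.100.0.0
ip local pool AnyConnectPool 192.168.1.241-192.168.1.250 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route inside 172.100.0.0 255.255.0.0 192.168.1.254 1
route inside 192.168.0.0 255.255.0.0 192.168.1.254 1
route inside 203.250.0.0 255.255.0.0 192.168.1.254 1
route inside 210.105.0.0 255.255.0.0 192.168.1.254 1
"""


def _net(addr, mask="255.255.255.255"):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _pool_in(pool, net):
    """True only when every address of a non-empty pool lies inside net."""
    return bool(pool) and all(a in net for a in pool)


def parse_config(text):
    """Extract inside subnet, VPN pool, inside routes, NAT-exempt ACL name and ACL entries."""
    cfg = {"inside": None, "pool": [], "routes": [], "ext_acl": [], "std_acl": [], "nat0_acl": None}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif == "inside":
            cfg["inside"] = _net(*line.split()[2:4])
        elif m := re.match(r"ip local pool \S+ ([^-\s]+)-(\S+) mask", line):
            lo, hi = (int(ipaddress.IPv4Address(x)) for x in m.groups())
            cfg["pool"] = [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            cfg["nat0_acl"] = m[1]
        elif m := re.match(r"route inside (\S+) (\S+) (\S+) \d+$", line):
            cfg["routes"].append((_net(m[1], m[2]), ipaddress.IPv4Address(m[3])))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["ext_acl"].append((m[1], _net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"access-list (\S+) standard permit host (\S+)$", line):
            cfg["std_acl"].append((m[1], _net(m[2]), True))   # True: written as a 'host' entry
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            cfg["std_acl"].append((m[1], _net(m[2], m[3]), False))
    return cfg


def audit(cfg, split_acl="split-tunnel"):
    """Return findings as strings; an empty list means the three checks passed."""
    out, inside, pool = [], cfg["inside"], cfg["pool"]
    if inside is not None and any(a in inside for a in pool):
        out.append(f"pool {pool[0]}-{pool[-1]} overlaps inside subnet {inside}; use a dedicated pool subnet")
    exempt = [(s, d) for name, s, d in cfg["ext_acl"] if name == cfg["nat0_acl"]]
    split = [n for name, n, _ in cfg["std_acl"] if name == split_acl]
    hosts = {n.network_address for name, n, is_host in cfg["std_acl"] if name == split_acl and is_host}
    for subnet, nexthop in cfg["routes"]:
        # nat 0 access-list exemption: accept the entry in either orientation (pool<->subnet).
        if not any((_pool_in(pool, s) and subnet.subnet_of(d)) or (subnet.subnet_of(s) and _pool_in(pool, d))
                   for s, d in exempt):
            out.append(f"{subnet} via {nexthop} has no NAT-exempt entry against the pool")
        if not any(subnet.subnet_of(n) for n in split):
            hint = " ('host' covers only the network address)" if subnet.network_address in hosts else ""
            out.append(f"{subnet} is not covered by split-tunnel ACL {split_acl}{hint}")
    return out


def split_tunnel_lines(cfg, acl="split-tunnel"):
    """Standard ACL lines that cover the inside subnet and every subnet routed inside."""
    nets = ([cfg["inside"]] if cfg["inside"] is not None else []) + [n for n, _ in cfg["routes"]]
    return [f"access-list {acl} standard permit {n.network_address} {n.netmask}" for n in nets]


if __name__ == "__main__":
    cfg = parse_config(ASA_CONFIG)
    for finding in audit(cfg):
        print("FINDING:", finding)
    print("\n".join(split_tunnel_lines(cfg)))
```

On the posted excerpt the audit reports the pool overlap and the four uncovered split-tunnel subnets and no NAT-exempt gap; removing one of the existing exemption lines and adding the reverse-orientation line from the accepted solution in its place keeps that subnet exempt, which is the check to run against a `show run` before assuming routing is the problem.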
Re: Anyconnect Clients not following internal static routes on ASA5505

Thanks much jcarvaja!   That did the trick.

Now, I only have one final issue.  I still cannot see our local DNS server on the internal interface.  I get no response when pinging the DNS: 192.168.1.11.  I can hit every address on the inside except 192.168.1.11.  If I need to open a new discussion, let me know.

Thanks again.

Re: Anyconnect Clients not following internal static routes on ASA5505

Hello Jonathan,

192.168.1.11 is on the same subnet as the VPN clients. Can you try changing the VPN pool and then give it a try?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Re: Anyconnect Clients not following internal static routes on ASA5505

There is another trick:

nat (outside) 2 192.168.1.240 255.255.255.240 outside

global (inside) 2 interface

and remove everything else. If you can ping it from inside, you can ping it from the AnyConnect client.

Note: be very sure that this traffic is dropped by the outside interface access-group in the in direction, else you might get in trouble.

Don't worry about AnyConnect traffic.

Re: Anyconnect Clients not following internal static routes on ASA5505

Thanks everyone for your suggestions.  Turns out that jcarvaja's answer on Feb 10th was the correct one for my DNS issue as well.  I was testing in my own LAN environment, which was causing me problems.  Once I tested outside my network, everything worked fine.  Dumb mistake on my end.  I can ping my inside DNS (192.168.1.11) and all my other internal subnets just fine through the AnyConnect VPN now.  Consider my question answered.  Thanks again.
