New Member

AnyConnect VPN full tunnel cannot access site-to-site VPN

I have an AnyConnect VPN set up with no split tunnelling (U-turning/hairpinning traffic), running 8.2.5 code.

This works great, but I want to allow the AnyConnect clients to access a site-to-site VPN as well, which I have been unable to do. 

I did check that the anyconnect network IP addresses are part of the tunnel on both sides.

My logic tells me I need to not u-turn the traffic coming from the anyconnect network for the site-to-site VPN, but I am not sure how to do this.

Any help would be appreciated.

Here are the relevant portions of my config:

(Inside network is 192.168.0.0/24,

anyconnect network is 192.168.10.0/24,

site-site VPN network is 192.168.2.0/24)

--------------------------------------------------------------------------------------


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_1
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0

ip local pool AnyConnectPool 192.168.10.2-192.168.10.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.10.0 255.255.255.0
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 (gateway IP) 1
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 svc profiles AnyConnectProfile disk0:/anyconnect_client.xml
 svc enable
 tunnel-group-list enable
group-policy AnyConnectGrpPolicy internal
group-policy AnyConnectGrpPolicy attributes
 wins-server none
 dns-server value 192.168.0.33 192.168.2.33
 vpn-session-timeout none
 vpn-tunnel-protocol l2tp-ipsec svc
 split-tunnel-policy tunnelall
 address-pools value AnyConnectPool
tunnel-group AnyConnectGroup type remote-access
tunnel-group AnyConnectGroup general-attributes
 address-pool AnyConnectPool
 authentication-server-group SERVER1_AD
 default-group-policy AnyConnectGrpPolicy
tunnel-group AnyConnectGroup webvpn-attributes
 authentication aaa certificate
 group-alias _AnyConnect enable

Accepted Solutions
Hall of Fame Super Silver

Your remote access VPN traffic appears as originating on the outside interface so I believe you need to exempt from NAT the VPN pool traffic headed back into the site-site VPN. Something like this:

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 0 access-list outside_nat0
nat (outside) 1 192.168.10.0 255.255.255.0

access-list outside_nat0 extended permit ip any 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
8 REPLIES
New Member

Thank you for the reply.  This didn't resolve the issue, but perhaps will help point me in the right direction.  I had been running the packet tracer on the inside interface, and the traffic was allowed from 192.168.10.0/24 to 192.168.2.0/24.  However as you noted I should be running it on the outside interface, which gives me an access-list error right off the bat - the implicit access rule on the outside interface (source any destination any service IP action deny).


Below is my current config:
!
ASA Version 8.2(5)
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
access-list outside_nat0 extended permit ip any 192.168.10.0 255.255.255.0
ip local pool AnyConnectPool 192.168.10.2-192.168.10.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0
nat (outside) 1 vpn-network 255.255.255.0

route outside 0.0.0.0 0.0.0.0 (gateway IP) 1
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 svc profiles AnyConnectProfile disk0:/anyconnect_client.xml
 svc enable
 tunnel-group-list enable
group-policy AnyConnectGrpPolicy internal
group-policy AnyConnectGrpPolicy attributes
 wins-server none
 dns-server value 192.168.0.33 192.168.2.33
 vpn-session-timeout none
 vpn-tunnel-protocol l2tp-ipsec svc
 split-tunnel-policy tunnelall
 address-pools value AnyConnectPool
tunnel-group AnyConnectGroup type remote-access
tunnel-group AnyConnectGroup general-attributes
 address-pool AnyConnectPool
 authentication-server-group SERVER1_AD
 default-group-policy AnyConnectGrpPolicy
tunnel-group AnyConnectGroup webvpn-attributes
 authentication aaa certificate
 group-alias _AnyConnect enable

What is the output of:  packet-tracer input outside rawip 192.168.10.10 0 192.168.2.10 80

New Member

Hi and thanks for the reply. The packet-tracer shows the traffic being dropped as mentioned above with the implicit access rule on the outside interface (source any destination any service IP action deny). Although, if I run the same command as: packet-tracer input outside rawip 192.168.10.10 0 192.168.0.10, I get the same message, but I can access the 192.168.0.0/24 network just fine after connecting via Anyconnect and getting a 192.168.10.x address.


Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


New Member

This ended up being the correct solution, except we need to change the access-list statement as follows:


access-list outside_nat0 extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0


Thank you very much for your help!!

Hall of Fame Super Silver

Excellent - glad to see you have it working now.

Thanks for the rating. Cheers!

New Member

OK, so following the packet tracer, I added an access rule, then took Mr. Rhoads' suggestions and tweaked them to make it work. But I don't feel comfortable adding IP-based outside access to the remote network, and feel like I am putting in a security hole.


access-list outside-access-in extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list outside_nat0 extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (outside) 0 access-list outside_nat0

New Member

Never mind, it works without the access rule, we just needed to swap around the order of the outside_nat0 statement.
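As an added illustration (code written for this edit, not taken from the thread or from Cisco), the Python model below mimics the ASA 8.2 nat 0 lookup on the config lines quoted in this thread and shows why the accepted answer's "any -> 192.168.10.0/24" ACE did not exempt the hairpinned flow while the poster's corrected pool-to-remote-LAN ACE does: only the nat 0 ACL bound to the ingress interface is consulted, and decrypted AnyConnect traffic enters on outside with the pool address as its source. The parser handles only the any, object-group and network/mask operand forms; that simplification is an assumption.

```python
import ipaddress
# Constructed from the config lines quoted in this thread; not a complete ASA config.
CONFIG = """\
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
access-list outside_nat0 extended permit ip any 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 0 access-list outside_nat0
"""
# The ACE the poster ended up with: source = AnyConnect pool, destination = remote site LAN.
FIXED_CONFIG = CONFIG.replace("permit ip any 192.168.10.0 255.255.255.0",
                              "permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0")

def parse(config):
    # Collect network object-groups, 'permit ip' ACEs per ACL, and the nat 0 ACL per interface.
    groups, acls, nat0, current = {}, {}, {}, None
    for line in config.splitlines():
        parts = line.split()
        if line.startswith("object-group network "):
            current = parts[-1]
            groups[current] = []
        elif line.startswith(" network-object ") and current:
            groups[current].append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
        elif line.startswith("access-list ") and parts[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(parts[1], []).append(parts[5:])
        elif line.startswith("nat (") and parts[2] == "0":
            nat0[parts[1].strip("()")] = parts[4]
    return groups, acls, nat0

def operand(tokens, groups):
    # Consume one ACE address operand: 'any', 'object-group NAME' or 'NETWORK MASK' (assumed forms).
    tok = tokens.pop(0)
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if tok == "object-group":
        return groups[tokens.pop(0)]
    return [ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")]

def nat_exempt_ace(config, ingress, src, dst):
    # ASA 8.2 consults only the nat 0 ACL bound to the ingress interface; first matching ACE wins.
    groups, acls, nat0 = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls.get(nat0.get(ingress, ""), []):
        tokens = list(ace)
        srcs, dsts = operand(tokens, groups), operand(tokens, groups)
        if any(src in n for n in srcs) and any(dst in n for n in dsts):
            return " ".join(ace)
    return None  # not exempt: with the thread's nat (outside) 1 rule the flow would be PATed instead
```

Running nat_exempt_ace(CONFIG, "outside", "192.168.10.10", "192.168.2.10") returns None, while the same call on FIXED_CONFIG returns the corrected ACE; the inside_nat0_outbound entry matches only when the ingress is "inside", which is why the poster's original packet-tracer from inside looked fine.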
