
Anyconnect VPN users cannot access remote subnets?

david (Level 1)

I've Googled this till blue in the face to no avail. I don't understand why Cisco makes this so difficult. When clients connect to the AnyConnect VPN, they can access the local subnet, but cannot access remote office resources. What do I need to do to allow my AnyConnect VPN clients access to my remote sites?

Cisco 5510 8.4


8 Replies

Jouni Forss (VIP Alumni)

Hi,

This naturally won't work automatically, as there are more things involved than simply the VPN connection the user is using.

There are also some things that need to be clarified before we know what will be needed to correct the situation.

For example, are the remote sites you are talking about connected to the ASA by L2L VPN, or is there some other connectivity to the remote sites?

If the remote sites were connected directly (with the help of different ISPs) then you would naturally have to make sure both that the ASA has routes to those remote networks and that those remote networks have a route towards this ASA and its VPN pool network. You would naturally also need NAT0 and ACL configurations.

However, I presume you are talking about remote sites that are connected to this same ASA where the AnyConnect VPN users are connecting to. If this is the case then you will at least need to configure the following things.

  • Make sure you have the "same-security-traffic permit intra-interface" command enabled on your ASA, which will enable the VPN user traffic from "outside" to be forwarded through the same interface "outside" to the remote sites. Otherwise it won't work.
  • You will either have to include the VPN Pool on all of the L2L VPN connections on this local ASA as a source network (and naturally on the remote sites as the destination network) and configure NAT0 configurations for them. Or you will have to translate the VPN Pool with Dynamic PAT to an IP address belonging to this ASA sites LAN so that the traffic from the VPN user will match the interesting traffic of each L2L VPN connection.

Without seeing any actual configurations it's hard to tell what the correct configuration is to implement the connectivity between the VPN user and the remote sites.

- Jouni

Hi Jouni, thanks for the quick reply. We have MPLS WAN connectivity between all sites. I can ping the remote site via the ASDM interface so connectivity is there. Remote user pool is 10.10.224.0/24. Once connected I need these users to be able to access the 10.1.0.0/24 subnet, which is connected via a Cisco 3750 and then MPLS. Sanitizing the config for posting is so painful. Is there a certain part of the config that you need? Here is some relevant config:

route inside 10.1.0.0 255.255.255.0 10.30.1.1 1
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
 dns-server value 10.10.96.x 10.10.0.x
 vpn-simultaneous-logins 40
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall

The ASA internal IP is 10.30.1.5; it then connects to a 3750 which knows how to get to 10.1.0.2.

If you need the full config, please let me know.  Thanks!

*edit - I did not have the same-security-traffic permit intra-interface command, but not sure this matters in my scenario?

Jouni Forss (VIP Alumni)

Hi,

What are the remote sites using as their Internet gateway? Does their default route lead here to this ASA, or do they have their own Internet gateway? If they use this ASA for their Internet connectivity then they should already have a default route that leads the traffic towards the VPN pool network even if they have no specific route for the VPN pool itself. If they are using their own local Internet gateway and the default route is not pointing towards this ASA then you would naturally have to have a route on the remote site (and anything in between) telling the remote site where to reach the VPN pool network of 10.10.224.0/24.

In addition to the routing you would have to have NAT0 configured for each remote site and the VPN Pool network.

Just a simple example of a NAT0 configuration for 4 networks behind the ASA and the single VPN pool could look like this:

object-group network REMOTE-SITES
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
 network-object 10.10.40.0 255.255.255.0
object network VPN-POOL
 subnet 10.10.224.0 255.255.255.0
nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN-POOL VPN-POOL

The above naturally presumes that the remote sites are located behind the "inside" interface (through some MPLS network), and naturally also the remote site networks are made up for example's sake.

Since you are using Full Tunnel VPN there should be no problem in the VPN user forwarding traffic to this ASA in question.

So my first things to check would be the NAT0 configuration on the ASA and the routing between the remote sites and this ASA (with regards to reaching the VPN Pool network, not the ASA interface IP address).

Are you sure that the above configuration is related to this? It's my understanding that AnyConnect only uses IKEv2 and the above is set strictly for IKEv1?

- Jouni
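The three ASA-side prerequisites Jouni lists (an identity NAT pair between the remote-site object-group and the VPN pool, a route covering each remote subnet, and `same-security-traffic permit intra-interface`) can be checked mechanically against a saved `show running-config`. The script below is an added example, not code from the thread or from Cisco; the config text is constructed, reusing the REMOTE-SITES and VPN-POOL names from Jouni's post, and it only covers this ASA's side, since the return route at the remote site (the actual fix in this thread) lives on other devices.

```python
import ipaddress
import re

# Constructed ASA 8.4-style config (not from the thread); object names follow Jouni's example.
SAMPLE_CONFIG = """same-security-traffic permit intra-interface
object-group network REMOTE-SITES
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
object network VPN-POOL
 subnet 10.10.224.0 255.255.255.0
nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN-POOL VPN-POOL
route inside 10.10.10.0 255.255.255.0 10.30.1.1 1
"""

def parse_objects(config):
    """Map each 'object network' / 'object-group network' name to its list of subnets."""
    objects, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"object(?:-group)? network (\S+)$", line)
        if m:
            current = objects.setdefault(m.group(1), [])
            continue
        m = re.match(r"(?:network-object|subnet) (\S+) (\S+)$", line)
        if m and current is not None:
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return objects

def identity_nat_pairs(config, objects):
    """(source subnets, destination subnets) for each twice-NAT line whose mapped == real, i.e. NAT0."""
    pat = re.compile(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
    return [(objects.get(m.group(1), []), objects.get(m.group(3), []))
            for m in pat.finditer(config) if m.group(1) == m.group(2) and m.group(3) == m.group(4)]

def covered(nets, net):
    return any(net.subnet_of(n) for n in nets)

def check_remote_site(config, vpn_pool, remote_subnet):
    """Report the ASA-side prerequisites from the thread for one remote subnet."""
    pool, remote = ipaddress.ip_network(vpn_pool), ipaddress.ip_network(remote_subnet)
    pairs = identity_nat_pairs(config, parse_objects(config))
    # A NAT0 rule is bidirectional, so accept the pair written in either direction.
    nat0 = any((covered(s, remote) and covered(d, pool)) or (covered(s, pool) and covered(d, remote))
               for s, d in pairs)
    routes = [ipaddress.ip_network(f"{a}/{mask}")
              for a, mask in re.findall(r"^route \S+ (\S+) (\S+) \S+", config, re.M)]
    hairpin = "same-security-traffic permit intra-interface" in config
    return {"nat0": nat0, "route": covered(routes, remote), "intra_interface": hairpin}
```

A `False` for `route` with a default route present would mean the default route is missing too; a `False` for `nat0` means VPN-pool traffic to that subnet will hit whatever dynamic NAT applies instead of being exempted.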

Jouni, the remote site default gateway goes to a different ASA at that site. All of our sites have their own ASA and their own default route leading to their respective ASA. I can see where you're coming from with the route back to 10.10.224.0, but I cannot easily add such a route at the remote site since it's internal to the ASA and I'm using OSPF to advertise all networks via the Cisco 3750. I'll have to call our MPLS provider and have them inject a route for 10.10.224.0/24 that points back to the MPLS router where the 10.10.224.0 pool exists.

I actually have a similar problem with 2 different sites/ASAs. One is using AnyConnect and the other that I noted above is for our VPN phones - sorry for the confusion, but I think they both have the same issue. The VPNPHONE VPN worked fine until today when I moved the 10.1.0.0/24 subnet to a remote office. However, all of our internal sites can access 10.1.0.2, only the VPNPHONE users cannot.

Hi,

Ok, let me know when the service provider has done the change, and whether that's enough to get it working or there is still something in the ASA configurations that needs a look.

- Jouni

Hi Jouni, good call on the routing back to 10.10.224.0 from the remote site. That seemed to do the trick! The VPN phones are at least connecting to 10.1.0.2 now. We're having some audio trouble, but I'll have to do some more testing on that.

Jouni, everything is working fine this morning. Thanks for your help!!

Hi,

Great to hear that it's working now.

- Jouni
