Re: ASA VLAN Mapping feature limited to local network only? - Page 2

sbaetz07860 · ‎04-28-2010

Hello Cisco,

I have a design question in building a VPN Cluster using Anyconnect.

I have a customer that wants to map 4 groups to a corresponding VLAN.

For example:

employee - Vlan 94

Admin - Vlan 95

IT - Vlan 96

etc....

Each Vlan has a specific pool configured, and on the switch side, there is a Vlan interface that is configured as the DG for that subnet.

Now this appears to work just fine from a mapping perspective, however, the question becomes routing. I've noted that there have been others that have run into this issue where the "route <interface> 0 0 tunneled" provides a tunnel default gateway for newly unencrypted traffic "globally"... meaning that you can set a DG for the VPN clients as a whole, however this option doesn't work when these clients groups are mapped to specific VLANs.

So the bottom line question is: Does VLAN Mapping as a limitation only allow access to the local subnet where the user is assigned based on his group configuration, and there is no way to allow them to route off that particular subnet using the the DG for that subnet?

Thanks.

Steve

Javier Portuguez · ‎08-01-2012

Hi Axel,

Please collect the "debug ldap 255" and the "debug aaa common 255" during a connection attempt.

Also attach the "show run tunnel-group", "show run group-policy", "show run aaa-server" and "show run ldap-attribute-map".

Let us know:

username:

tunnel-group:

Thanks.

Axel Maertens · ‎08-01-2012

Attached is Config and Log.

I do have a TAC Case concerning this problem by now as well (622633357), createde from Discussion https://supportforums.cisco.com/thread/2163198?tstart=0 - thought it fits better in a seperate discussion.

just so you won't do work twice.

Thanks so far,

Axel

Gustavo Medina · ‎07-30-2012

Or you can use DAP as well...

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

gabarrio · ‎04-14-2020

Hi Gustavo,

thanks for this post. This helped us in one use case as customer required a different default gateway for a specific VPN Group (due to the outbreak, most of the user works remotely). So Anyconnect goes full-tunnel but their default gateway is the one defined in the ASA for that specific DMZ. This means Anyconnect browse internet via that DMZ (this is not U-turn or hair pinning). So requirements are as you say:

1.-VLAN Restriction (in ASDM. Via CLI is a VLAN tied to the group-policy)

2.-Enter a default route via that DMZ with higher metric. Note: will not appear in the ASA routing table but will work just for that VPN Group with the VLAN restriction. All flows goes thru that VLAN and its specific default gateway.

Thanks!

lukaskuzmiak · ‎04-20-2014

Hi!

I think I'm in a pretty similar problem right now.

The only difference being the ASA itself serves as a default gateway for all the VLANs/subnets that I need to route to..

I have an outside interface and then a couple of inside ones (subinterfaces for each vlan)

However I still get this when I'm trying to connect to VLAN101 host from VLAN102 - that is a VPN client and therefore is coming from the outside interface:

Routing failed to locate next hop for TCP from outside:<internal vlan ip from VLAN102>/60093 to vlan101:<internal vlan ip from VLAN101>/443

And while trying to set a default gateway as you said (with higher metric than the default gateway that I normally have) I get this error:

Invalid next hop address, it belongs to one of our interfaces

Am I being stupid with my configuration or am I screwed?

Thanks!

Gustavo Medina · ‎04-20-2014

Hello Lukas,

Can you share your current running configuration as well as your "sh route"?

-Gustavo

lukaskuzmiak · ‎04-22-2014

Hello Gustavo,

thanks for taking time to reply :-)

I'm attaching both the current config and routes - I've deleted some stuff of running config (but only the irrelevant stuff like other non-affected interfaces and CA and certificates and stuff that only takes place and bothers).

Config:

ASA Version 9.1(5) 
!
hostname asa
domain-name ii
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 nameif trunk
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.101
 vlan 101
 nameif ii_services
 security-level 0
 ip address 172.30.151.234 255.255.255.0 
!
interface GigabitEthernet0/0.102
 vlan 102
 nameif ii_users
 security-level 0
 ip address 172.30.152.234 255.255.255.0 
!
interface GigabitEthernet0/0.201
 vlan 201
 nameif upc
 security-level 0
 ip address 192.168.234.3 255.255.255.0 
!
boot system disk0:/asa915-smp-k8.bin
boot system disk0:/asa914-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup trunk
dns domain-lookup upc
dns domain-lookup ii_services
dns domain-lookup ii_users
dns server-group DefaultDNS
 domain-name ii
same-security-traffic permit inter-interface
object network upc_pat
 subnet 0.0.0.0 0.0.0.0
 description NAT for upc connection
object network ii_users
 subnet 172.30.152.0 255.255.255.0
object network ii_services
 subnet 172.30.151.0 255.255.255.0
access-list ii_users standard permit 172.30.151.0 255.255.255.0 
access-list ii_users standard permit 172.30.152.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu trunk 1500
mtu upc 1500
mtu ii_services 1500
mtu ii_users 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-716.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (upc,any) source static ii_users ii_users no-proxy-arp
!
object network upc_pat
 nat (any,upc) dynamic interface
route upc 0.0.0.0 0.0.0.0 192.168.234.1 1 track 1
webvpn
 enable upc
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05160-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-64-3.1.05160-k9.pkg 3
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 default-domain value ii
group-policy grp_ii_users internal
group-policy grp_ii_users attributes
 banner value grp_ii_users
 dhcp-network-scope 172.30.152.0
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ii_users
 vlan 102
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ii_radius
 dhcp-server link-selection 172.30.160.2
 username-from-certificate UPN
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl-client hide
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:f14379244cafbd85b6ed4c735a7c7b21
: end

and the routes:

Gateway of last resort is 192.168.234.1 to network 0.0.0.0

C    172.30.151.0 255.255.255.0 is directly connected, ii_services
C    172.30.152.0 255.255.255.0 is directly connected, ii_users
C    192.168.234.0 255.255.255.0 is directly connected, upc
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.234.1, upc

If you feel a need for any additional information I'll be happy to provide it.

Thanks a lot again,

Lukas