Brady Wright

asked on

Problem with Cisco AnyConnect traffic on a Cisco ASA 5505

I am having an issue with my remote VPN users not being able to connect to a specific network through the VPN. Hardware involved is a Cisco ASA 5505 with users connecting using the Cisco AnyConnect client. Once connected, the ASA assigns them an IP address from a pool created on the ASA (172.16.10.0/24). Split tunneling is enabled, and the internal network and the remote network (details below) have been added to the network list for the AnyConnect connection profile. The VPN users can access the internal network without any problems but not the remote network. The problem is below.

Details of the issue: There is a server on one of our vendors' networks that we need access to internally and also when connected through VPN. A site-to-site VPN was set up connecting my internal network (172.16.3.0/24) to theirs (10.*.*.0/24), with what I believe to be all the needed ACLs and NAT entries. All internal users can access this network without a problem, but anyone connected by VPN cannot. It seems that on the VPN users' computers any traffic destined for my internal network comes through the VPN, but traffic trying to go to the vendor's network is going out their regular internet connection and not through the VPN. Looking at the settings on the AnyConnect client while connected, the route details tab shows the 172.16.3.0/24 network and the 10.*.*.0/24 network as secured routes. Any ideas on what could be the issue? There has to be some NAT or ACL rule I'm missing or have entered incorrectly. I am far from an expert on networking. This Cisco ASA firewall is the only router we have since we are a small network, but this issue is critical to our functioning. Also, I know nothing about using the Cisco CLI, as I only use the ASDM GUI with this ASA. Thank you for any help; I can provide more detail if needed, and I probably haven't explained this as clearly as needed.
Darrell Porter

While 10.XXX.YYY.0/24 is listed as a secured network, is there a rule above it indicating 10.0.0.0/8 is an unsecured network?
Can you provide a sanitized (no passwords or company names or subsidiaries or any other identifying information such as public IPs obfuscated or removed) configuration of the ASA?
Brady Wright

ASKER

Thank you for the help.  I am working on the config file now to remove any unwanted info.
Here is the config file with public info removed.  I tried to highlight the references I could find pertaining to the VPN IP addresses and the network we are trying to connect to through that VPN.
ASAv1.pdf
Digging into it brings up a couple of questions:

Does the 10.190.131.0/24 network allow the 172.16.10.0/24 traffic through?

In order for the traffic to traverse the tunnel, the other site must include the subnet of your VPN clients in their interesting traffic. Remember that a VPN consists of a set of rules that must match on both sides, or your VPN clients will fail to get to the other side as long as they don't allow it in their ACLs.
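As an added illustration of the checks raised above (the remote subnet must be in the split-tunnel list, and the client pool must appear as a source in the crypto ACL on this side, which the ASA evaluates top-down), here is a small Python checker that is not from the thread or from the ASA itself. The sample ACL lines and the ACL names SPLIT and outside_cryptomap are constructed assumptions, and it only understands plain network/mask entries, not object groups.

```python
"""Added example (not from the thread): check ASA ACL lines for the AnyConnect pool gap."""
import ipaddress
import re

# Constructed sample in ASA syntax. 10.190.131.0/24 and 172.16.10.0/24 are the vendor subnet
# and client pool from the thread; the ACL names SPLIT and outside_cryptomap are assumed.
SAMPLE_CONFIG = """
access-list SPLIT standard permit 172.16.3.0 255.255.255.0
access-list SPLIT standard permit 10.190.131.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.3.0 255.255.255.0 10.190.131.0 255.255.255.0
"""

STD_RE = re.compile(r"^access-list (\S+) standard (permit|deny) (\S+) (\S+)$")
EXT_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")


def parse_acls(text):
    """Return {acl_name: [(action, src_net or None, dst_net), ...]} in file order."""
    acls = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := STD_RE.match(line):  # standard ACE: one network (split-tunnel list)
            name, action, net, mask = m.groups()
            acls.setdefault(name, []).append((action, None, ipaddress.ip_network(f"{net}/{mask}")))
        elif m := EXT_RE.match(line):  # extended ACE: source and destination (crypto ACL)
            name, action, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (action, ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    return acls


def first_match(entries, dst, src=None):
    """ASA evaluates ACEs top-down: action of the first entry covering the flow, else None."""
    for action, s, d in entries:
        if dst.subnet_of(d) and (s is None or src is None or src.subnet_of(s)):
            return action
    return None


def diagnose(config, pool, remote, split_acl="SPLIT", crypto_acl="outside_cryptomap"):
    """Is the remote subnet split-tunneled, and does the crypto ACL carry pool -> remote?"""
    acls = parse_acls(config)
    pool, remote = ipaddress.ip_network(pool), ipaddress.ip_network(remote)
    return {
        "split_tunnel_covers_remote": first_match(acls.get(split_acl, []), remote) == "permit",
        "crypto_acl_covers_pool": first_match(acls.get(crypto_acl, []), remote, pool) == "permit",
    }
```

On the constructed sample the split-tunnel list already covers the vendor subnet (which matches the client showing it as a secured route), while the crypto ACL only names 172.16.3.0/24 as a source, so pool traffic never matches the tunnel.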
During the setup of the site-to-site VPN tunnel, 172.16.10.0/24 was set up on the other site's end. I have verified that it is there by talking to them. Hope this helps. Was there anything else you could see that would be preventing the traffic? Also, some of the ACLs and NAT statements referring to this network were put in on the recommendations of the other site's IT people when they were trying to help me troubleshoot this issue, but nothing fixed the issue. Some of them may not be necessary or may be configured wrong for the traffic to flow properly, but I left them in the config until they were looked at by someone with more knowledge than me. The AnyConnect profile and associated settings were created using the VPN Wizard, so pretty much just used the defaults, if that helps. Thanks again for helping with this.
ASKER CERTIFIED SOLUTION
Pete Long
