Anyconnect tunnelALL Difficulties

mikedeyoung
Level 1

Hi All,

I'm having a really difficult time getting AnyConnect tunnelALL (hairpin) to work.

- Client connects
- Split tunnel works fine
- PCAP trace shows traffic destined for the Internet NOT being NATed.

The client connects successfully, but when "TunnelALL" is turned on the Windows client OS (Win10) thinks it has no connection (and when I run ipconfig I see 2 DGs).

Below is the relevant config from my firewall:

*** ASA 5525

! Object (auto) NAT: PAT the VPN pool to the ISP1 interface address when traffic hairpins back out ISP1
object network MOBILE_VPN_POOL_BBC
 subnet 10.252.252.0 255.255.255.0
 nat (ISP1,ISP1) dynamic interface

ip local pool MOBILE_VPN_POOL_BBC 10.252.252.1-10.252.252.254 mask 255.255.255.0

group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-all-dns enable

tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
 address-pool MOBILE_VPN_POOL_BBC
 default-group-policy GP_ANYCONNECT
tunnel-group TG_ANYCONNECT webvpn-attributes
 group-alias VPN enable

! Required for hairpinning: allow traffic to enter and leave on the same interface (ISP1)
same-security-traffic permit intra-interface


Hi,
Can you run packet-tracer from the CLI to simulate traffic and provide the output for review?

FIREWALL# packet-tracer input ISP1 tcp 10.252.252.1 49152 1.1.1.1 53

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (ISP1,ISP1) source static OUTSIDE_ALL_ADDRESS_SPACE OUTSIDE_ALL_ADDRESS_SPACE destination static MOBILE_VPN_POOL_BBC MOBILE_VPN_POOL_BBC
Additional Information:
NAT divert to egress interface ISP1
Untranslate 1.1.1.1/53 to 1.1.1.1/53

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: ISP1
input-status: up
input-line-status: up
output-interface: ISP1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So what is the object OUTSIDE_ALL_ADDRESS_SPACE? Traffic appears to be matching this NAT rule. Potentially your NAT rule for the RAVPN needs moving above this other NAT rule.

Thank you! That fixed it.
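The packet-tracer output and the accepted answer both come down to ASA NAT evaluation order: manual NAT rules (section 1, top to bottom) are checked before object NAT (section 2), so the static identity rule naming OUTSIDE_ALL_ADDRESS_SPACE is consulted first and the pool's dynamic PAT in the object never gets a chance. The following script is an added example, not code from the thread or from Cisco; it models only the two NAT rules visible above and walks them in ASA order for the packet-tracer flow, once as posted and once with the RAVPN PAT rule inserted ahead of the identity rule. It assumes OUTSIDE_ALL_ADDRESS_SPACE is 0.0.0.0/0 (the thread never shows its definition) and uses a constructed address, 203.0.113.10, for the ISP1 interface.

```python
"""Walk the ASA NAT table in evaluation order to see which rule a VPN flow hits.

Added example; not from the thread and not Cisco code. It models only the two
rules visible in the thread. Assumptions: OUTSIDE_ALL_ADDRESS_SPACE is 0.0.0.0/0
(never shown in the thread) and the ISP1 interface address is 203.0.113.10
(constructed documentation address).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

ISP1_INTERFACE_IP = "203.0.113.10"  # constructed placeholder for the egress interface address

OBJECTS = {
    "any": ip_network("0.0.0.0/0"),
    "OUTSIDE_ALL_ADDRESS_SPACE": ip_network("0.0.0.0/0"),  # assumption, see module docstring
    "MOBILE_VPN_POOL_BBC": ip_network("10.252.252.0/24"),  # pool from the thread
}


@dataclass(frozen=True)
class NatRule:
    section: int         # ASA order: 1 = manual NAT, 2 = object (auto) NAT, 3 = manual NAT after-auto
    line: int            # position inside the section (lower is evaluated first)
    real_src: str        # object matched against the packet's original source
    real_dst: str        # object matched against the packet's original destination
    action: str          # "identity" keeps the source; "pat-interface" rewrites it to ISP1_INTERFACE_IP
    bidirectional: bool  # static twice NAT also matches the reverse direction; dynamic PAT does not
    cli: str             # the configuration line the rule represents


def _covers(rule: NatRule, src: IPv4Address, dst: IPv4Address) -> bool:
    forward = src in OBJECTS[rule.real_src] and dst in OBJECTS[rule.real_dst]
    reverse = rule.bidirectional and src in OBJECTS[rule.real_dst] and dst in OBJECTS[rule.real_src]
    return forward or reverse


def first_match(rules, src: str, dst: str) -> Optional[NatRule]:
    """Return the first rule in ASA evaluation order (section, then line) that covers the flow."""
    s, d = ip_address(src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: (r.section, r.line)):
        if _covers(rule, s, d):
            return rule
    return None


def translated_source(rules, src: str, dst: str) -> str:
    """Source address the packet leaves ISP1 with, given the rule the flow matched."""
    rule = first_match(rules, src, dst)
    if rule is None or rule.action == "identity":
        return src
    if rule.action == "pat-interface":
        return ISP1_INTERFACE_IP
    raise ValueError(f"unknown NAT action {rule.action!r}")


# The configuration as posted: the dynamic PAT lives in object NAT (section 2), so the
# manual static identity rule in section 1 is consulted first and wins for pool -> Internet.
AS_POSTED = [
    NatRule(1, 1, "OUTSIDE_ALL_ADDRESS_SPACE", "MOBILE_VPN_POOL_BBC", "identity", True,
            "nat (ISP1,ISP1) source static OUTSIDE_ALL_ADDRESS_SPACE OUTSIDE_ALL_ADDRESS_SPACE "
            "destination static MOBILE_VPN_POOL_BBC MOBILE_VPN_POOL_BBC"),
    NatRule(2, 1, "MOBILE_VPN_POOL_BBC", "any", "pat-interface", False,
            "object network MOBILE_VPN_POOL_BBC ; nat (ISP1,ISP1) dynamic interface"),
]

# The reordering the accepted answer suggests: the RAVPN PAT expressed as a manual NAT rule
# inserted at line 1 of section 1, so it is evaluated before the identity rule.
RAVPN_FIRST = [
    NatRule(1, 1, "MOBILE_VPN_POOL_BBC", "any", "pat-interface", False,
            "nat (ISP1,ISP1) 1 source dynamic MOBILE_VPN_POOL_BBC interface"),
    NatRule(1, 2, "OUTSIDE_ALL_ADDRESS_SPACE", "MOBILE_VPN_POOL_BBC", "identity", True,
            AS_POSTED[0].cli),
]

if __name__ == "__main__":
    flow = ("10.252.252.1", "1.1.1.1")  # the packet-tracer flow from the thread
    for label, table in (("as posted", AS_POSTED), ("RAVPN rule first", RAVPN_FIRST)):
        hit = first_match(table, *flow)
        print(f"{label}: matched '{hit.cli}' -> leaves ISP1 as {translated_source(table, *flow)}")
```

With the table as posted the flow matches the identity rule in its reverse direction (static twice NAT is bidirectional), which is exactly the UN-NAT phase packet-tracer reported, and the packet would leave ISP1 still sourced from 10.252.252.1. With the PAT rule placed first the same flow is translated to the interface address, while Internet-to-pool traffic still falls through to the identity rule. One caveat when applying this on a real box: a PAT rule whose destination is "any" will also translate VPN-client-to-VPN-client traffic, so if that must keep pool addresses, put a more specific identity rule (pool to pool) ahead of it.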