Anyone have any first hand experience with this nonsense?
I have this setup and everything is working except for being able to reach hosts on the inside interface of the ASAv. I get the routes via AnyConnect, I can see the traffic hit the ASA, but I get nothing back in terms of ICMP/SSH from the AnyConnect client. I can ping the instance from the inside interface of the ASAv, so it's got to be route or NAT related to the AnyConnect subnet.
I have done this a million times with physical ASAs but just can't get it working within AWS.
ip local pool AnyConnect 172.31.101.5-172.31.101.100 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 172.31.99.246 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 172.31.98.166 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
dhcp client route distance 254
ip address dhcp setroute
ws-01# show int ip brief
Interface                  IP-Address        OK? Method Status   Protocol
GigabitEthernet0/0         172.31.99.246     YES CONFIG up       up
GigabitEthernet0/1         172.31.98.166     YES CONFIG up       up
Management0/0              172.31.100.117    YES DHCP   up       up
fwv-aws-01# show run nat
nat (outside,inside) source static oregon-ra-vpn-101 oregon-ra-vpn-101 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp
nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static oregon-ra-vpn-101 oregon-ra-vpn-101 no-proxy-arp
nat (outside,outside) source dynamic oregon-ra-vpn-101 interface
!
object network obj_any
nat (any,outside) dynamic interface
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list 101; 1 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit ip any any (hitcnt=20) 0x28676dfa
access-list Employee-AnyConnect; 3 elements; name hash: 0xfc7860d8
access-list Employee-AnyConnect line 1 standard deny 10.0.0.0 255.0.0.0 (hitcnt=0) 0xd056da44
access-list Employee-AnyConnect line 2 standard permit 172.31.99.0 255.255.255.0 (hitcnt=0) 0xc402c5fd
access-list Employee-AnyConnect line 3 standard permit 172.31.100.0 255.255.255.0 (hitcnt=0) 0xd0c48284
access-list outside_access_in; 4 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit icmp any any object-group DM_INLINE_ICMP_1 (hitcnt=0) 0x28ee0b42
access-list outside_access_in line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x54b872f3
access-list outside_access_in line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0x03690eb3
access-list outside_access_in line 1 extended permit icmp any any unreachable (hitcnt=0) 0x5c2fa603
access-list outside_access_in line 2 extended deny ip any any (hitcnt=8) 0x2c1c6a65
Anyone got any ideas?
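An added diagnostic, not from the post, that re-parses the pool, interface and NAT lines above and reports the return-path conditions an ASAv in AWS depends on; the VPC CIDR 172.31.0.0/16 and the assumption that oregon-ra-vpn-101 is the object holding the pool are mine, not the poster's.

```python
import ipaddress
import re

# Constructed input: the post's config lines re-joined. Object names such as
# oregon-ra-vpn-101 are not defined on the page, so they are left unresolved.
ASA_CONFIG = """\
ip local pool AnyConnect 172.31.101.5-172.31.101.100 mask 255.255.255.0
interface GigabitEthernet0/0
 nameif inside
 ip address 172.31.99.246 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 ip address 172.31.98.166 255.255.255.0
nat (outside,inside) source static oregon-ra-vpn-101 oregon-ra-vpn-101 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp
nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static oregon-ra-vpn-101 oregon-ra-vpn-101 no-proxy-arp
nat (outside,outside) source dynamic oregon-ra-vpn-101 interface
"""
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")  # assumption: default VPC CIDR

def parse_pool(cfg):
    """Return (pool name, network) from the 'ip local pool ... mask' line."""
    m = re.search(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", cfg)
    return m.group(1), ipaddress.ip_network(f"{m.group(2)}/{m.group(4)}", strict=False)

def parse_interfaces(cfg):
    """Map each nameif to the subnet configured on that interface."""
    ifaces, name = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            addr, mask = line.split()[2:4]
            ifaces[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ifaces

def nat_rules_for(cfg, obj):
    # NAT lines referencing the object assumed to hold the VPN pool.
    return [l for l in cfg.splitlines() if l.startswith("nat ") and obj in l.split()]

def check_return_path(cfg, vpc_cidr=VPC_CIDR):
    """Findings on whether inside hosts can route replies back to the pool."""
    _, pool = parse_pool(cfg)
    findings = [f"pool {pool} overlaps {n} subnet {net}"
                for n, net in parse_interfaces(cfg).items() if pool.overlaps(net)]
    if pool.subnet_of(vpc_cidr):
        # Inside instances hand replies to the VPC router, not the ASA, so the VPC route
        # table needs a pool route (more specific than 'local') to the ASA inside ENI.
        findings.append(f"pool {pool} is inside VPC CIDR {vpc_cidr}: needs VPC route to ASA inside ENI")
    return findings
```

Run `check_return_path(ASA_CONFIG)` and `nat_rules_for(ASA_CONFIG, "oregon-ra-vpn-101")` against a real `show run` export to list the route-table entry and the NAT rules that must agree with the pool.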