Hello everyone
I'm trying desperately to get clients via AnyConnect to an MX250 behind a PaloAlto.
Scenario:
Meraki cluster; the virtual IP of WAN1 is 10.100.110.99/29.
The appliances themselves have 10.100.110.97/29 and 10.100.110.98/29 respectively.
VLAN 3521
Inbound Firewall Layer 3: ANY to ANY
On the MX, NO-NAT is enabled on WAN1.
Why? There are multiple VLANs on the MX. In order to create firewall rules for the individual LANs on the PaloAlto, these must arrive with an IP from the LAN and not with the NAT IP 10.100.110.99 of the MX.
The PaloAlto interface has the IP 10.100.110.100/29. VLAN is set.
Process:
Clients in local networks can access the Internet via WAN1->Palo Alto without any problems.
So outgoing connections work.
Now it's about incoming connections.
On the PaloAlto there is a Policy-Based Forwarding rule to get from the Meraki Cloud to the MX. That works too.
Now comes the AnyConnect problem.
On the PaloAlto there is a DNAT that sends incoming connections on port 444 (used for AnyConnect) over IP 10.100.110.100 to the MX 10.100.110.99.
These packets also arrive there. A packet capture clearly shows me incoming connections on port 444, source 10.100.110.100, destination 10.100.110.99.
However, apparently no packets are going back from the MX to the PaloAlto.
There are no ACK packets, there is simply nothing; it is as if the MX discards the packets internally, but I can't change anything about it.
A capture on the Palo also shows no incoming data and no drops. It's just very, very quiet on the line.
Has anyone here had experience with this and/or an idea of how I can get this scenario to work?
Regards
Meraki VPN Client does not work behind NAT.
Hi,
Thanks.
But this confuses me now. This setup was still working with a Sophos UTM until a week ago.
The problem has only existed since we replaced the Sophos with the Palo Alto.
OK, now you would say that the problem is the PA, because it worked before. The colleagues from PA see the problem on the MX side, since it does not give an answer.
And in between, as always, me.
Well, this was supposed not to work, but:
This is about AnyConnect, not the old L2TP over IPSec-Client, so there shouldn't be any issues.
Which protocol are you using? IKEv2 or SSL-VPN?
My mistake. Anyway, you already tried to perform a packet capture, just to confirm that the client is reaching the MX?
Hi,
I had already written in the opening post of this thread that the capture shows the packets arriving on the MX, but nothing goes back from there.
The path (successful):
PUBLIC IP -> NAT IP WAN IF -> WAN1 IP MX
12.34.56.78 -> 10.100.110.100 -> 10.100.110.99
Capture from the MX:
573 6.365300 10.100.110.100 10.100.110.99 TCP 70 [TCP Retransmission] 22785 → 444 [SYN] Seq=0 Win=64240 Len=0 MSS=1452 WS=256 SACK_PERM
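As an added illustration (not part of the thread, and not Meraki or Palo Alto tooling): a small checker that reads tshark/Wireshark text-export lines like the one above, groups them by flow and reports flows where the client keeps sending SYNs and the capture holds no SYN/ACK coming back. The sample capture is constructed: frame 573 is the line posted above, the other frames are hypothetical and only add a second flow to TCP/443 that does get answered, so the two cases can be compared.

```python
import re
from dataclasses import dataclass

# Constructed sample capture (tshark-style text). Frame 573 is the line the OP
# posted; the other frames are hypothetical and added only for contrast: a second
# flow to TCP/443 whose SYN is answered, so the checker has something to pass.
SAMPLE_CAPTURE = """\
571 5.012345 10.100.110.100 10.100.110.99 TCP 70 22785 → 444 [SYN] Seq=0 Win=64240 Len=0 MSS=1452 WS=256 SACK_PERM
573 6.365300 10.100.110.100 10.100.110.99 TCP 70 [TCP Retransmission] 22785 → 444 [SYN] Seq=0 Win=64240 Len=0 MSS=1452 WS=256 SACK_PERM
580 7.100000 10.100.110.100 10.100.110.99 TCP 70 22801 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1452 WS=256 SACK_PERM
581 7.100500 10.100.110.99 10.100.110.100 TCP 66 443 → 22801 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
582 7.101000 10.100.110.100 10.100.110.99 TCP 54 22801 → 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
"""

# Matches the "No. Time Source Destination Protocol Length Info" columns of a
# tshark/Wireshark text export, plus the ports and TCP flags at the start of Info.
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+(?P<len>\d+)\s+"
    r"(?P<retrans>\[TCP Retransmission\]\s+)?"
    r"(?P<sport>\d+)\s+→\s+(?P<dport>\d+)\s+\[(?P<flags>[A-Z, ]+)\]"
)


@dataclass
class Flow:
    """Handshake bookkeeping for one client->server 4-tuple."""
    client: str
    server: str
    cport: int
    sport: int
    syn: int = 0            # SYNs sent by the client (first attempt plus retransmissions)
    syn_retrans: int = 0    # how many of those tshark flagged as retransmissions
    synack: int = 0         # SYN/ACKs seen coming back from the server
    ack: int = 0            # client ACKs completing the handshake


def analyze(capture_text: str) -> dict[tuple[str, str, int, int], Flow]:
    """Group handshake packets by flow. Flows are keyed from the client's side."""
    flows: dict[tuple[str, str, int, int], Flow] = {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP line in the expected format; skip it
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        flags = {f.strip() for f in m["flags"].split(",")}
        if flags == {"SYN"}:
            key = (src, dst, sport, dport)
            flow = flows.setdefault(key, Flow(src, dst, sport, dport))
            flow.syn += 1
            if m["retrans"]:
                flow.syn_retrans += 1
        elif flags == {"SYN", "ACK"}:
            # The reply travels server->client, so flip it back to the client-side key.
            key = (dst, src, dport, sport)
            if key in flows:
                flows[key].synack += 1
        elif "ACK" in flags:
            key = (src, dst, sport, dport)
            if key in flows:
                flows[key].ack += 1
    return flows


def one_way_flows(flows):
    """Flows where the client sent SYNs but the capture holds no SYN/ACK from the server."""
    return [key for key, f in flows.items() if f.syn and not f.synack]


def report(capture_text: str) -> list[str]:
    """One human-readable verdict per flow."""
    lines = []
    for (client, server, cport, sport), f in analyze(capture_text).items():
        if f.synack:
            verdict = "handshake answered"
        else:
            verdict = f"NO SYN/ACK after {f.syn} SYN(s), {f.syn_retrans} retransmitted"
        lines.append(f"{client}:{cport} -> {server}:{sport}: {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

Run it against a text export of the MX capture (`tshark -r mx.pcap -Y tcp > mx.txt`, then pass the file contents to `report`). A flow that shows up as one-sided in a capture taken on the MX itself means the SYN reached the appliance and no SYN/ACK was emitted on that interface; the script only identifies those flows, it cannot tell whether the MX refused the port or sent its reply out a different path.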
So DNAT is done on the Palo side for incoming traffic on TCP/444? By default, MX is listening for AnyConnect connections on TCP/443. Can you check which port is used on the MX (Server settings -> AnyConnect Port)?
The setting was of course already adjusted in advance.
What about the statement that AnyConnect does not work with NAT?
Is it somehow possible now?
I'm just confused, because I have already passed this statement on, and AnyConnect over PaloAlto (DNAT) is considered to have failed.
Hi,
Where can I decide which protocol I use?
AnyConnect definitely wants to connect via SSL port 444.
443 is already taken for something else, hence 444.
Sorry, I could have thought of that; so SSL-VPN is perfectly OK in this case.