I know I am close...
I have installed and configured OpenConnect to connect to a remote Cisco ASA firewall. It is using the user account and password I would normally use with AnyConnect. I see the routes showing up in OPNsense, but I cannot ping the remote side from my PC. What am I missing... is it a firewall rule?
Do you see packets traversing the interface? Anything in the logs on the ASA side?
Quote from: mimugmail on November 30, 2023, 08:18:57 AM
Do you see packets traversing the interface? Anything in the logs on the ASA side?
Unfortunately, I have no access to the ASA on the other side. What I can tell you is that when OpenConnect is active, the routes for the devices behind the ASA show up in the routing table of my OPNsense firewall. I can also ping a device behind the ASA successfully from the Interfaces/Diagnostics/Ping section of OPNsense. When I try to ping the same device behind the ASA from my PC, on a subnet behind the OPNsense firewall, I get nothing. That is what led me to believe I am missing a firewall rule.
New question...
Do I need to add the OpenConnect tunnel as an interface, like I had to with OpenVPN?
You need to NAT your LAN to the interface address for this.
Quote from: mimugmail on December 01, 2023, 01:30:33 PM
You need to NAT your LAN to the interface address for this.
I would assume an outbound NAT? I would assume the source is the OpenConnect side and the destination is my LAN side? Anything else I am missing? I have never used outbound NAT before.
Source is LAN, destination is your networks behind the ASA, and the interface is the OpenConnect one.
Quote from: mimugmail on December 01, 2023, 05:35:21 PM
Source is LAN, destination is your networks behind the ASA, and the interface is the OpenConnect one.
Does this look proper? Do I need to define anything on the firewall rules interface?
Destination address must be a net behind the ASA that you want to reach; the rest is fine.
Quote from: mimugmail on December 01, 2023, 07:38:58 PM
Destination address must be a net behind the ASA that you want to reach; the rest is fine.
I must be missing something, because that did not do it. Attached are two screenshots of what I have configured, as well as the routes being seen in the System/Status/Routes table. Am I missing anything?
172.24.16 and 172.25.16 need to be in the destination address field of the outbound NAT rule ;)
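The rule described in the two replies above, written out as the equivalent pf `nat` rule that an OPNsense Firewall: NAT: Outbound entry produces. This is an added example for illustration, not code from the thread or from the OPNsense OpenConnect plugin. The LAN subnet (192.168.1.0/24), the tunnel interface name (ocvpn0) and the /24 prefix lengths on the remote networks are assumptions; the thread only gives the 172.24.16 and 172.25.16 prefixes.

```pf
# Macros (assumed values; the thread does not state the LAN subnet, the
# tunnel interface name, or the prefix length of the remote networks).
lan_net  = "192.168.1.0/24"
oc_if    = "ocvpn0"
asa_nets = "{ 172.24.16.0/24, 172.25.16.0/24 }"

# Wrong direction (the first guess in the thread): source = networks behind
# the ASA, destination = LAN. This never matches traffic leaving the tunnel,
# so LAN hosts still send packets with their own 192.168.1.x source address,
# which the ASA has no route back to. Pings from OPNsense itself still work
# because they already use the tunnel address as source.
# nat on $oc_if from $asa_nets to $lan_net -> ($oc_if)

# Correct rule: source = LAN, destination = the networks behind the ASA,
# interface = the OpenConnect tunnel, translated to the tunnel's own
# address ("(ocvpn0)" means "whatever address that interface has now",
# which matters because the ASA assigns it dynamically per connection).
nat on $oc_if from $lan_net to $asa_nets -> ($oc_if)

# Checks after applying:
#   pfctl -s nat | grep ocvpn0          # the rule is loaded with the right nets
#   tcpdump -ni ocvpn0 icmp              # ping from the PC shows the tunnel
#                                        # address, not 192.168.1.x, as source
```

Two things to verify in the GUI that the pf text makes explicit: the Outbound NAT mode must be Hybrid or Manual, since in Automatic mode hand-written rules are ignored, and the translation target should be "Interface address" rather than a fixed IP, because the address the ASA hands out can change on every reconnect.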
Quote from: mimugmail on December 02, 2023, 12:10:02 AM
172.24.16 and 172.25.16 need to be in the destination address field of the outbound NAT rule ;)
And that's why you are the expert and I am a mere mortal. Thank you for staying with me. It's up and passing traffic. I am now able to use VMware vCenter Converter to P2V a physical server sitting in a DC in Texas onto the ESXi server in my homelab. I needed to get a site VPN up and IPsec was giving me issues. Since I had the ASA, I figured OpenConnect would be a simple way to do this... and with some work, it is. The NAT should be added to the documentation. There is nothing in the documentation that calls this out: https://docs.opnsense.org/manual/how-tos/openconnect.html
Ohhh, btw... thanks for all the plugins you support. I use a few of them, especially the Plex Custom Options. Very handy!!
Thx for the feedback 8)