topic Re: Anyconnect configuration Cisco 1010 in Network Security

Anyconnect configuration Cisco 1010

saids3 — Tue, 07 Mar 2023 11:47:37 GMT

Hello

I don't have the option of selecting inside the interface to enable the exempt option for anyconnect!!

Should I disable it?

Do I need any specific NAT or ACL to enable anyconnect?

Re: Anyconnect configuration Cisco 1010

Rob Ingram — Tue, 07 Mar 2023 11:56:48 GMT

@saids3 yes you will likely need a NAT exemption rule, otherwise traffic would be unintentially translated behind the outside interface.

What is the configuration of your interfaces?

Are you actually using a BVI?

If you have VLANs configured, you specify the VLAN in the NAT rule not the physical interface.

Re: Anyconnect configuration Cisco 1010

saids3 — Tue, 07 Mar 2023 12:04:23 GMT

Yes I'm using BV1

Here is my VPN-NAT ----

Re: Anyconnect configuration Cisco 1010

Rob Ingram — Tue, 07 Mar 2023 12:38:45 GMT

@saids3 almost looks ok, just change the source address under both original packet and translated packet to an object representing the network behind inside_2 interface (rather than using any) - then you have a NAT exemption rule between the inside network and the VPN pool. You will need to duplicate the NAT rule for the other BVI interfaces (inside_3, inside_4 etc).

Re: Anyconnect configuration Cisco 1010

saids3 — Wed, 08 Mar 2023 07:21:03 GMT

@Rob Ingram Hello - I have placed the NAT on the top -- its working fine but now the issue is the second NAT OVPN_DSM stopped working!!

Re: Anyconnect configuration Cisco 1010

Rob Ingram — Wed, 08 Mar 2023 08:01:53 GMT

@saids3 you need to be more specific in your NAT rules. Don't use "any" for interface or the networks, use the specific interface and a network object - otherwise you will have unintended NAT translations.

Re: Anyconnect configuration Cisco 1010

saids3 — Wed, 08 Mar 2023 09:00:32 GMT

Still same issue - please see the nat setting the first nat is working second not and if I swap the first always works. My network is based on BVI ---

Re: Anyconnect configuration Cisco 1010

Rob Ingram — Wed, 08 Mar 2023 09:07:42 GMT

@saids3 i thought the objective was to exempt VPN traffic? You need to specify the original and translated source addess as the same network object and the original and translated destination the same network object. This ensures VPN traffic is not unintentially translated.

Example:

Re: Anyconnect configuration Cisco 1010

saids3 — Wed, 08 Mar 2023 10:18:38 GMT

Sorry! but still not working! The good thing is nat number#2 still working!

Re: Anyconnect configuration Cisco 1010

Rob Ingram — Wed, 08 Mar 2023 10:24:06 GMT

@saids3 what is the relevance of the anyconnect connection failure in your screenshot?

Rule#1 would work for traffic from VLAN1 sourced from inside_8 to the VPN-POOL, for any user connected to the VPN. It would have no relevance to establish a VPN if thats what you mean?

Re: Anyconnect configuration Cisco 1010

saids3 — Thu, 09 Mar 2023 10:12:40 GMT

hello @Rob Ingram

any suggestion I need to VPN my network from outside -

I tried this but still failed!!