
Access to LAN Site to Site From ANY Connect on Cisco ASA

Santimac
Level 1

Hello,

I have 2 LANs connected across a site-to-site VPN with 2 Cisco ASA 5500s. It is working OK, but on one of the ASAs the AnyConnect users need to connect to the other LAN across the VPN. Is that possible? Here is a basic diagram that I made for a better explanation.

FW.png


Thanks


Accepted Solution

santimac88
Level 1

Solution to this:

Steps to perform at LAN 1 ASA
1. Add AnyConnect VPN subnet to the crypto ACL to allow it over the site-to-site VPN.
2. Allow access from the AnyConnect VPN subnet to the LAN2 subnet in AnyConnect VPN.
3. Add no NAT for the AnyConnect VPN subnet.

Steps to perform at LAN 2 ASA
1. Add AnyConnect VPN subnet to the crypto ACL to allow it over the site-to-site VPN.

Run these commands:
- same-security-traffic permit intra-interface
- same-security-traffic permit inter-interface

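The steps in the accepted solution as a worked ASA 8.3+ configuration, added here as an example; it is not from this thread or from Cisco documentation. The object, ACL, crypto map and group-policy names, the pool 192.168.100.0/24 and the LAN2 range 10.2.0.0/16 are assumed placeholders, and reading step 2 as the AnyConnect split-tunnel list is an assumption.

```cisco
! ===== LAN 1 ASA (terminates AnyConnect and the L2L tunnel) =====
! Placeholder objects (assumed addressing, not from the thread).
object network ANYCONNECT_POOL
 subnet 192.168.100.0 255.255.255.0
object network LAN2_NET
 subnet 10.2.0.0 255.255.0.0
!
! Step 1: add the AnyConnect pool to the site-to-site crypto ACL.
! Entry 10 is assumed to be the existing crypto map entry for the LAN 2
! peer. The LAN 2 side must carry the exact mirror of this ACL entry,
! otherwise no IPsec SA is negotiated for pool<->LAN2 traffic.
access-list L2L_TO_LAN2 extended permit ip object ANYCONNECT_POOL object LAN2_NET
crypto map OUTSIDE_MAP 10 match address L2L_TO_LAN2
!
! Step 2 (assumed reading): put LAN2 in the split-tunnel list so clients
! send it through the tunnel. List only the prefixes users actually need.
access-list ANYCONNECT_SPLIT standard permit 10.2.0.0 255.255.0.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ANYCONNECT_SPLIT
!
! Step 3: NAT exemption. Pool traffic arrives on "outside" and leaves on
! "outside" again, so the identity NAT is (outside,outside) and the ASA
! must be allowed to hairpin traffic on that interface.
nat (outside,outside) source static ANYCONNECT_POOL ANYCONNECT_POOL destination static LAN2_NET LAN2_NET no-proxy-arp route-lookup
same-security-traffic permit intra-interface
!
! ===== LAN 2 ASA =====
object network ANYCONNECT_POOL
 subnet 192.168.100.0 255.255.255.0
object network LAN2_NET
 subnet 10.2.0.0 255.255.0.0
! Step 1: mirror of the LAN 1 crypto ACL entry.
access-list L2L_TO_LAN1 extended permit ip object LAN2_NET object ANYCONNECT_POOL
crypto map OUTSIDE_MAP 10 match address L2L_TO_LAN1
! Needed whenever LAN2 hosts are otherwise NATed towards outside:
! keeps return traffic to the pool untranslated.
nat (inside,outside) source static LAN2_NET LAN2_NET destination static ANYCONNECT_POOL ANYCONNECT_POOL no-proxy-arp route-lookup
!
! ===== Checks on LAN 1 ASA after a client tries to reach LAN2 =====
! The identity NAT line should show its translate_hits increasing, and
! an SA should exist with local ident 192.168.100.0/255.255.255.0 and
! remote ident 10.2.0.0/255.255.0.0. No hits: revisit the NAT order;
! no SA: the crypto ACLs on the two sides are not mirrors.
show nat
show crypto ipsec sa
```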

7 Replies

Hi,

Yes, we can do it.

Steps to perform at LAN 1 ASA
1. Add AnyConnect VPN subnet to the crypto ACL to allow it over the site-to-site VPN.
2. Allow access from the AnyConnect VPN subnet to the LAN2 subnet in AnyConnect VPN.
3. Add no NAT for the AnyConnect VPN subnet.

Steps to perform at LAN 2 ASA
1. Add AnyConnect VPN subnet to the crypto ACL to allow it over the site-to-site VPN.

Spooster IT Services Team

Could you explain step 2 to me a little bit more?

2. Allow access from the AnyConnect VPN subnet to the LAN2 subnet in AnyConnect VPN.

In AnyConnect?


Thanks

That looks to be a typo; you can check now.

Spooster IT Services Team

Do I need to add a route on the LAN 1 ASA to LAN 2? I don't think so, because the connection is on the same FW.

I think I already added the NAT Exemption but still not working.

Hi,
Yes this is possible.

You need to add the AnyConnect VPN Pool network to the crypto ACL on both ASAs.
You will also need to add a no-NAT/NAT exemption rule on the LAN1 ASA to ensure the traffic from the AnyConnect VPN pool to the LAN2 network(s) is not NATed.

HTH

How can I add the no-NAT/NAT rule? At this moment, this is the rule that was created automatically after I created the site-to-site VPN. Where am I going to create that rule?

Untitled.png

