1035 Views | 0 Helpful | 5 Replies

Anyconnect via site to site from a 2nd firewall

CT_Dude
Level 1

Hi

Wonder if someone can shed some light.

Have the following

SITE A                                                                      SITE B

FW1 network 192.168.0.1 255.255.255.0 with Cisco VPN client (172.100.200.x/24) --(site to site VPN tunnel)-- FW1 network 192.168.1.x 255.255.255.0

FW2 network 192.168.0.2 255.255.255.0 with AnyConnect clients (172.100.100.x/24)

What I need to accomplish is to get the Anyconnect clients to see the SITE B network when connecting via the Anyconnect client from outside the network.

Got the Cisco VPN client working after a day of messing around with the access-lists, no-NATs and the same-security-traffic command.

Also tried adding routes on both firewalls but got an error about asymmetric.

Wonder if it will even be possible to get the Anyconnect clients to access the network in site B when connected to a 2nd firewall while the site to site vpn is setup on the 1st.

Hope someone can show me the light at the end of the tunnel.


5 Replies

Julio Carvajal
VIP Alumni

Hello,

I would be more than glad to help, but I cannot understand your deployment. Can you share a diagram?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

rizwanr74
Level 7 (Accepted Solution)

On SiteA

access-list nonat-outside extended permit ip 172.100.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat-outside extended permit ip 192.168.1.0 255.255.255.0 172.100.200.0 255.255.255.0
nat (outside) 0 access-list nonat-outside

Also please be sure to include in the crypto ACL between SiteA and SiteB.

access-list outside_1_cryptomap extended permit ip 172.100.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.100.200.0 255.255.255.0

Now on your SiteB

Also please be sure to include in the crypto ACL between SiteA and SiteB.

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.100.200.0 255.255.255.0

Let me know if this helps.

thanks

Message was edited by: Rizwan Mohamed

Hi Rizwan

Thank you for your reply.

Was not 100% sure what needed to be added to the no-NAT and crypto access-lists.

Got this working. But what I also need is to tunnel all traffic to the firewall the VPN is connected to, so that internet traffic goes out via the FW's public IP.

Will this be possible as well?

Hi

Followed the instructions on:

https://supportforums.cisco.com/docs/DOC-11640

These helped me sort out the VPN U-turn, as this guy called it.

"But what I need to add is tunnel all traffic to the firewall where vpn  is connected to so internet traffic goes via FW public ip."

Try this...

nat (outside) 1 172.100.200.0 255.255.255.0

nat (outside) 1 172.100.100.0 255.255.255.0

The highlighted "1" in the two statements above must correspond with your outside global command, which means that if your global (outside) index number is 99, then the highlighted "1" must be replaced with 99.

I am sorry for the late reply.  For some reason, I do not receive email alerts for any thread any longer from Cisco Support Community.

I do this as a labor of love, I hope you can understand.

thanks

Rizwan Rafeek
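As an added configuration check, not from this thread or from Cisco, the script below parses pre-8.3 ASA lines like the ones posted above and flags the two gaps the replies describe: a crypto ACL entry on site A that site B does not mirror, and a nat (outside) N rule whose index has no matching global (outside) N. The sample configs are constructed from the thread's lines; the ACL name outside_1_cryptomap and the "global (outside) 99 interface" line are assumptions.

```python
import re
from ipaddress import IPv4Network

# Pre-8.3 ASA syntax, as used in the thread above.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\)\s+(\d+)\b")
GLOBAL_RE = re.compile(r"^global \((\S+)\)\s+(\d+)\b")

def crypto_pairs(config, acl_name):
    """Return the (src, dst) network pairs of the named ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            src = IPv4Network(f"{m.group(2)}/{m.group(3)}")
            dst = IPv4Network(f"{m.group(4)}/{m.group(5)}")
            pairs.add((src, dst))
    return pairs

def unmirrored(site_a, site_b, acl_name="outside_1_cryptomap"):
    """Site A crypto ACL entries that have no reversed (dst, src) entry on site B."""
    a, b = crypto_pairs(site_a, acl_name), crypto_pairs(site_b, acl_name)
    return sorted(f"{s} -> {d}" for (s, d) in a if (d, s) not in b)

def nat_without_global(config):
    """nat (if) N rules (N != 0; 0 is NAT exemption) whose index has no global (if) N."""
    nats, globs = set(), set()
    for line in config.splitlines():
        if m := NAT_RE.match(line.strip()):
            nats.add(m.groups())
        elif m := GLOBAL_RE.match(line.strip()):
            globs.add(m.groups())
    return sorted(f"nat ({i}) {n}" for (i, n) in nats if n != "0" and (i, n) not in globs)

# Constructed sample configs assembled from the lines in this thread (global index assumed).
SITE_A = """
access-list nonat-outside extended permit ip 172.100.200.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (outside) 0 access-list nonat-outside
access-list outside_1_cryptomap extended permit ip 172.100.200.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (outside) 1 172.100.200.0 255.255.255.0
global (outside) 99 interface
"""
SITE_B_BEFORE = "access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0\n"
SITE_B_AFTER = SITE_B_BEFORE + "access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.100.200.0 255.255.255.0\n"

if __name__ == "__main__":
    print(unmirrored(SITE_A, SITE_B_BEFORE))  # ['172.100.200.0/24 -> 192.168.1.0/24']
    print(unmirrored(SITE_A, SITE_B_AFTER))   # []
    print(nat_without_global(SITE_A))         # ['nat (outside) 1']: index must match the global
```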
