Cisco AnyConnect to NAT for L2L tunnels

bhuffy
Level 1

Hello all, 


I'm looking to gather some thoughts to determine if this is possible or not. I currently have an AnyConnect VPN configured on my ASA and it's working fine. I'd like to be able to access my L2L offices without updating the phase 2 networks on each remote office.


As far as I see it, I have two options:

  1. Specify an AnyConnect range within my existing LAN subnet
  2. NAT the AnyConnect hosts using an IP of the inside interface

I'd prefer not to pick a pool that overlaps with the LAN subnet - I'd rather just NAT the AnyConnect traffic via the inside interface address. Is this something that is possible on the ASA? I've attempted to create a NAT rule for this traffic without success (outside -> outside NAT rule).


I am not entirely sure how the ASA will act if you use the inside IP as the NATed IP.  I would suggest using a different internal IP for the NATed IP.  For example, if the ASA is using .1 then use .2 and update your DHCP server to exclude .2 from the DHCP pool.  Make sure that you also have the command same-security-traffic permit intra-interface configured if the AnyConnect ingress interface is the same interface that terminates the L2L VPNs.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius, thanks for the reply. I did try using a spare IP on the inside during my testing without success. To confirm, I do have "same-security-traffic permit intra-interface" applied. 

Could you post your full running-config, remove any usernames, passwords or public IPs.


Thanks for the reply. Here are the NAT statements for the SSL VPN. I am hung up on the second rule.


SSLVPN net - n_10.255.1.0_24
Remote office - n_192.168.21.0_24

Inside/local net - n_192.168.10.0_24
Unused IP on LAN for SNAT - h_192.168.10.3


# no-nat rule for lan (working fine)
nat (inside,outside) source static any any destination static n_10.255.1.0_24 n_10.255.1.0_24 no-proxy-arp route-lookup
# snat rule for l2l 
nat (outside,outside) source dynamic n_10.255.1.0_24 h_192.168.10.3 destination static n_192.168.21.0_24 n_192.168.21.0_24


Your NAT statement looks fine. What equipment is on the remote site that you are trying to access?  If you are restricting access to those devices, have you permitted access from 192.168.10.3 to those devices?  Are you able to ping devices on the remote site?


The remote peer is a small business VPN router (Linksys). The remote office is allowing the entire /24 and other hosts on the LAN are able to reach devices on the remote LAN (and vice versa). I'm going to see what sort of diagnostics I can perform on the peer. Thanks for the reply!

After reapplying the NAT statement, I found everything to be working as expected. I must've just overlooked something during my initial testing.
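Putting the pieces of this thread together as one ASA configuration, as an added example that is not the original poster's or Marius' own config: the object names and the two NAT rules are the ones posted above, the subnet masks and the verification commands at the end are assumptions.

```text
! Network objects (names from the thread; masks assumed)
object network n_10.255.1.0_24
 subnet 10.255.1.0 255.255.255.0
object network n_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network n_192.168.21.0_24
 subnet 192.168.21.0 255.255.255.0
object network h_192.168.10.3
 host 192.168.10.3
!
! AnyConnect sessions and the L2L tunnels both terminate on "outside",
! so decrypted AnyConnect traffic must be allowed to leave through the
! same interface it arrived on (hairpinning)
same-security-traffic permit intra-interface
!
! Identity (no-NAT) rule: AnyConnect clients reach the local LAN untranslated
nat (inside,outside) source static any any destination static n_10.255.1.0_24 n_10.255.1.0_24 no-proxy-arp route-lookup
!
! Source NAT for the L2L path: a single-host mapped object gives dynamic PAT,
! so every AnyConnect client is seen by the remote office as 192.168.10.3.
! That address already sits inside the 192.168.10.0/24 network the remote
! peer's phase 2 selector permits, which is why the remote config is untouched.
! Caveat: PAT is one-way; remote hosts cannot initiate connections to clients.
nat (outside,outside) source dynamic n_10.255.1.0_24 h_192.168.10.3 destination static n_192.168.21.0_24 n_192.168.21.0_24
!
! Verification after an AnyConnect client has opened a connection to the
! remote LAN: the xlate table should show 10.255.1.x mapped to 192.168.10.3
! and the translate_hits counter on the second rule should increase
show nat detail
show xlate
```

Because the two manual NAT rules match different destinations they do not compete, so their relative order in section 1 does not matter here.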
