cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

5946
Views
115
Helpful
77
Replies
ciscomoderator
Community Manager

Community Ask Me Anything - Secure Remote Workers

You can ask your question on your own language:

Español  Português Français Русский  日本語 简体中文

Here’s your chance to discuss Cisco Secure Remote Working technologies such as AnyConnect, ASA, FTD, Duo, and Umbrella. In this session, the experts will answer questions about emergency licenses, design, configuration, and troubleshooting. Our experts span more than 12 time zones. Also, we’ll be translating the session into multiple languages to provide you with the best experience possible.

This forum event works well as an introduction for those who are not familiar with these security solutions and/or have recently started using them.

To participate in this event, please use the Join the Discussion : Cisco Ask the Expertbutton below to ask your questions

Ask questions from Friday, March 20 to Friday, April 3, 2020

Featured experts

divyanai.jpgDivya Nair is a Technical Marketing Engineer with the Security Business Group in Raleigh, North Carolina. She has more than 10 years of experience in Cisco network security technologies, including firewalls, IPS, VPN, and AAA; and is currently focusing on VPN and firewall management platforms. Divya holds a Bachelor's degree in Computer Science and Engineering.

 

jonnoble.jpgJonny Noble leads the Technical Marketing team for Cloud Security at Cisco, with expertise in Cisco Umbrella and surrounding technologies. For more than 20 years, Jonny has obtained experience in customer-facing disciplines for global hi-tech organizations. He also has rich experience in presenting breakout sessions and proctoring labs at Cisco Live events along with representing Cisco at numerous customer and partner events, trade shows, and exhibitions. Jonny holds degrees in Electronics, Sociology, a Business MBA, and is CISSP certified.

 

adganjoo.jpgAditya Ganjoo is a Technical Marketing Engineer in Bangalore, India. He has been working with Cisco for the past seven years in Security domains such as Firewall, VPN and AAA. Aditya has delivered trainings on ASA and VPN technologies. He holds a Bachelor's degree in Information Technology. Additionally, he is a CCIE in Security (CCIE#58938). He has been a consistent contributor on Cisco Support Community and has delivered multiple sessions at Cisco Live.

 

Due to the anticipated volume for this high in-demand event, Divya, Aditya, Jonny might not be able to answer each question. Thus, remember that you can continue the conversation directly in the Security community.

By posting a question on this event you're giving permission to be translated in all languages we have in the community.

**Helpful votes Encourage Participation! **
Please be sure to rate the Answers to Questions

77 REPLIES 77

I assume it's an ASA.

You would need the following commands to gain internet access.

We need to hairpin traffic for Anyconnect users.

 

same-security-traffic permit intra-interface

 

object network obj-AnyconnectPool
nat (outside,outside) dynamic interface

where obj-AnyconnectPool is the Anyconnect Pool network

 

 

 

It is a head end asa I already have the permit intra interface traffic.
I can try the NAT you suggest. Having a hard time imagining how that will allow the traffic to inside I will try in an hour. Thank you

The NAT I suggested is to have internet access for the Anyconnect users since you mentioned they lose Internet access, once they connect to Anyconnect (with TunnelAll).

For Internal access, you can exempt Anyconnect Traffic using this NAT:

nat (inside,outside) source static any any destination static obj-Anyconnect obj-Anyconnect

Regards,

Aditya


With the tunnel all can they have both access to inside and be allowed to the internet but have the traffic go out the ASA for the internet not their home network?
Also as far as routing. Would you add a route
There in the ASA or is injecting a route down stream suggested.

Thats correct.

 

TunnelAll means the traffic has to reach the headend (ASA) and from there we are routing the traffic (with the use of Dynamic PAT on the outside interface) to the internet.

 

You would need a reverse-route (for the pool)  on the downstream device.

 

Something like this:

 

ip route x.x.x.x mask <ASA inside interface IP>

 

 

Regards,

 

Aditya

I am already using that NAT for inside access - how do allow the IP pool for AnyConnect to be allowed to the internet via the headend device.

The client connects to AnyConnect- receives and IP address from the AnyConnect IP pool.

with the NAT below they can reach internal networks but NOT the INTERNET. [I replaced the "any " with an internal object group.]

nat (inside,outside) source static any any destination static obj-Anyconnect obj-Anyconnect

What EXACTLY is needed to allow that AnyConnect IP pool to ALSO go to the internet? Because this NAT is not allowing the client out to the internet???

Hi,

 

The following guide details all the steps you need to achieve this: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html

 

Please have a look and let us know if you have any questions.

I already mentioned this in my earlier post.

Use this NAT:

object network obj-AnyconnectPool
nat (outside,outside) dynamic interface

So have 2 NAT statements for the AnyConnect IP pool?


Yes one for internal network access and one for Internet access.

I wanted to say THANK YOU. The last link you provided was exactly what I needed! I still need to figure the back end routing but I am very happy to report that AnyConnect is working in the Tunnelall configuration for me thanks to you.

Happy to help.
ORI1ori1
Beginner

I want to send audio material that I have on my computer to participants in my meetings. I want them to be able to listen to extracts that I select. Is this possible?

saids3
Beginner

Hello

I need to create new VLAN02 for guest WIFI and set up some rules to restrict access to some IP address.

My ASA5506 is in BVI mode.

The current ASA interfaces are like this;

BVI1 – inside

GIG1/1 -  outside -

GIG1/2 -  inside_1 -

GIG1/3 -  inside_2 -

GIG1/4 -  inside_3 -

GIG1/5 -  inside_4 -

GIG1/6 -  inside_5 -

GIG1/7 -  inside_6 -

GIG1/8 -  inside_7 -

Management1/1 -   

 

I want to assign GIG1/5 for VLAN02 as guest Wi-Fi and assign and IP address for this new VLAN.

What is the best practice to do it? Please.

Is it possible to demonstrate the setting from ASDM?

Content for Community-Ad