03-20-2020 10:10 PM - last edited on 03-24-2020 10:06 AM by Monica Lluis
Here’s your chance to discuss Cisco Secure Remote Working technologies such as AnyConnect, ASA, FTD, Duo, and Umbrella. In this session, the experts will answer questions about emergency licenses, design, configuration, and troubleshooting. Our experts span more than 12 time zones. Also, we’ll be translating the session into multiple languages to provide you with the best experience possible.
This forum event works well as an introduction for those who are not familiar with these security solutions and/or have recently started using them.
Ask questions from Friday, March 20 to Friday, April 3, 2020
Divya Nair is a Technical Marketing Engineer with the Security Business Group in Raleigh, North Carolina. She has more than 10 years of experience in Cisco network security technologies, including firewalls, IPS, VPN, and AAA; and is currently focusing on VPN and firewall management platforms. Divya holds a Bachelor's degree in Computer Science and Engineering.
04-01-2020 02:29 AM
I assume it's an ASA.
You would need the following commands to gain internet access.
We need to hairpin traffic for Anyconnect users.
same-security-traffic permit intra-interface
object network obj-AnyconnectPool
 nat (outside,outside) dynamic interface
where obj-AnyconnectPool is the Anyconnect Pool network
04-01-2020 03:42 AM
04-01-2020 04:00 AM
04-01-2020 04:09 AM
04-01-2020 06:14 AM
That's correct.
TunnelAll means the traffic has to reach the headend (ASA) and from there we are routing the traffic (with the use of Dynamic PAT on the outside interface) to the internet.
You would need a reverse-route (for the pool) on the downstream device.
Something like this:
ip route x.x.x.x mask <ASA inside interface IP>
Regards,
Aditya
04-01-2020 07:28 AM
I am already using that NAT for inside access - how do I allow the IP pool for AnyConnect to be allowed to the internet via the headend device?
The client connects to AnyConnect and receives an IP address from the AnyConnect IP pool.
With the NAT below they can reach internal networks but NOT the INTERNET. [I replaced the "any" with an internal object group.]
nat (inside,outside) source static any any destination static obj-Anyconnect obj-Anyconnect
What EXACTLY is needed to allow that AnyConnect IP pool to ALSO go to the internet? Because this NAT is not allowing the client out to the internet???
04-01-2020 07:39 AM
Hi,
The following guide details all the steps you need to achieve this: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html
Please have a look and let us know if you have any questions.
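A check for the two hairpin prerequisites named in the replies above, written as an added example that is not part of the original thread or of any Cisco tooling. It scans saved ASA configuration text and reports which piece is missing; the sample configs, the 192.0.2.0/24 pool subnet and the function names are constructed for illustration.

```python
import re

# Constructed sample: only the identity NAT for inside access is present,
# which matches the "internal works, internet does not" symptom in the thread.
SAMPLE_BROKEN = """\
object network obj-AnyconnectPool
 subnet 192.0.2.0 255.255.255.0
nat (inside,outside) source static any any destination static obj-AnyconnectPool obj-AnyconnectPool
"""

# Constructed sample: same config plus the hairpin commands from the first reply.
SAMPLE_FIXED = SAMPLE_BROKEN + """\
same-security-traffic permit intra-interface
object network obj-AnyconnectPool
 nat (outside,outside) dynamic interface
"""

def object_blocks(config):
    """Map each 'object network NAME' to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)\s*$", line)
        if m:
            # The same object may appear twice (definition, then its NAT rule).
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return blocks

def hairpin_findings(config, pool_object, iface="outside"):
    """Return a list of missing hairpin prerequisites (empty list = all present)."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing: same-security-traffic permit intra-interface")
    wanted = f"nat ({iface},{iface}) dynamic interface"
    if wanted not in object_blocks(config).get(pool_object, []):
        findings.append(f"missing: {wanted} under object network {pool_object}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, hairpin_findings(cfg, "obj-AnyconnectPool") or "hairpin prerequisites present")
```

The check only looks for the literal commands quoted in the thread; an equivalent rule written as manual (twice) NAT would not be recognized.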
04-01-2020 08:39 AM
04-01-2020 08:46 AM
04-01-2020 09:10 AM
04-02-2020 08:47 AM
04-02-2020 09:34 AM
04-02-2020 02:28 PM
I want to send audio material that I have on my computer to participants in my meetings. I want them to be able to listen to extracts that I select. Is this possible?
04-02-2020 07:27 PM
04-02-2020 11:45 PM
Hello
I need to create new VLAN02 for guest WIFI and set up some rules to restrict access to some IP address.
My ASA5506 is in BVI mode.
The current ASA interfaces are like this:
BVI1 – inside
GIG1/1 - outside -
GIG1/2 - inside_1 -
GIG1/3 - inside_2 -
GIG1/4 - inside_3 -
GIG1/5 - inside_4 -
GIG1/6 - inside_5 -
GIG1/7 - inside_6 -
GIG1/8 - inside_7 -
Management1/1 -
I want to assign GIG1/5 for VLAN02 as guest Wi-Fi and assign an IP address for this new VLAN.
What is the best practice to do it? Please.
Is it possible to demonstrate the setting from ASDM?