2281 Views | 115 Helpful | 77 Replies
Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

I assume it's an ASA.

You would need the following commands to gain internet access.

We need to hairpin traffic for Anyconnect users.

same-security-traffic permit intra-interface

object network obj-AnyconnectPool
nat (outside,outside) dynamic interface

where obj-AnyconnectPool is the Anyconnect Pool network

Beginner

Re: Community Ask Me Anything - Secure Remote Workers

It is a head end ASA. I already have the permit intra-interface traffic.
I can try the NAT you suggest. Having a hard time imagining how that will allow the traffic to inside; I will try in an hour. Thank you
Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

The NAT I suggested is to have internet access for the Anyconnect users, since you mentioned they lose Internet access once they connect to Anyconnect (with TunnelAll).

For Internal access, you can exempt Anyconnect Traffic using this NAT:

nat (inside,outside) source static any any destination static obj-Anyconnect obj-Anyconnect

Regards,

Aditya


Beginner

Re: Community Ask Me Anything - Secure Remote Workers

With tunnel-all, can they have both access to inside and be allowed to the internet, but have the traffic go out the ASA for the internet, not their home network?
Also, as far as routing: would you add a route there in the ASA, or is injecting a route downstream suggested?
Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

That's correct.

TunnelAll means the traffic has to reach the headend (ASA) and from there we are routing the traffic (with the use of Dynamic PAT on the outside interface) to the internet.

You would need a reverse-route (for the pool) on the downstream device.

Something like this:

ip route x.x.x.x mask <ASA inside interface IP>

Regards,

Aditya

Beginner

Re: Community Ask Me Anything - Secure Remote Workers

I am already using that NAT for inside access - how do I allow the IP pool for AnyConnect to be allowed to the internet via the headend device?

The client connects to AnyConnect and receives an IP address from the AnyConnect IP pool.

With the NAT below they can reach internal networks but NOT the INTERNET. [I replaced the "any" with an internal object group.]

nat (inside,outside) source static any any destination static obj-Anyconnect obj-Anyconnect

What EXACTLY is needed to allow that AnyConnect IP pool to ALSO go to the internet? Because this NAT is not allowing the client out to the internet???

Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

Hi,

The following guide details all the steps you need to achieve this: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html

Please have a look and let us know if you have any questions.

Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

I already mentioned this in my earlier post.

Use this NAT:

object network obj-AnyconnectPool
nat (outside,outside) dynamic interface

Beginner

Re: Community Ask Me Anything - Secure Remote Workers

So have 2 NAT statements for the AnyConnect IP pool?


Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

Yes one for internal network access and one for Internet access.
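Pulling the replies above together, as an added example that is not any poster's own configuration: the AnyConnect pool with a tunnel-all group policy, the hairpin permit, the two NAT rules (exemption toward inside, dynamic PAT toward the Internet) and the downstream return route. All addresses, and every object and pool name other than obj-AnyconnectPool, are constructed; the thread calls the pool object both obj-AnyconnectPool and obj-Anyconnect, and this example uses the former throughout.

```cisco
! Added example, not from the thread. Constructed placeholder addresses:
!   192.168.50.0/24  AnyConnect pool        (object obj-AnyconnectPool)
!   10.0.0.0/8       internal networks      (object obj-Internal)
!   10.1.1.1         ASA inside interface IP (next hop on the downstream router)
!
! 1. Pool and tunnel-all group policy (no split tunnelling, so Internet
!    traffic also arrives at the ASA)
ip local pool ANYCONNECT-POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelall
 address-pools value ANYCONNECT-POOL
!
! 2. Let traffic that arrived on outside leave via outside again (hairpin)
same-security-traffic permit intra-interface
!
! 3. Objects; the pool object also carries the auto NAT for Internet access
object network obj-Internal
 subnet 10.0.0.0 255.0.0.0
object network obj-AnyconnectPool
 subnet 192.168.50.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
! 4. NAT exemption so pool <-> internal traffic keeps its real addresses.
!    This is the thread's "any any" rule narrowed to the internal object,
!    as the poster did. Manual NAT is evaluated before the auto NAT above,
!    so internal destinations are exempted and everything else is PATed.
nat (inside,outside) source static obj-Internal obj-Internal destination static obj-AnyconnectPool obj-AnyconnectPool no-proxy-arp route-lookup
!
! 5. On the downstream (inside) router, NOT on the ASA: return route for
!    the pool pointing at the ASA inside interface
!    ip route 192.168.50.0 255.255.255.0 10.1.1.1
!
! Verification on the ASA with constructed hosts:
!   packet-tracer input outside tcp 192.168.50.10 12345 10.2.3.4 443
!     expect the NAT phase to match the exemption (step 4), egress inside
!   packet-tracer input outside tcp 192.168.50.10 12345 203.0.113.10 443
!     expect dynamic PAT to the outside interface IP (step 3), egress outside
!   show nat detail
!     confirms hit counts on both rules after a client sends traffic
```

If the exemption rule is missing or ordered after the PAT rule, the first packet-tracer run shows the pool address being translated to the outside interface IP, which is the "inside works but Internet does not" or vice-versa symptom described in the thread.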
Beginner

Re: Community Ask Me Anything - Secure Remote Workers

I wanted to say THANK YOU. The last link you provided was exactly what I needed! I still need to figure the back end routing but I am very happy to report that AnyConnect is working in the Tunnelall configuration for me thanks to you.
Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

Happy to help.
Beginner

Re: Community Ask Me Anything - Secure Remote Workers

I want to send audio material that I have on my computer to participants in my meetings. I want them to be able to listen to extracts that I select. Is this possible?

Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

Beginner

Re: Community Ask Me Anything - Secure Remote Workers

Hello

I need to create new VLAN02 for guest WIFI and set up some rules to restrict access to some IP address.

My ASA5506 is in BVI mode.

The current ASA interfaces are like this:

BVI1 – inside
GIG1/1 - outside
GIG1/2 - inside_1
GIG1/3 - inside_2
GIG1/4 - inside_3
GIG1/5 - inside_4
GIG1/6 - inside_5
GIG1/7 - inside_6
GIG1/8 - inside_7
Management1/1 -

I want to assign GIG1/5 for VLAN02 as guest Wi-Fi and assign an IP address for this new VLAN.

What is the best practice to do it? Please.

Is it possible to demonstrate the setting from ASDM?