This document describes the scenario where user wants implement Site to Site using AnyConnect client.
ASA 55xx: :2
IOS V 8.x
User need general guidance in configuring 2 ASAs connected via site-to-site VPN and then have remote AnyConnect client connect to far end site.Both ASAs are set up for site-to-site VPNs as shown on the attached diagram. Hosts on each LAN segment can ping across the site-to-site tunnel.
One of the ASAs also acts as a terminating endpoint for AnyConnect clients. Remote AnyConnect users can successfully see items on the 192.168.1.X subnet shown on the attached (and items behind the router not shown). Outside interface of the ASAs are the terminating points for all cyrpto.
Where user is struggling in configuring the ASAs so the Remote AnyConnect users can see the 192.168.2.X network.
Few things: These IPs are not production IPs and don't want to include config outputs. No routing other than static routing is configured between ASAs and any layer-3 devices. For those users in the 192.168.1.X subnet their default gateway is configured to be the Router 192.168.1.1. For those users in the 192.168.2.X network their default gateway is configured to be the ASA 192.168.2.1. Attached diagram generally shows how user want to set up.
User need to allow the AnyConnect clients (that connect to the ASA), to communicate across the IPsec tunnel to the other ASA and reach 192.168.2.x ?
What you should do is in the crypto ACL of the Site-to-Site tunnel include another ACE with the 192.168.102.x (which is the pool of the AnyConnect clients)?
Let';s say this is the user's ACL for split tunnel for the AnyConnect clients
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
So, you should also include:
access-list split permit ip 192.168.2.0 255.255.255.0 192.168.102.0 255.255.255.0
Let's say that you have this ACL as the crypto ACL for the Site-to-Site tunnel
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
So, add this line:
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.102.0 255.255.255.0
To allow the ASA to redirect back out the same interface traffic that it receives, you should add:
same-security-traffic permit intra-interface
Also, check the NAT configuration to include these networks accordingly.
In the process of RMAing a 5508 that was running FTD code and wondering what the best way to replace it would be. The device was previously managed over a vpn tunnel and the management interface was used (used registration code and nat-id which I ha...
Hello Engineers and Professionals, I wonder Firepower can have multiple IPv4 pools for remote access VPN.I have one IPv4 pool for remote users, but I need different users account for vendors. For examples,Company Users: 192.168.1.20-192.168.1.20...
Hello. I know there's been plenty of topics regarding Windows based 802.1X computer authentication but none of them seem to provide an explanation for MacOS. I'm familiar with how 'user authentication' works on MacOS but struggling to understand...
I'm having some issues with Amp flagging some tmp files as malicious. I received 32 alerts from a single machine within an hour as Gen:Trojan.Heur.FU.RqZ@a0N@95j. The files are created by werfault.exe, which is a legitimate program. Werfault can run ...
Hi Do we have support for stateful failover of SITE to Site IPSEC tunnel on Multicontext mode.?I have pair of ASAs 5515-x with 9.8(2) i read the ASA Document...however still not clear. Guidelines for IPsec VPNsMulticontextContext Mode...