This document describes a scenario in which a user wants remote AnyConnect clients to reach the far side of a site-to-site VPN.
ASA 55xx: 2 units
Software version 8.x
The user needs general guidance on configuring 2 ASAs connected via a site-to-site VPN, and then having a remote AnyConnect client connect to the far-end site. Both ASAs are set up for site-to-site VPN as shown on the attached diagram. Hosts on each LAN segment can ping across the site-to-site tunnel.
One of the ASAs also acts as the terminating endpoint for AnyConnect clients. Remote AnyConnect users can successfully see hosts on the 192.168.1.x subnet shown on the attached diagram (and hosts behind the router, not shown). The outside interfaces of the ASAs are the terminating points for all crypto.
Where the user is struggling is in configuring the ASAs so that the remote AnyConnect users can see the 192.168.2.x network.
A few notes: these IPs are not production IPs, and the user does not want to include config outputs. No routing other than static routing is configured between the ASAs and any layer-3 devices. For users in the 192.168.1.x subnet, the default gateway is the router 192.168.1.1. For users in the 192.168.2.x network, the default gateway is the ASA 192.168.2.1. The attached diagram shows in general how the user wants to set this up.
The user needs to allow the AnyConnect clients (which connect to the ASA) to communicate across the IPsec tunnel to the other ASA and reach 192.168.2.x.
What you should do is include, in the crypto ACL of the site-to-site tunnel, another ACE for 192.168.102.x (the address pool of the AnyConnect clients).
Let's say this is the user's split-tunnel ACL for the AnyConnect clients:
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
So, you should also include:
access-list split permit ip 192.168.2.0 255.255.255.0 192.168.102.0 255.255.255.0
Let's say that you have this ACL as the crypto ACL for the Site-to-Site tunnel
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
So, add this line:
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.102.0 255.255.255.0
The AnyConnect traffic arrives on the outside interface and must leave again on the outside interface toward the site-to-site peer. To allow the ASA to send traffic back out the same interface on which it was received, you should add:
same-security-traffic permit intra-interface
Also, check the NAT configuration on both ASAs: traffic between the AnyConnect pool (192.168.102.x) and 192.168.2.x must be exempted from NAT in the same way as the traffic between the two LANs.
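The following is an added worked example, not configuration from the original document or from the user's ASAs, that puts the pieces above together on both firewalls. It assumes interfaces named "inside" and "outside", ASA software 8.3 or later (object-based NAT), ASA-A as the 192.168.1.0/24 site that terminates AnyConnect, and ASA-B as the 192.168.2.0/24 site. The object, pool, group-policy and tunnel-group names are placeholders, and the existing crypto map, transform set and site-to-site tunnel-group are assumed to be already in place and are not repeated.

```cisco
! Added example (not from the original document). Names below are placeholders.
!===================== ASA-A (terminates AnyConnect, LAN 192.168.1.0/24) =====================
ip local pool ANYCONNECT-POOL 192.168.102.1-192.168.102.254 mask 255.255.255.0

! Split-tunnel ACL in extended form: source = network behind the ASA, destination = client pool.
! Both LANs must be listed, otherwise the client sends 192.168.2.x traffic out its local interface.
access-list split extended permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list split extended permit ip 192.168.2.0 255.255.255.0 192.168.102.0 255.255.255.0

! Crypto ACL for the site-to-site tunnel, written from ASA-A's point of view (local network first).
! The second ACE makes the AnyConnect pool "interesting traffic" toward site B.
access-list crypto extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list crypto extended permit ip 192.168.102.0 255.255.255.0 192.168.2.0 255.255.255.0

! Hairpin: AnyConnect traffic enters on outside and leaves on outside toward ASA-B.
same-security-traffic permit intra-interface

! NAT exemption (identity NAT) for every pair of networks that crosses a tunnel.
object network LAN-A
 subnet 192.168.1.0 255.255.255.0
object network LAN-B
 subnet 192.168.2.0 255.255.255.0
object network ANYCONNECT-NET
 subnet 192.168.102.0 255.255.255.0
nat (inside,outside) source static LAN-A LAN-A destination static LAN-B LAN-B
nat (inside,outside) source static LAN-A LAN-A destination static ANYCONNECT-NET ANYCONNECT-NET
! outside-to-outside pair covers the hairpinned pool-to-site-B flow
nat (outside,outside) source static ANYCONNECT-NET ANYCONNECT-NET destination static LAN-B LAN-B

! Group policy and tunnel group for the AnyConnect clients.
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP

!===================== ASA-B (LAN 192.168.2.0/24) =====================
! The crypto ACL must mirror ASA-A's ACL exactly (proxy identities), so the pool appears as destination.
access-list crypto extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto extended permit ip 192.168.2.0 255.255.255.0 192.168.102.0 255.255.255.0

object network LAN-A
 subnet 192.168.1.0 255.255.255.0
object network LAN-B
 subnet 192.168.2.0 255.255.255.0
object network ANYCONNECT-NET
 subnet 192.168.102.0 255.255.255.0
nat (inside,outside) source static LAN-B LAN-B destination static LAN-A LAN-A
nat (inside,outside) source static LAN-B LAN-B destination static ANYCONNECT-NET ANYCONNECT-NET
```

To confirm the change took effect, connect a client and send traffic to a 192.168.2.x host, then run `show crypto ipsec sa peer <ASA-B outside IP>` on ASA-A: a second IPsec SA with local identity 192.168.102.0/24 and remote identity 192.168.2.0/24 should appear next to the existing LAN-to-LAN SA, and `show vpn-sessiondb anyconnect` should list the client. Two caveats follow from the scenario itself: because site-A hosts use the router 192.168.1.1 as their gateway, that router needs routes for 192.168.2.0/24 and 192.168.102.0/24 pointing at ASA-A's inside address; and on ASA software 8.2 and earlier the NAT exemption is expressed with `nat (inside) 0 access-list` and `nat (outside) 0 access-list` statements rather than the object NAT shown here.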