rvarelac

Introduction

By design, or to avoid running multiple VPN endpoints, you might want to terminate the AnyConnect (remote-access) VPN and the site-to-site (S2S) VPN on the same ASA and share networks between the two tunnels, so that AnyConnect users can reach the networks behind the S2S peer.

With the following configuration we simplify the configuration requirements and may provide better performance to the user, since the client traffic is hairpinned on ASA1 straight into the S2S tunnel.

Requirements

ASA running 8.4 code or above
AnyConnect client 3.x or 4.x

Topology

Addressing used in the configuration below: ASA1 has outside address 1.1.1.1, LAN 192.168.10.0/24 and AnyConnect pool 10.10.10.0/24; ASA2 has outside address 2.2.2.2 and LAN 192.168.20.0/24. The S2S tunnel runs between the two outside interfaces, and AnyConnect clients terminate on ASA1's outside interface.

Configuration required

ASA 1 AnyConnect config

ASA1(config)# webvpn
ASA1(config-webvpn)# enable outside
ASA1(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.1.xxxxxx-k9.pkg
ASA1(config-webvpn)# anyconnect enable

////////////////////////// Enable SSL and Anyconnect ///////////////////////////////////////////////////

ASA1(config)# ip local pool Anyconnect 10.10.10.0-10.10.10.254 mask 255.255.255.0

////////////////////////// Define the Anyconnect pool ///////////////////////////////////////////////////

ASA1(config)# access-list AC-nets standard permit 192.168.10.0 255.255.255.0
ASA1(config)# access-list AC-nets standard permit 192.168.20.0 255.255.255.0

//////////// Define the remote networks you want to reach //////////////////////////////////////

ASA1(config)# group-policy Anyconnect internal
ASA1(config)# group-policy Anyconnect attributes
ASA1(config-group-policy)# dns-server 4.4.4.4 8.8.8.8
ASA1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA1(config-group-policy)# split-tunnel-network-list value AC-nets

ASA1(config)# tunnel-group Anyconnect type remote-access
ASA1(config)# tunnel-group Anyconnect general-attributes
ASA1(config-tunnel-general)# default-group-policy Anyconnect
ASA1(config-tunnel-general)# address-pool Anyconnect

//////////// Configure the Anyconnect policy //////////////////////////////////////

S2S config

ASA1(config)# access-list VPN_ACL extended permit ip 10.10.10.0 255.255.255.0 192.168.20.0 255.255.255.0
ASA1(config)# access-list VPN_ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

//////////// Define the Access-list for the S2S tunnel //////////////////////////////////////

ASA1(config)# crypto map S2S-tunnel 1 set transform-set ESP-3DES-SHA
ASA1(config)# crypto map S2S-tunnel 1 match address VPN_ACL
ASA1(config)# crypto map S2S-tunnel 1 set peer 2.2.2.2
ASA1(config)# crypto map S2S-tunnel interface outside

//////////////////////////////Configure the S2S tunnel  ////////////////////////////////////////////////////////

ASA1(config)# same-security-traffic permit intra-interface

//////////////////////////// Enable hair-pinning on the ASA (AnyConnect traffic enters and leaves the outside interface) ///////////////////////////////////////////////////////

ASA1(config)# object-group network remote-nets
ASA1(config-network-object-group)# network-object 192.168.20.0 255.255.255.0

ASA1(config)# object-group network AC-pool
ASA1(config-network-object-group)# network-object 10.10.10.0 255.255.255.0

ASA1(config)# nat (outside,outside) source static AC-pool AC-pool destination static remote-nets remote-nets route-lookup

////////////////////// Configure a NO-NAT (identity NAT) rule for this traffic so the client pool addresses match the crypto ACL unchanged ////////////////////////////////////////

ASA 2 Site-to-Site Configuration

ASA2(config)# access-list VPN_ACL extended permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
ASA2(config)# access-list VPN_ACL extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

//////////// Define the Access-list for the S2S tunnel (mirror image of ASA1's VPN_ACL, including the AnyConnect pool) //////////////////////////////////////

ASA2(config)# crypto map S2S-tunnel 1 set transform-set ESP-3DES-SHA
ASA2(config)# crypto map S2S-tunnel 1 match address VPN_ACL
ASA2(config)# crypto map S2S-tunnel 1 set peer 1.1.1.1
ASA2(config)# crypto map S2S-tunnel interface outside

//////////////////////////////Configure the S2S tunnel  ////////////////////////////////////////////////////////
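Most failures with this design come from the AnyConnect pool being missing on one side: the pool must appear as a source in ASA1's crypto ACL, as a destination in ASA2's mirror-image ACL, and the remote network must be in the split-tunnel list so the client even sends the traffic to ASA1. The following added checker (example code written for this post, not Cisco's or the author's; the config excerpts are constructed from the two configs above) parses those ACLs and reports the gaps.

```python
import ipaddress
import re

# Constructed excerpts of the relevant lines from ASA1 and ASA2 above.
ASA1_CFG = """
access-list AC-nets standard permit 192.168.10.0 255.255.255.0
access-list AC-nets standard permit 192.168.20.0 255.255.255.0
access-list VPN_ACL extended permit ip 10.10.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN_ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
"""
ASA2_CFG = """
access-list VPN_ACL extended permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN_ACL extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
"""
# Constructed broken variant: the admin forgot the AnyConnect pool on ASA2.
ASA2_CFG_NO_POOL = """
access-list VPN_ACL extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
"""
AC_POOL = ipaddress.ip_network("10.10.10.0/24")

EXT_ACE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
STD_ACE = re.compile(r"access-list (\S+) standard permit (\S+) (\S+)")

def crypto_acl(cfg, name):
    """(src, dst) network pairs of the named extended ACL, i.e. the S2S 'interesting traffic'."""
    nets = lambda a, m: ipaddress.ip_network(f"{a}/{m}")
    return {(nets(s, sm), nets(d, dm)) for n, s, sm, d, dm in EXT_ACE.findall(cfg) if n == name}

def split_tunnel_list(cfg, name):
    """Networks the AnyConnect client will route into its tunnel (standard ACL)."""
    return {ipaddress.ip_network(f"{a}/{m}") for n, a, m in STD_ACE.findall(cfg) if n == name}

def mirror_mismatches(local, remote):
    """Local ACEs whose mirror image (dst, src) the peer does not have: that SA will never come up."""
    return {(s, d) for (s, d) in local if (d, s) not in remote}

def check(asa1_cfg, asa2_cfg, pool, crypto_name="VPN_ACL", split_name="AC-nets"):
    """Run all consistency checks; every value is empty when the design is complete."""
    a1, a2 = crypto_acl(asa1_cfg, crypto_name), crypto_acl(asa2_cfg, crypto_name)
    remote_nets = {d for (_, d) in a1}                      # networks behind the S2S peer
    pool_reaches = {d for (s, d) in a1 if s == pool}        # remote nets the pool is allowed to reach
    return {
        "asa1_unmirrored": {(str(s), str(d)) for s, d in mirror_mismatches(a1, a2)},
        "asa2_unmirrored": {(str(s), str(d)) for s, d in mirror_mismatches(a2, a1)},
        "remote_nets_missing_pool": {str(n) for n in remote_nets - pool_reaches},
        "remote_nets_not_split_tunneled": {str(n) for n in remote_nets - split_tunnel_list(asa1_cfg, split_name)},
    }

if __name__ == "__main__":
    for name, result in (("good", check(ASA1_CFG, ASA2_CFG, AC_POOL)),
                         ("no pool on ASA2", check(ASA1_CFG, ASA2_CFG_NO_POOL, AC_POOL))):
        print(name, {k: v for k, v in result.items() if v} or "OK")
```

The NAT exemption on ASA1 is not checked here; confirm it with `packet-tracer` from a pool address to a remote host and verify the flow hits the identity NAT rule and the crypto map.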


Hope it helps

-Randy-
