Introduction By design or to avoid multiples VPN endpoints, you might want to have the VPN client and S2S VPN on the same device and shared the networks between the 2 VPN tunnels. With the following config , we simplify the configuration requirements and might provide a better performance to the user. Requirements ASA running 8.4 code and above Anyconnect client 3.x or 4.x version. Topology  . . Configuration required ASA 1 Anyconnect config  . ASA1(config)# webvpn ASA1(config-webvpn)# enable outside ASA1(config-webvpn)# Anyconnect image disk0:/anyconnect-win-4.1.xxxxxx-k9.pkg  ASA1(config-webvpn)# Anyconnect enable ////////////////////////// Enable SSL and Anyconnect /////////////////////////////////////////////////// ASA1(config)# ip local pool Anyconnect 10.10.10.0-10.10.10.254 mask 255.255.255.0 ////////////////////////// Define the Anyconnect pool /////////////////////////////////////////////////// ASA1(config)# access-list AC-nets standard permit 192.168.10.0 255.255.255.0 ASA1(config)# access-list AC-nets standard permit 192.168.20.0 255.255.255.0 ////////////  Define the remote networks you want to reach  ////////////////////////////////////// ASA1(config)# group-policy Anyconnect internal ASA1(config)# group-policy Anyconnect attributes ASA1(config-group-policy)# dns-server 4.4.4.4 8.8.8.8 ASA1(config-group-policy)# split-tunnel-policy tunnelspecified ASA1(config-group-policy)# split-tunnel-network-list value AC-nets ASA1(config)#tunnel-group Anyconnect type remote-access ASA1(config)#tunnel-group Anyconnect general-attributes ASA1(config-tunnel-general)# default-group-policy Anyconnect ASA1(config-tunnel-general)# address-pool Anyconnect //////////// Configure the Anyconnect policy ////////////////////////////////////// . S2S config ASA1(config)# access-list VPN_ACL extended permit ip 10.10.10.0 255.255.255.0 192.168.20.0 255.255.255.0 ASA1(config)# access-list VPN_ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 ////////////  Define the Access-list for the S2S tunnel  ////////////////////////////////////// ASA1(config)#crypto map S2S-tunnel 1 set transform-set ESP-3DES-SHA ASA1(config)#crypto map S2S-tunnel 1 match address VPN_ACL ASA1(config)#crypto map S2S-tunnel 1 set peer 2.2.2.2 ASA1(config)#crypto map S2S-tunnel interface outside ////////////////////////////// Configure the S2S tunnel    //////////////////////////////////////////////////////// ASA1(config)#  same-security-traffic permit intra-interface //////////////////////////// Enable hair-pinning on the ASA     /////////////////////////////////////////////////////// ASA1(config)# object-group network remote-nets ASA1(config-network)# network-object 192.168.20.0 255.255.255.0 ASA1(config)# object-group network AC-pool ASA1(config-network)# network-object 10.10.10.0 255.255.255.0 ASA1(config)# Nat (outside,outside) source static AC-pool AC-pool destination station remote_nets remote_nets route-lookup ////////////////////// Configure a NO-NAT rule for this traffic     //////////////////////////////////////// . . . ASA 2 Site-to-Site Configuration  ASA2(config)# access-list VPN_ACL extended permit 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0 ASA2(config)# access-list VPN_ACL extended permit 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 //////////// Define the Access-list for the S2S tunnel ////////////////////////////////////// ASA2(config)#crypto map S2S-tunnel 1 set transform-set ESP-3DES-SHA ASA2(config)#crypto map S2S-tunnel 1 match address VPN_ACL ASA2(config)#crypto map S2S-tunnel 1 set peer 1.1.1.1 ASA2(config)#crypto map S2S-tunnel interface outside ////////////////////////////// Configure the S2S tunnel    //////////////////////////////////////////////////////// . . Hope it helps -Randy- ... View more

Introduction  An existing VPN tunnel requires active traffic every so often to keep the tunnel up and running If the tunnel is used for backup purposes and the traffic is generated only once per day , most likely the tunnel will remain down until new traffic is generated.  If you want to avoid this behavior, you can use IP SLA to generate traffic across the tunnel and keep the connection up.  Requirements Cisco IOS running 12.x and above Cisco ASA running 8.4 and above Topology Scenario On this example , the IP SLA is configured on the router at the Site A, the SLA will ping the IP address 192.168.0.1 at the remote site from the interface Fastethernet 0/1 which have an IP address that is part of the interesting traffic for this VPN. The ping will be triggered every 5 minutes with a timeout of 3 seconds. Configuration Required Site A Configuration Router(config)# ip sla 1 Router(config-ip-sla)# icmp-echo 192.168.0.1 source-interface fa0/1 Router(config-ip-sla-echo)# frequency 300 Device(config-ip-sla-echo)# timeout 3000 Using the previous topology but with the same concept, we can configure the IP SLA for the same purpose on the ASA. The only ASA limitation with IP SLA is that we cannot source the interface of the ICMP echo packet, the ASA can only determine the egress interface for the packet, keeping this in mind the outside interface of the ASA must be part of the interesting traffic in order to work properly this design. Another option is to initiate the IP SLA from a device behind the ASA a router or switch for example.  ASA configuration ASA(config)#sla monitor 123 ASA(config-sla-monitor)# type echo protocol ipIcmpEcho 192.168.0.1 interface outside ASA(config-sla-monitor-echo)#num-packets 3 ASA(config-sla-monitor-echo)# frequency 300 ASA(config-sla-monitor-echo)# threshold 3000 Hope it helps -Randy- ... View more

Recommendation about this feature This feature works only between the following platforms: •Two Cisco ASA 5500 series security appliances •A Cisco ASA 5500 series security appliance and a Cisco VPN 3000 concentrator •A Cisco ASA 5500 series security appliance and a security appliance running Cisco PIX security appliance software v7.0, or higher A backup Site-to-Site tunnel between a Cisco ASA and a 3rd party device is not supported. More information about this feature on the link below http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/c5.html#wp2238363 Requirements: Cisco ASA firewall running 8.3 code or above Scenario On this example we are going to use the following topology as our case scenario: Configuration required  ASA 1 Configuration ASA1(config)#crypto map S2S-tunnel 1 set transform-set esp-3des-sha ASA1(config)#crypto map S2S-tunnel 1 match address ASA1toASA2 ASA1(config)#crypto map S2S-tunnel 1 set connection-type originate-only ASA1(config)#crypto map S2S-tunnel 1 set peer 2.2.2.2 3.3.3.3 ASA1(config)#crypto map S2S-tunnel interface outside ASA 2 Configuration ASA2(config)#crypto map S2S-tunnel 1 set transform-set esp-3des-sha ASA2(config)#crypto map S2S-tunnel 1 match address ASA2toASA1 ASA2(config)#crypto map S2S-tunnel 1 set connection-type answer-only ASA2(config)#crypto map S2S-tunnel 1 set peer 1.1.1.1 ASA2(config)#crypto map S2S-tunnel interface outside ASA 3 Configuration ASA3(config)#crypto map S2S-tunnel 1 set transform-set esp-3des-sha ASA3(config)#crypto map S2S-tunnel 1 match address ASA3toASA1 ASA3(config)#crypto map S2S-tunnel 1 set connection-type answer-only ASA3(config)#crypto map S2S-tunnel 1 set peer 1.1.1.1 ASA3(config)#crypto map S2S-tunnel interface outside Hope it helps -Randy- ... View more