Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
655
Views
10
Helpful
7
Replies

Access the networks of the site to site in VPN Anyconnect Firepower

Valentin GOULET
Level 1
Level 1

‎01-20-2023 04:19 AM - edited ‎01-24-2023 07:39 AM

Good Morning,

Equipment: Firepower FTD1120 - V. 7.2.0-82

I have a local network in 192.168.1.0/24 and a site-to-site between a network 10.100.29.0/24 and 10.100.30.0/24.

I set up an Anyconnect VPN with a split tunneling of the network 192.168.1.0/24 so I access it well, by adding the 10.100.30.0/24 in split tunneling I do not access the equipment in 10.100.30.1 or 10.100.30.2 etc...

However, I have set up an ACL allowing access from Outside to the desired networks.

Thank you in advance for your feedback,

I am available to give you more information if necessary.

Labels:
7 Replies 7

balaji.bandi
Hall of Fame
Hall of Fame

‎01-20-2023 04:30 AM

I am sure when you add IP in to split tunnel it will not via tuunel ? what is the need of split tunnel for  10.100.30.0/24

they already part of your network in site to site VPN, if you connecting one of the site, you can use that network to go 10.100.30.0/24 (by allowing in ACL)

hope i am understanding your requirement correctly.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Valentin GOULET
Level 1
Level 1
In response to balaji.bandi

‎01-20-2023 06:21 AM

When I connect to VPN I have an IP in 192.168.1.X.

This same network is NAT to 10.100.29.0/24. And there is an on-site site site between 10.100.29.0/24 (internal) and 10.100.30.0/24 (external)

When I am at the company I access the equipment 10.100.30.1 for example, but not in VPN.

0 Helpful

MHM Cisco World
VIP
VIP

‎01-20-2023 04:49 AM

PacketFlow.I/O: 2014

you need hairpin, please check the above link

0 Helpful

Valentin GOULET
Level 1
Level 1
In response to MHM Cisco World

‎01-24-2023 01:02 AM

Hey,

Thanks for the link.

That’s the par "ASA Hairpinning and TCP state bypass"t, just typing the same-security-traffic permit intra-interface command should allow despite that I have a split tunelling on the 192.168.1.0/24 to access the site’s network between 10.100.29.0/24 and 10.100.30.0/24?

This is for ASA, Does it work for a Firepower?

Valentin GOULET
Level 1
Level 1
In response to MHM Cisco World

‎01-24-2023 01:53 AM - edited ‎01-24-2023 07:01 AM

I added the following rule, but in VPN I still don’t have access to 10.100.30.0/24.

object network VPN_DHCP
nat (outside,outside) static interface

 

If i had "Allow All Traffic Over Tunnel", How do I get internet ?

 

Edit :

Ok the Hairpin permit to have internet Access in full Tunnel, but i don't have access to my network 10.100.30.0/24 ...

Or maybe the rule must be like this : 

object network VPN_DHCP
nat (outside,outside) static 10.100.30.0/24

 

0 Helpful

messymoko05
Level 1
Level 1

‎01-24-2023 01:04 AM

To access all the data about Mypascoconnect Login , communicate with one another. Pasco Parent Portal creates a cloud platform that benefits schools, teachers, students, and administrators may all join up for this portal.

Click here for more information: Pasco Parent Portal

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents