cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
777
Views
0
Helpful
5
Replies
Beginner

Allow AnyConnect to access L2L VPN subnets

Hi,

 

I recently configured AnyConnect on ASA 5510, 5512 and 5505 with split-tunneling and it's working great. You can refer to the configuration below:

webvpn
enable outside
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 2 regex "Intel Mac OS X"
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
ssl-server-check warn-on-failure

group-alias sslgroup_users enable

group-policy clientgroup internal
group-policy clientgroup attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIt-ACL

tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool vpnpool
default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes

nat (inside,outside) source static 10.100.20.0-24 10.100.20.0-24 destination static 10.100.21.0-24 10.100.21.0-24

access-list SPLIt-ACL standard permit 10.100.20.0 255.255.255.0
access-list SPLIt-ACL standard permit 10.100.21.0 255.255.255.0

 

Question: I have multiple L2L VPNs configured on these ASAs. What I want to do is to access the resorces of those of L2L tunnels via Anyconnect. Is this do-able?

 

Thank you,

Abhi

Everyone's tags (7)
5 REPLIES 5
Highlighted

Re: Allow AnyConnect to access L2L VPN subnets

 

Hi @Abhijeet Kumar

 

I don't see why not. Once the packet gets decrypted and inside Firewall, it could go anywhere, including to another VPN tunnel. 

 What can prevent this from happen is routing, ACL and NAT. 

You can run a packet tracer and simulate that, then, you can see which one from the  above is preventing packets to get to the destination.

 

 

 

-If I helped you somehow, please, rate it as useful.-

 

 

 

 

 

 

 

-If I helped you somehow, please, rate it as useful.-

Highlighted
Beginner

Re: Allow AnyConnect to access L2L VPN subnets

Thank you for the quick reply but I would really appreciate if you could just guide me through this. Webvpn is pretty new to me and I do not wanna mess the production FW.

Highlighted

Re: Allow AnyConnect to access L2L VPN subnets

Just run the packet tracer. It does not change anything and will give you a good grasp on where packets stops.

 

 

-If I helped you somehow, please, rate it as useful.-

Highlighted
VIP Mentor

Re: Allow AnyConnect to access L2L VPN subnets

As mentioned, this is possible. What you need:

  1. the AnyConnect VPN-Pool has to be part of your crypto-ACL.
  2. the remote networks have to be included in the split-tunnel ACL
  3. If AnyConnect and the L2L VPNs terminate on the same interface you also need „same-security-traffic permit intra-interface“

In a regular setup this is all what you need.

Highlighted
Beginner

Re: Allow AnyConnect to access L2L VPN subnets

Here is my running-config

 

ip local pool vpnpool 10.100.21.50-10.100.21.200 mask 255.255.255.0

!

interface Ethernet0/0

nameif outside

security-level 0

ip address XXXXXXX standby XXXXXXX

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.100.20.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

shutdown

no nameif

no security-level

no ip address

 

 

boot system disk0:/asa917-13-k8.bin

boot system disk0:/asa902-k8.bin

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 4.2.2.1

name-server 8.8.8.8

name-server 4.2.2.2

name-server 8.8.4.4

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

 

 

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network 10.100.21.0-24

subnet 10.100.21.0 255.255.255.0

description Anyconnect VPN pool

 

 

access-list SPLIt-ACL standard permit 10.100.20.0 255.255.255.0

access-list SPLIt-ACL standard permit 10.100.21.0 255.255.255.0

nat (inside,outside) source static 10.100.20.0-24 10.100.20.0-24 destination static 10.100.21.0-24 10.100.21.0-24

object network obj_any

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 XXXXXXX 1

 

 

crypto ca trustpoint policy

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment terminal

crl configure

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

fqdn CEH-CLE-ASA01

subject-name CN=CEH-CLE-ASA01

crl configure

crypto ca trustpool policy

crypto ca certificate chain ASDM_TrustPoint0

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

no anyconnect-essentials

anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1 regex "Windows NT"

anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 2 regex "Intel Mac OS X"

anyconnect enable

tunnel-group-list enable

cache

  disable

error-recovery disable

ssl-server-check warn-on-failure

group-policy clientgroup internal

group-policy clientgroup attributes

vpn-tunnel-protocol ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIt-ACL

 

 

class-map dynamic-filter

match port udp eq domain

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect dns dynamic-filter-snoop

class class-default

  user-statistics accounting

!

service-policy global_policy global

 

Hope this helps