Allow AnyConnect to access L2L VPN subnets

Abhijeet Kumar
Level 1

Hi,

 

I recently configured AnyConnect on ASA 5510, 5512 and 5505 with split-tunneling and it's working great. You can refer to the configuration below:

webvpn
 enable outside
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
 ssl-server-check warn-on-failure

group-alias sslgroup_users enable

group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIt-ACL

tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool vpnpool
 default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes

nat (inside,outside) source static 10.100.20.0-24 10.100.20.0-24 destination static 10.100.21.0-24 10.100.21.0-24

access-list SPLIt-ACL standard permit 10.100.20.0 255.255.255.0
access-list SPLIt-ACL standard permit 10.100.21.0 255.255.255.0

 

Question: I have multiple L2L VPNs configured on these ASAs. What I want to do is access the resources behind those L2L tunnels via AnyConnect. Is this doable?

 

Thank you,

Abhi

5 Replies

 

Hi @Abhijeet Kumar

 

I don't see why not. Once the packet gets decrypted and is inside the firewall, it can go anywhere, including into another VPN tunnel.

What can prevent this from happening is routing, ACLs and NAT.

You can run a packet tracer to simulate that; then you can see which one of the above is preventing packets from getting to the destination.

-If I helped you somehow, please, rate it as useful.-

Thank you for the quick reply, but I would really appreciate it if you could just guide me through this. WebVPN is pretty new to me and I do not wanna mess up the production FW.

Just run the packet tracer. It does not change anything and will give you a good grasp of where the packets stop.

 

 

-If I helped you somehow, please, rate it as useful.-

As mentioned, this is possible. What you need:

  1. The AnyConnect VPN pool has to be part of your crypto ACL.
  2. The remote networks have to be included in the split-tunnel ACL.
  3. If AnyConnect and the L2L VPNs terminate on the same interface, you also need "same-security-traffic permit intra-interface".

In a regular setup this is all you need.
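The three steps above, plus the packet-tracer check suggested earlier in the thread, written out as one ASA configuration fragment. This is an added example, not the config of anyone in this thread. It keeps the thread's inside LAN (10.100.20.0/24) and AnyConnect pool (10.100.21.0/24); the remote L2L network 192.168.50.0/24, the peer address and the object and ACL names (VPN-POOL, REMOTE-L2L-NET, L2L-CRYPTO-ACL) are placeholders I made up, so substitute your own.

```cisco
! ---- Constructed example, not from this thread ----
! Assumed: inside = 10.100.20.0/24 and AnyConnect pool = 10.100.21.0/24 (as in
! the thread); L2L remote network = 192.168.50.0/24 (placeholder). Object and
! ACL names below are hypothetical.

object network VPN-POOL
 subnet 10.100.21.0 255.255.255.0
object network REMOTE-L2L-NET
 subnet 192.168.50.0 255.255.255.0

! 1. Crypto ACL of the L2L tunnel: the AnyConnect pool must be a source next to
!    the inside LAN. The peer's crypto ACL has to mirror these lines (pool as
!    destination), otherwise Phase 2 will not match for pool traffic.
access-list L2L-CRYPTO-ACL extended permit ip 10.100.20.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list L2L-CRYPTO-ACL extended permit ip 10.100.21.0 255.255.255.0 192.168.50.0 255.255.255.0

! 2. Split-tunnel ACL: add the remote L2L network, otherwise the client never
!    sends that traffic into the tunnel. Keep the list to what users need.
access-list SPLIt-ACL standard permit 10.100.20.0 255.255.255.0
access-list SPLIt-ACL standard permit 192.168.50.0 255.255.255.0

! 3. NAT exemption. AnyConnect traffic is decrypted on 'outside' and has to be
!    re-encrypted out of 'outside' again, so the identity NAT is outside-to-outside.
nat (outside,outside) source static VPN-POOL VPN-POOL destination static REMOTE-L2L-NET REMOTE-L2L-NET no-proxy-arp route-lookup

! 4. Let traffic leave through the interface it arrived on (hairpin).
same-security-traffic permit intra-interface

! Verification that changes nothing: simulate a pool client reaching a host on
! the far side. The decrypted client packet enters the ASA on 'outside'.
packet-tracer input outside tcp 10.100.21.60 1025 192.168.50.10 443
! Expected: the NAT phase hits the identity rule above, the VPN phase shows
! encrypt towards the L2L peer, and the final Action is "allow". A drop in the
! NAT phase points at step 3, a drop in the VPN phase at step 1 (or the peer's
! mirrored crypto ACL).
```

Run the packet-tracer both before and after the change; on a production box that is the safest way to confirm which of routing, ACL or NAT is blocking the flow without touching anything else.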

Here is my running-config

 

ip local pool vpnpool 10.100.21.50-10.100.21.200 mask 255.255.255.0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address XXXXXXX standby XXXXXXX
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.100.20.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa917-13-k8.bin
boot system disk0:/asa902-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.1
 name-server 8.8.8.8
 name-server 4.2.2.2
 name-server 8.8.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 10.100.21.0-24
 subnet 10.100.21.0 255.255.255.0
 description Anyconnect VPN pool
!
access-list SPLIt-ACL standard permit 10.100.20.0 255.255.255.0
access-list SPLIt-ACL standard permit 10.100.21.0 255.255.255.0
nat (inside,outside) source static 10.100.20.0-24 10.100.20.0-24 destination static 10.100.21.0-24 10.100.21.0-24
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXXXXXX 1
!
crypto ca trustpoint policy
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn CEH-CLE-ASA01
 subject-name CN=CEH-CLE-ASA01
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
 ssl-server-check warn-on-failure
group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIt-ACL
!
class-map dynamic-filter
 match port udp eq domain
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns dynamic-filter-snoop
 class class-default
  user-statistics accounting
!
service-policy global_policy global

Hope this helps