Beginner

Allow AnyConnect to access L2L VPN subnets

Hi,

I recently configured AnyConnect on ASA 5510, 5512 and 5505 with split-tunneling and it's working great. You can refer to the configuration below:

webvpn
 enable outside
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
 ssl-server-check warn-on-failure

 group-alias sslgroup_users enable

group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIt-ACL

tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool vpnpool
 default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes

nat (inside,outside) source static 10.100.20.0-24 10.100.20.0-24 destination static 10.100.21.0-24 10.100.21.0-24

access-list SPLIt-ACL standard permit 10.100.20.0 255.255.255.0
access-list SPLIt-ACL standard permit 10.100.21.0 255.255.255.0

Question: I have multiple L2L VPNs configured on these ASAs. What I want to do is access the resources behind those L2L tunnels via AnyConnect. Is this doable?

Thank you,

Abhi

9 REPLIES
Cisco Employee

Re: Allow AnyConnect to access L2L VPN subnets

Hello,

Is the VPNPool part of the network assigned to the Inside Interface?

Are the destination networks on the L2Ls part of the tunnel Exclude ACL?

If the tunneling and routing are in place it should work, but seeing only the partial configuration and not knowing more about the topology, I can't say for sure yet.

Best regards,

Paul

VIP Advocate

Re: Allow AnyConnect to access L2L VPN subnets

To add to Paul's response, "same-security-traffic permit intra-interface" also needs to be added to allow Anyconnect traffic to u-turn on the outside interface into the L2L tunnel.
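As an added illustration of the pieces the two replies above point at (the intra-interface u-turn, the client's split-tunnel list, NAT exemption and the crypto ACL), and not configuration from this thread: an ASA fragment that assumes the pool 10.100.21.0/24 and inside network 10.100.20.0/24 from the post, plus a hypothetical L2L remote subnet 192.168.50.0/24 whose crypto map ACL is named L2L-TO-BRANCH (both placeholders).

```text
! Added example, not from the thread. Goal: an AnyConnect client in
! 10.100.21.0/24 reaches the hypothetical L2L subnet 192.168.50.0/24
! by hairpinning on the outside interface into the L2L tunnel.

! 1. Permit traffic to enter and leave the same (outside) interface.
same-security-traffic permit intra-interface

! 2. The client only tunnels what the split-tunnel list names; without
!    this entry it sends 192.168.50.0/24 out its local default gateway.
access-list SPLIt-ACL standard permit 192.168.50.0 255.255.255.0

! 3. Identity (exempt) NAT for pool <-> remote subnet, outside to outside,
!    so the u-turned flow is not caught by "nat (inside,outside) dynamic
!    interface". route-lookup keeps egress decided by the routing table.
object network L2L-REMOTE-NET
 subnet 192.168.50.0 255.255.255.0
nat (outside,outside) source static 10.100.21.0-24 10.100.21.0-24 destination static L2L-REMOTE-NET L2L-REMOTE-NET no-proxy-arp route-lookup

! 4. The L2L crypto ACL must match pool -> remote subnet, not only
!    inside -> remote subnet, or the packet is dropped unencrypted.
!    The peer's crypto ACL and NAT exemption must mirror these lines.
access-list L2L-TO-BRANCH extended permit ip 10.100.20.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list L2L-TO-BRANCH extended permit ip 10.100.21.0 255.255.255.0 192.168.50.0 255.255.255.0

! 5. Check the path as a decrypted client packet arriving on outside:
!    each phase (ROUTE-LOOKUP, NAT, VPN encrypt) should show ALLOW.
packet-tracer input outside icmp 10.100.21.60 8 0 192.168.50.10 detailed
```

Step 1 is already present in the running-config posted later in this thread; steps 2 to 4 are the parts that depend on the L2L definitions the thread does not show.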

Beginner

Re: Allow AnyConnect to access L2L VPN subnets

It's allowed; please check the running-config and let me know if there are any issues.

Beginner

Re: Allow AnyConnect to access L2L VPN subnets

Is the VPNPool part of the network assigned to the Inside Interface?

No, it's a totally different subnet, as you generally create for AnyConnect VPN pools.

I haven't created any rule as such.

If the tunneling and routing are in place it should work, but seeing only the partial configuration and not knowing more about the topology, I can't say for sure yet.

Please check the running config, hope it helps.

Contributor

Re: Allow AnyConnect to access L2L VPN subnets

There’s not enough configuration here to provide you a detailed response to meet the behavior you are looking for.

Beginner

Re: Allow AnyConnect to access L2L VPN subnets

I added the running-config specific to webvpn.

Beginner

Re: Allow AnyConnect to access L2L VPN subnets

Here is my running-config

ip local pool vpnpool 10.100.21.50-10.100.21.200 mask 255.255.255.0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address XXXXXXX standby XXXXXXX
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.100.20.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
boot system disk0:/asa917-13-k8.bin
boot system disk0:/asa902-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.1
 name-server 8.8.8.8
 name-server 4.2.2.2
 name-server 8.8.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 10.100.21.0-24
 subnet 10.100.21.0 255.255.255.0
 description Anyconnect VPN pool
access-list SPLIt-ACL standard permit 10.100.20.0 255.255.255.0
access-list SPLIt-ACL standard permit 10.100.21.0 255.255.255.0
nat (inside,outside) source static 10.100.20.0-24 10.100.20.0-24 destination static 10.100.21.0-24 10.100.21.0-24
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXXXXXX 1
crypto ca trustpoint policy
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn CEH-CLE-ASA01
 subject-name CN=CEH-CLE-ASA01
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
 ssl-server-check warn-on-failure
group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIt-ACL
class-map dynamic-filter
 match port udp eq domain
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns dynamic-filter-snoop
 class class-default
  user-statistics accounting
!
service-policy global_policy global

Hope this helps

Contributor

Re: Allow AnyConnect to access L2L VPN subnets

The L2L tunnel configuration is missing, as well as the ip local pool configuration. It's hard to follow the flow without more information.

Cisco Employee

Re: Allow AnyConnect to access L2L VPN subnets

For troubleshooting routing and NAT issues, I would suggest Packet-Tracer Demo on Cisco ASA - YouTube