02-25-2015 01:57 PM - edited 02-21-2020 08:06 PM
object network Network-HQ
 subnet 10.0.0.0 255.255.0.0
object network Network-Site1
 subnet 10.1.0.0 255.255.0.0
object network Network-Site2
 subnet 10.2.0.0 255.255.0.0
object network Network-Site3
 subnet 10.3.0.0 255.255.0.0
object network Network-AnyCon
 subnet 10.100.0.0 255.255.0.0
object-group network REMOTE_NETWORK
 network-object object Network-Site1
 network-object object Network-Site2
 network-object object Network-Site3
 network-object object Network-AnyCon
object-group network LOCAL_NETWORK
 network-object object Network-HQ
nat (inside,outside) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
nat (outside,outside) source static REMOTE_NETWORK REMOTE_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
same-security-traffic permit intra-interface
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object-group LOCAL_NETWORK object-group REMOTE_NETWORK
access-list outside_access_in extended permit ip object-group REMOTE_NETWORK object-group REMOTE_NETWORK
access-list outside_access_in extended permit ip object-group REMOTE_NETWORK object-group LOCAL_NETWORK
02-26-2015 11:12 AM
Please remove this object from REMOTE_NETWORK
object-group network REMOTE_NETWORK
no network-object object Network-AnyCon
Let's say this: 10.1.0.10 is permitted to access all remote LANs via the site-to-site tunnels.
Let's create a dynamic NAT, so that your remote-in clients can access the remote LANs as if they are coming directly from HQ.
object network HQ-UNUSED-IP
 description permitted to traverse to all remote sites
 host 10.1.0.10
nat (outside,outside) source dynamic Network-AnyCon HQ-UNUSED-IP destination static REMOTE_NETWORK REMOTE_NETWORK
Please remove the lines below, because tunnel-bound traffic does not go through the ACL filters applied to the outside interface.
no access-list outside_access_in extended permit ip object-group LOCAL_NETWORK object-group REMOTE_NETWORK
no access-list outside_access_in extended permit ip object-group REMOTE_NETWORK object-group REMOTE_NETWORK
no access-list outside_access_in extended permit ip object-group REMOTE_NETWORK object-group LOCAL_NETWORK
Hope this helps.
Thanks
Rizwan Rafeek
02-26-2015 01:24 PM
Thank you for your reply, though I'm confused why I would need to use an HQ-UNUSED-IP for the NAT. Why can I not use the original source IP? They are all 10.x.x.x addresses.
I would like Remote Site A to talk to Remote Site B, and the AnyConnect client to talk to either Site A or Site B (as well as HQ). That's why I thought these were what I needed: anything local to remote, and anything remote to anything remote.
nat (inside,outside) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
nat (outside,outside) source static REMOTE_NETWORK REMOTE_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
02-26-2015 07:38 PM
If your remote tunnel administrators are willing to add your AnyConnect pool range to the permit line (i.e. in the crypto ACL at their end) so it can traverse the tunnel, then you won't need a dynamic NAT.
In that case what you need is a NAT exemption from outside to outside for AnyConnect accessing the remote LANs. The same applies to a remote LAN accessing another remote LAN: you again need to ask the remote tunnel administrators to permit the other remote LANs, along with your AnyConnect subnet range, in their crypto ACL, and to set a NAT exemption for them as well.
Hope that answers your question.
Thanks
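The following is an added configuration example (not posted by anyone in this thread) showing the NAT-exemption path Rizwan describes: the AnyConnect pool and the remote LANs keep their original 10.x.x.x source addresses, which is what the second post asks about. It assumes ASA 8.3+ twice-NAT syntax, reuses the object names from the thread (with Network-AnyCon moved out of REMOTE_NETWORK as suggested), and uses an assumed ACL name VPN-Site2 for one peer's crypto ACL; the matching crypto map entry that binds that ACL to the Site2 peer is assumed to exist already. The rule order shown matters, because manual twice-NAT rules are evaluated first-match from the top.

```cisco
! Added example, not from the thread. ASA 8.3+ twice-NAT syntax.
! Object names follow the thread; "VPN-Site2" is an assumed ACL name.

! Hairpinning: a flow must be allowed to enter and leave the same interface.
same-security-traffic permit intra-interface

object network Network-HQ
 subnet 10.0.0.0 255.255.0.0
object network Network-Site1
 subnet 10.1.0.0 255.255.0.0
object network Network-Site2
 subnet 10.2.0.0 255.255.0.0
object network Network-Site3
 subnet 10.3.0.0 255.255.0.0
object network Network-AnyCon
 subnet 10.100.0.0 255.255.0.0

! Site-to-site LANs only. The AnyConnect pool stays in its own object so it
! can be referenced on its own in the NAT rules and the crypto ACLs.
object-group network REMOTE_NETWORK
 network-object object Network-Site1
 network-object object Network-Site2
 network-object object Network-Site3

! 1) HQ <-> remote sites: identity NAT on both sides (inside to outside).
nat (inside,outside) source static Network-HQ Network-HQ destination static REMOTE_NETWORK REMOTE_NETWORK no-proxy-arp route-lookup

! 2) Remote site <-> remote site hairpin (outside to outside), untranslated.
nat (outside,outside) source static REMOTE_NETWORK REMOTE_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK no-proxy-arp route-lookup

! 3) AnyConnect pool -> remote sites hairpin, keeping the 10.100.x.x source.
!    This only works once every remote peer carries 10.100.0.0/16 in its
!    crypto ACL and in its own NAT exemption; if the peers will not do that,
!    the dynamic NAT to an HQ address from the earlier reply is the fallback.
nat (outside,outside) source static Network-AnyCon Network-AnyCon destination static REMOTE_NETWORK REMOTE_NETWORK no-proxy-arp route-lookup

! HQ-side crypto ACL for the Site2 peer. "Interesting traffic" must list the
! other remote LANs and the AnyConnect pool, mirrored on the Site2 ASA.
access-list VPN-Site2 extended permit ip object Network-HQ object Network-Site2
access-list VPN-Site2 extended permit ip object Network-Site1 object Network-Site2
access-list VPN-Site2 extended permit ip object Network-Site3 object Network-Site2
access-list VPN-Site2 extended permit ip object Network-AnyCon object Network-Site2

! Verify which NAT rule and crypto ACL a hairpinned flow actually hits before
! asking the remote administrators to change their side:
!   packet-tracer input outside icmp 10.100.0.5 8 0 10.2.0.5 detailed
!   show nat detail
```

Two points worth keeping in mind when applying this. First, the `packet-tracer` output shows the NAT phase and the VPN encryption phase separately, so a flow that matches the exemption but is dropped at the crypto lookup tells you the crypto ACL, not the NAT, is what is missing. Second, as the earlier reply notes, tunnel traffic bypasses the outside interface ACL by default, so an AnyConnect user allowed through the tunnel can reach the whole of each remote LAN; if that is more than intended, restrict it with a `vpn-filter` ACL in the AnyConnect group policy rather than with `outside_access_in`.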