Solved: I still cannot get this work

mlinzbach · ‎06-02-2010

Would like some general guidance in configuring 2 ASAs connected via site-to-site VPN and then have remote AnyConnect client connect to far end site.

Both ASAs are set up for site-to-site VPNs as shown on the attached diagram. Hosts on each LAN segment can ping across the site-to-site tunnel.

One of the ASAs also acts as a terminating endpoint for AnyConnect clients. Remote AnyConnect users can successfully see items on the 192.168.1.X subnet shown on the attached (and items behind the router not shown). Outside interface of the ASAs are the terminating points for all cyrpto.

Where I'm struggling is configuring the ASAs so the Remote AnyConnect users can see the 192.168.2.X network and general guidance is appreciated.

Few things: These IPs are not my production IPs and don't want to include config outputs. No routing other than static routing is configured between ASAs and any layer-3 devices. For those users in the 192.168.1.X subnet their default gateway is configured to be the Router 192.168.1.1. For those users in the 192.168.2.X network their default gateway is configured to be the ASA 192.168.2.1. Attached diagram generally shows how I'm set up and what I'd like to accomplish.

What I'm thinking I need is the following:

Static route on 192.168.2.1 ASA for 192.168.102.0/24 network to ???inside interface of 192.168.1.254???

NAT exemption on both ASAs for the remote user traffic to/from the 192.168.2.X network.

If you can comment, point me to online config examples or comments it would be appreciated.

Marcin Latosiewicz · ‎06-02-2010

I understand that the end goal is for anyconnect users to communicate over IPSec to 192.168.2.0/x subnet?

You will need:

Left hand ASA:

- routing for 102 subnet to outside (default GW IP is fine)

- net exemttion for traffic from .2 subnet to .102

- modify crypto ACLs for this tunnel to reflect traffic going from .2 subnet to .102

Right hand ASA:

- modify crypto ACLS to allow traffic from .102 to .2

- nat exemption for traffic from .102 to .2

That's about it.

edit: Not sure what happened to Federico's post....

One thing he mentioned and I forgot is the same-security-traffic permit intra-interface to allow U-turn.

View solution in original post

Federico Coto Fajardo · ‎06-02-2010

Hi,

If I understand correctly, you need to allow the AnyConnect clients (that connect to the ASA), to communicate across the IPsec tunnel to the other ASA and reach 192.168.2.x

What you should do is in the crypto ACL of the Site-to-Site tunnel include another ACE with the 192.168.102.x (which is the pool of the AnyConnect clients).

Also, on the AnyConnect split-tunneling ACL (if using split-tunneling), include the remote 192.168.2.x network).

Example:

Let';s say this is your ACL for split tunnel for the AnyConnect clients

access-list split permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0

So, you should also include:

access-list split permit ip 192.168.2.0 255.255.255.0 192.168.102.0 255.255.255.0

Let's say that you have this ACL as the crypto ACL for the Site-to-Site tunnel

access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

So, add this line:

access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.102.0 255.255.255.0

To allow the ASA to redirect back out the same interface traffic that it receives, you should add

same-security-traffic permit intra-interface

Also, check the NAT configuration to include these networks accordingly.

Hope it makes sense, let's us know any question.

Federico.

View solution in original post

Marcin Latosiewicz · ‎06-02-2010

I understand that the end goal is for anyconnect users to communicate over IPSec to 192.168.2.0/x subnet?

You will need:

Left hand ASA:

- routing for 102 subnet to outside (default GW IP is fine)

- net exemttion for traffic from .2 subnet to .102

- modify crypto ACLs for this tunnel to reflect traffic going from .2 subnet to .102

Right hand ASA:

- modify crypto ACLS to allow traffic from .102 to .2

- nat exemption for traffic from .102 to .2

That's about it.

edit: Not sure what happened to Federico's post....

One thing he mentioned and I forgot is the same-security-traffic permit intra-interface to allow U-turn.

Federico Coto Fajardo · ‎06-02-2010

Hi,

If I understand correctly, you need to allow the AnyConnect clients (that connect to the ASA), to communicate across the IPsec tunnel to the other ASA and reach 192.168.2.x

What you should do is in the crypto ACL of the Site-to-Site tunnel include another ACE with the 192.168.102.x (which is the pool of the AnyConnect clients).

Also, on the AnyConnect split-tunneling ACL (if using split-tunneling), include the remote 192.168.2.x network).

Example:

Let';s say this is your ACL for split tunnel for the AnyConnect clients

access-list split permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0

So, you should also include:

access-list split permit ip 192.168.2.0 255.255.255.0 192.168.102.0 255.255.255.0

Let's say that you have this ACL as the crypto ACL for the Site-to-Site tunnel

access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

So, add this line:

access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.102.0 255.255.255.0

To allow the ASA to redirect back out the same interface traffic that it receives, you should add

same-security-traffic permit intra-interface

Also, check the NAT configuration to include these networks accordingly.

Hope it makes sense, let's us know any question.

Federico.

Steven Williams · ‎03-18-2014

I still cannot get this work in my network.

I understand that the end goal is for anyconnect users to communicate over IPSec to 192.168.2.0/x subnet?

You will need:

Left hand ASA:

- routing for 102 subnet to outside (default GW IP is fine)

** Wouldnt this be covered by a default-route?

- net exemttion for traffic from .2 subnet to .102

** What is the source and destination interfaces for this NAT exempt?

- modify crypto ACLs for this tunnel to reflect traffic going from .2 subnet to .102

** So make sure the anyconnect VPN networks are part of the source object group for the crypto?

Right hand ASA: ** I do not own the remote site ASA, no access, so what do I need to tell them to do?

- modify crypto ACLS to allow traffic from .102 to .2

- nat exemption for traffic from .102 to .2

That's about it.

edit: Not sure what happened to Federico's post....

One thing he mentioned and I forgot is the same-security-traffic permit intra-interface to allow U-turn.

mlinzbach · ‎06-02-2010

Thanks Federico and Marcin. Needed the ACLs on the on the crypto, the NAT exemptions, split-tunnelling entry, and same-security-traffic permit intra-interface entry.

Much appreciated.

AnyConnect client to site-to-site destination