
AnyConnect configuration

Good day community!

I'm really new with Cisco firewalls and I got a project to finish the configuration of an AnyConnect with DOU (Two-factor Authentication). Half of the setup was made by someone who is no longer with the company and I'm kind of lost here. I will try to explain my scenario so you can give me some hints.


AnyConnect is already configured and you are able to establish a connection with AnyConnect Secure Client on any PC to the FW.

The setup includes DOU as Two-Factor authentication (Reference)

The other factor is LDAP


So these are my problems:

Like I said, you can connect to the VPN and you can reach some of the internal networks, and while you are connected to the VPN you don't have internet access. ---- What do I need to do in order to reach all our internal networks and have internet access?


For testing purposes LDAP was configured to our test Active Directory, before rolling this new VPN to production I need to change the setup to our main Active Directory ---- Which section of the config should I change?


Thank you in advance for all the suggestions!!!!

Rolando Valenzuela.


2 Accepted Solutions

The Internet access depends - do you want them to use their local Internet or the main site Internet connection?

Which networks they can get to at the main office is generally set via an access-list which is referenced by the following commands on the ASA's group policy:

 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value <access-list name>

Which LDAP server you use is generally set via creating an LDAP server (or server group) and referencing it via:

 authentication-server-group <group name>

...in the tunnel-group section.

pjain2
Cisco Employee

Hey Ronaldo,

To be able to access internet after connecting through anyconnect vpn, you have 2 options:

1. Either send all the traffic including the internet traffic through the vpn.

for this you just have to configure dynamic nat for the vpn pool subnet:

object network <name>
 subnet <pool subnet> <mask>
 nat (outside*,outside*) dynamic interface

* refers to the interface on which the anyconnect vpn is terminating.

2. Or you can send traffic for your specific internal subnets through the tunnel and the internet traffic will not go through the vpn tunnel:

group-policy <name1> internal
group-policy <name1> attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split

the access-list for the split-tunnel would be configured as:

access-list split standard permit <subnet> <mask>

Here the <subnet> refers to the internal subnets that you need to access via vpn.

tunnel-group <name> general-attributes
 default-group-policy <name1>

13 Replies

Any suggestions?

Thank you both! At least I know what to look for now!

@Marvin checking the ACL applied to the split-tunnel configuration, now it is obvious why it is not working: only two subnets were allowed.

ASA01# show run  | i split-tunne
access-list split-tunnel standard permit 10.10.0.0 255.255.0.0
access-list split-tunnel standard permit 10.20.0.0 255.255.0.0
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel


@pjain2, regarding your second option, if I need an internet service that can only be reached from USA networks (as an example, let's say HBOplus), can I include those subnets or FQDN in the ACL and allow that traffic to the corporate link, or is it all or nothing?


I will try to make some adjustments and let you know the results! :D

Thank you!!

Rolando Valenzuela.


Hey Ronaldo,

Is this what you mean:

you need internet access from 10.10.0.0/16 and 10.20.0.0/16, i.e. your internal networks?

Regards

No, let's say I travel to Japan and I want to see HBOplus. Can I force that particular traffic to use the VPN (USA IP) and all the rest of the traffic (like facebook, google, bing, outlook, etc.) not?


Thanks again!

To do that, you need to allow the public IP address of that website (HBOplus) in the split tunneling ACL on the ASA; only then will that traffic go over the VPN.

While pjain2 is technically correct, in practice HBOplus (and most every other major streaming service) uses a Content Delivery Network (CDN) to stream their service from many different locations.

The addresses for a given streaming service will change according to the geographic location the DNS request comes from. They will also change over time as the CDN adds or removes nodes.

Valid point Marvin :) but I just said HBOplus to say something familiar for everybody. I couldn't say the name of our internal apps since nobody knows them, and for security reasons :)


FYI - I was able to change the LDAP authentication :D but for some reason I can connect to the VPN, but I cannot reach any internal network. I'm just trying to fix that before editing the ACL.


Regards.

Rolando Valenzuela.

Hey Ronaldo,

If access to your internal networks is not working through VPN, check if the NAT exemption is configured on the ASA for the traffic.


Regards

awesome catch pjain2!

I enabled source "any" destination "internal_subnets" so far; I will tighten up the source address later, but now it is working.


Thank you both for all the help!! I will keep testing today and probably next week to see what doesn't work, but the most critical part is there :D


Thanks again!!

Rolando Valenzuela.

Hi guys,

After all your help everything works really fine! :) Just one thing: while on the VPN I cannot reach the firewall itself.


What I'm doing to hit the firewall while using the VPN is to log in to a router and then use the ssh command to connect to the firewall.


Thanks again for all the help!

The first two things I would check are:

Have you allowed the VPN pool address range to ssh?

Have you included the ASA interface subnet in your NAT exemption to the VPN pool?
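Pulling the thread's pieces together (the split-tunnel ACL, the NAT exemption, SSH from the pool, and the LDAP server group the tunnel-group points at), here is a constructed ASA configuration as an added example, not the poster's or the replies' own config. All object names, addresses and the LDAP host are assumptions, and the DOU second factor is left exactly as already configured.

```cisco
! Constructed example, not the thread's config. Assumed names/addresses:
! AnyConnect pool 10.99.0.0/24, ASA inside subnet 192.168.1.0/24, internal
! networks 10.10.0.0/16 and 10.20.0.0/16 (the two in the poster's ACL),
! interfaces "inside"/"outside", LDAP host 192.168.1.10.
ip local pool AC-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0

! Split tunnel: only these destinations ride the VPN, the rest uses local Internet.
! The inside subnet is included so the ASA's own inside address is reachable.
access-list split-tunnel standard permit 10.10.0.0 255.255.0.0
access-list split-tunnel standard permit 10.20.0.0 255.255.0.0
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

! NAT exemption (identity NAT): traffic between the internal networks and the
! pool must not be translated, or clients connect but reach nothing.
object network NET-AC-POOL
 subnet 10.99.0.0 255.255.255.0
object-group network INTERNAL-NETS
 network-object 10.10.0.0 255.255.0.0
 network-object 10.20.0.0 255.255.0.0
 network-object 192.168.1.0 255.255.255.0
nat (inside,outside) source static INTERNAL-NETS INTERNAL-NETS destination static NET-AC-POOL NET-AC-POOL no-proxy-arp route-lookup

! Reaching the ASA itself from the pool: manage via the inside interface and
! permit SSH only from the pool range (source-restricted, not "any").
management-access inside
ssh 10.99.0.0 255.255.255.0 inside

! Production LDAP server group, referenced from the tunnel-group.
aaa-server LDAP-PROD protocol ldap
aaa-server LDAP-PROD (inside) host 192.168.1.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=service,dc=example,dc=com
 ldap-login-password <PLACEHOLDER-PASSWORD>
 server-type microsoft
tunnel-group TG-ANYCONNECT general-attributes
 address-pool AC-POOL
 authentication-server-group LDAP-PROD
 default-group-policy GP-ANYCONNECT
```

Verify the exemption with `packet-tracer input inside tcp 10.10.5.5 12345 10.99.0.10 443` and confirm the NAT phase shows the identity rule rather than a translation. If you pick the full-tunnel option from the accepted answer instead, the hairpin NAT on the outside interface also needs `same-security-traffic permit intra-interface`.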
