09-01-2015 04:27 PM - edited 02-21-2020 08:26 PM
Good day community!
I'm really new with Cisco firewalls and I got a project to finish the configuration of AnyConnect with Duo (two-factor authentication). Half of the setup was made by someone who is no longer with the company and I'm kind of lost here. I will try to explain my scenario so you can give me some hints.
AnyConnect is already configured and you are able to establish a connection with AnyConnect Secure Client on any PC to the FW.
The setup includes Duo as two-factor authentication (Reference)
The other factor is LDAP
So these are my problems:
Like I said, you can connect to the VPN and you can reach some of the internal networks, and while you are connected to the VPN you don't have internet access. ---- What do I need to do in order to reach all our internal networks and have internet access?
For testing purposes LDAP was configured to our test Active Directory, before rolling this new VPN to production I need to change the setup to our main Active Directory ---- Which section of the config should I change?
Thank you in advance for all the suggestions!!!!
Rolando Valenzuela.
09-02-2015 05:26 PM
The Internet access depends - do you want them to use their local Internet or the main site Internet connection?
Which networks they can get to at the main office is generally set via an access-list which is referenced by the following commands on the ASA's group policy:
split-tunnel-policy tunnelspecified
split-tunnel-network-list value <access-list name>
Which LDAP server you use is generally set via creating an LDAP server (or server group) and referencing it via:
authentication-server-group <group name>
...in the tunnel-group section.
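Marvin's pointer in a fuller form. This is an added example, not configuration from the original thread: it assumes a domain controller at 10.10.1.5 reachable via the inside interface, a base DN of DC=corp,DC=example,DC=com, a dedicated low-privilege bind account svc-asa-ldap, and a tunnel group named ANYCONNECT-TG; all of those names and addresses are placeholders. It uses LDAP over SSL on port 636 so user passwords are not sent to the domain controller in clear text, and the comment in the tunnel group marks the one line that changes when moving from the test AD to production.

```cisco
! Added example: LDAP server group for the production AD (placeholder names/addresses)
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.1.5
 ldap-base-dn DC=corp,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=corp,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
!
! Point the AnyConnect tunnel group at the new server group. This is the line to
! change when moving from the test AD to production. If Duo is the primary server
! (for example RADIUS through the Duo Authentication Proxy), the LDAP group may be
! referenced as secondary-authentication-server-group instead; check which one the
! existing tunnel-group uses with "show run tunnel-group".
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group AD-LDAP
```

Before pointing the tunnel group at the new server, confirm the bind and lookup work from the ASA itself with `test aaa-server authentication AD-LDAP host 10.10.1.5 username <user> password <password>`; it reports whether authentication succeeded, and `debug ldap 255` shows the bind DN and search it performed if it does not.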
09-02-2015 10:01 PM
Hey Rolando,
To be able to access the internet after connecting through AnyConnect VPN, you have 2 options:
1. Either send all the traffic, including the internet traffic, through the VPN.
For this you just have to configure dynamic NAT for the VPN pool subnet (* refers to the interface on which the AnyConnect VPN is terminating):
! required so traffic can enter and leave the same interface (hairpin)
same-security-traffic permit intra-interface
object network <name>
 subnet <pool subnet> <mask>
 nat (outside*,outside*) dynamic interface
2. Or you can send traffic for your specific internal subnets through the tunnel and the internet traffic will not go through the VPN tunnel:
group-policy <name1> internal
group-policy <name1> attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
The access-list for the split-tunnel would be configured as:
access-list split standard permit <subnet> <mask>
Here <subnet> refers to the internal subnets that you need to access via VPN.
tunnel-group <name> general-attributes
 default-group-policy <name1>
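Both of pjain2's options as a worked configuration. This is added here and is not taken from the thread; it assumes a VPN pool of 192.168.100.0/24, the VPN terminating on the outside interface, a group policy GP-ANYCONNECT, a tunnel group ANYCONNECT-TG, and internal networks 10.10.0.0/16 and 10.20.0.0/16, all placeholders. The security trade-off is the point: a full tunnel (option 1) sends every packet through the corporate firewall where it can be inspected and logged, at the cost of bandwidth; a split tunnel (option 2) lets the client talk to the internet directly, so the list should contain only the internal networks that genuinely need to be reached. Option 1 also needs same-security-traffic permit intra-interface, because the traffic enters and leaves the same interface.

```cisco
! Common: address pool and an object describing it (placeholder addresses)
ip local pool AC-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network AC-POOL-NET
 subnet 192.168.100.0 255.255.255.0
!
! ---- Option 1: full tunnel, Internet via the corporate link ----
! Hairpin: VPN traffic arrives on outside and leaves on outside again
same-security-traffic permit intra-interface
object network AC-POOL-NET
 nat (outside,outside) dynamic interface
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelall
!
! ---- Option 2: split tunnel, only the internal subnets over the VPN ----
! (use one option or the other; the last split-tunnel-policy entered wins)
access-list SPLIT-TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 10.20.0.0 255.255.0.0
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Either way, bind the pool and policy to the tunnel group
tunnel-group ANYCONNECT-TG general-attributes
 address-pool AC-POOL
 default-group-policy GP-ANYCONNECT
```

After reconnecting, `show vpn-sessiondb detail anyconnect` lists the session and the group policy it received; with option 2 the client's Route Details should show only the two /16s as secured routes, and with option 1 a test from the client to a public address should appear in `show nat` as a hit on the (outside,outside) rule.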
09-02-2015 02:40 PM
Any suggestions?
09-03-2015 07:23 AM
Thank you both! At least I know what to look for now!
@Marvin checking the ACL applied to the split-tunnel configuration, now it is obvious why it is not working, only two subnets were allowed.
ASA01# show run | i split-tunne
access-list split-tunnel standard permit 10.10.0.0 255.255.0.0
access-list split-tunnel standard permit 10.20.0.0 255.255.0.0
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
@pjain2, regarding your second option, if I need an internet service that can only be reached from USA networks (as an example let's say HBOplus), can I include those subnets or FQDN in the ACL and allow that traffic to the corporate link, or is it all or nothing?
I will try to make some adjustments and let you know the results! :D
Thank you!!
Rolando Valenzuela.
09-03-2015 08:45 AM
Hey Rolando,
Is this what you mean:
you need internet access from 10.10.0.0/16 and 10.20.0.0/16, i.e. your internal networks?
Regards
09-03-2015 09:00 AM
No, let's say I travel to Japan and I want to see HBOplus, can I force that particular traffic to use the VPN (USA IP) and all the rest of the traffic (like Facebook, Google, Bing, Outlook, etc.) not?
Thanks again!
09-03-2015 10:11 AM
To do that, you need to allow the public IP address of that website (HBOplus) in the split tunneling ACL on the ASA; only then will that traffic go over the VPN.
09-03-2015 10:21 AM
While pjain2 is technically correct, in practice HBOplus (and most every other major streaming service) uses a Content Delivery Network (CDN) to stream their service from many different locations.
The addresses for a given streaming service will change according to the geographic location the DNS request comes from. They will also change over time as the CDN adds or removes nodes.
09-03-2015 01:00 PM
Valid point Marvin :) but I just said HBOplus to say something familiar to everybody; I couldn't say the name of our internal apps since nobody knows them, and for security reasons :)
FYI - I was able to change the LDAP authentication :D but for some reason I can connect to the VPN, but I cannot reach any internal network. I'm just trying to fix that before editing the ACL.
Regards.
Rolando Valenzuela.
09-03-2015 05:55 PM
Hey Rolando,
If access to your internal networks is not working through VPN, check if the NAT exemption is configured on the ASA for the traffic.
Regards
09-04-2015 08:42 AM
awesome catch pjain2!
I enabled source "any" destination "internal_subnets" so far, I will tighten up the source address later, but now it is working.
Thank you both for all the help!! I will keep testing today and probably next week to see what doesn't work, but the most critical part is there :D
Thanks again!!
Rolando Valenzuela.
09-08-2015 02:47 PM
Hi guys,
After all your help everything works really fine! :) just one thing! while on the VPN I cannot reach the firewall itself.
What I'm doing to hit the firewall while using the VPN is to log in to a router and then use the ssh command to connect to the firewall.
Thanks again for all the help!
09-08-2015 04:34 PM
The first two things I would check are:
Have you allowed the VPN pool address range to ssh?
Have you included the ASA interface subnet in your NAT exemption to the VPN pool?
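A worked version of pjain2's NAT-exemption tip and of Marvin's two checks above, added here and not taken from the thread. It assumes the ASA's inside interface is 10.10.1.1 (inside 10.10.0.0/16), the VPN pool 192.168.100.0/24 and the two internal /16s from earlier in the thread; all are placeholders. The identity NAT rule names the pool rather than "any" as the VPN-side object, so only tunnel traffic is exempt from translation, and the ssh line is scoped to the pool so that VPN users can manage the ASA directly instead of through a jump router.

```cisco
! Objects for the two sides of the tunnel (placeholder addresses)
object-group network INTERNAL-NETS
 network-object 10.10.0.0 255.255.0.0
 network-object 10.20.0.0 255.255.0.0
object network AC-POOL-NET
 subnet 192.168.100.0 255.255.255.0
!
! NAT exemption (identity twice-NAT): traffic between the internal nets and the
! VPN pool is passed untranslated in both directions. Source is limited to the
! internal nets and destination to the pool, not "any".
nat (inside,outside) source static INTERNAL-NETS INTERNAL-NETS destination static AC-POOL-NET AC-POOL-NET no-proxy-arp route-lookup
!
! Management of the ASA over the tunnel: the inside interface address (10.10.1.1)
! falls inside INTERNAL-NETS, so the exemption above already covers it.
! management-access lets the far-side interface answer VPN clients, and the ssh
! line grants SSH only from the pool.
management-access inside
ssh 192.168.100.0 255.255.255.0 inside
ssh version 2
```

To check the exemption is actually matching, `show nat detail` shows translate_hits and untranslate_hits climbing on the identity rule while a client pings an internal host, and `packet-tracer input outside tcp 192.168.100.10 12345 10.10.1.1 22` walks the SSH flow through the NAT and access phases and reports where it is dropped if it still fails.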