Anyconnect question

benolyndav
Level 4

Hi

If I am setting up AnyConnect, I'm assuming that I will need an interface on our firewall that is directly connected to the LAN. I am wanting to use a subnet where the GW is on our distribution switch, but our firewall has multiple sub-interfaces and none of them are part of the inside LAN networks?

 

thanks

1 Accepted Solution

Hi @benolyndav what is your other problem exactly? Do you not want the anyconnect users to use the ASA as the default route for internet traffic? Options could be split tunnel the traffic and only tunnel traffic via the VPN destined to the corporate network or you can route all anyconnect user traffic to the core using a "tunneled default route".

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112182-ssl-tdg-config-example-00.html

 

6 Replies

@benolyndav Not sure I fully understand. The ASA doesn't need an interface directly connected to the LAN; you can have a dedicated /29 or /30 network for the ASA's inside interface, just define routes for the inside networks. As far as the AnyConnect VPN pool IP addressing, you just need to ensure the internal LAN has a route via the ASA to communicate with the RAVPN users.

Hi Rob

Ok, thanks for that. We do actually have an interface that has routes to all the inside networks, so I could use IP pools for the AnyConnect clients and allow them to any using this interface so they would get access to corporate services. I would also need a route pointing to the firewall for the AnyConnect IP pool? It gets a bit confusing when thinking about default gateway.

 

Thanks

 

@benolyndav Well, you would need a route on the core switch pointing to the ASA for the AnyConnect VPN IP pool if the default route on the core is not the RAVPN ASA; in which case you'd not need specific static routes, the default route would suffice. In some instances customers have a dedicated RAVPN concentrator and internet traffic goes out another firewall; in this instance specific routes for the VPN IP pool via the RAVPN concentrator would be required.

 

As far as the clients are concerned they will route all traffic from the ASA to the inside network, the clients rely on the ASA's routing table to route the traffic accordingly.

Hi Rob

Yes, understood, and would need a static route from Core to ASA AnyConnect IP pool as the default route on the core points across a private WAN for corporate staff Internet access, so may have another problem here too, as the ASA has a default route of its own pointing to its Outside network to provide Internet access for guest networks.

Thanks

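The routing pieces discussed in this thread (dedicated /29 for the ASA inside interface, a static route on the core for the VPN pool, and the two options from the accepted solution, split tunnelling or a tunneled default route) put together as an added configuration example. This is not configuration from the thread or from Cisco's documentation; all interface names, pool ranges and addresses (10.0.255.0/29, 10.99.0.0/24, 10.0.0.0/8, 203.0.113.1) are constructed placeholders, and the ASA access and NAT policy that also governs pool-to-LAN traffic is not shown because the thread does not cover it.

```cisco
! ---- Core / distribution switch (IOS) ----
! Constructed addressing: the ASA inside interface sits on a dedicated /29
! (10.0.255.0/29), core side 10.0.255.1, ASA side 10.0.255.2.
! The core keeps its existing default route towards the private WAN for
! staff internet; only the VPN pool is steered to the ASA.
ip route 10.99.0.0 255.255.255.0 10.0.255.2

! ---- ASA (RAVPN headend) ----
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.255.2 255.255.255.248
!
! Internal LANs are reachable via the core, so the ASA needs no LAN-facing
! interface, just a route (constructed summary prefix).
route inside 10.0.0.0 255.0.0.0 10.0.255.1 1
!
! Normal default route: guest networks (and anything else) exit via outside.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Address pool handed to AnyConnect clients; matches the core static route.
ip local pool ANYCONNECT-POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0
!
! Option A - tunneled default route: traffic arriving from VPN tunnels that
! matches no more specific route goes to the core instead of the outside
! interface, so VPN users' internet traffic follows the corporate WAN path.
route inside 0.0.0.0 0.0.0.0 10.0.255.1 tunneled
!
! Option B - split tunnel: only corporate prefixes are sent through the VPN;
! the client's own internet traffic never touches the ASA. Keep this ACL as
! narrow as the corporate address plan allows.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GP-ANYCONNECT
```

Pick one of the two options: with split tunnelling in place the tunneled default route only matters for VPN traffic that is not covered by the split list, so the lines under Option A can be dropped when Option B is used. Either way the core static route is what makes return traffic for the pool reach the ASA, since the core's default route points at the private WAN rather than at the ASA, exactly the situation described in the thread. Check the result on the core with `show ip route 10.99.0.10` and on the ASA with `show route`, where the tunneled default route is listed separately from the regular one.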