AnyConnect Question

benolyndav
Level 4

Hi

Just presently setting up AnyConnect on our FTD. I'm using an IP pool on the FTD for the clients but would like to know a couple of things.

1. The default route for this FTD is pointing out the Internet interface. Is there any way I can force AnyConnect clients to not use this as their default route, but point them somewhere else for default routing?

2. Also, I have noticed that when I test I get the first address in the range (.1). Is this ok?

3. I'm considering using a DHCP scope on our servers, but these reside in another part of the network. There is a route to the servers from the FTD. If they were assigned a DHCP address, would they just use the FTD as their gateway and then follow the FTD routing table? Not sure where the GW would be.

 

Thanks

3 Replies

balaji.bandi
Hall of Fame

1. The default route for this FTD is pointing out the Internet interface. Is there any way I can force AnyConnect clients to not use this as their default route, but point them somewhere else for default routing?

BB - yes, you can route to a different one; make sure that route is reachable and aware.

2. Also, I have noticed that when I test I get the first address in the range (.1). Is this ok?

BB - yes, you can use it, but make sure the gateway used is the end of the subnet or the initial one.

3. I'm considering using a DHCP scope on our servers, but these reside in another part of the network. There is a route to the servers from the FTD. If they were assigned a DHCP address, would they just use the FTD as their gateway and then follow the FTD routing table? Not sure where the GW would be.

BB - this bit is tricky. Servers always using a static address is preferred; if the gateway is the FTD, it is possible (again, based on the requirement and network design).

 

BB


@benolyndav You can create another route with the keyword "tunneled" appended. This means that VPN traffic can be sent to another next hop (instead of being hairpinned back out the outside interface) and routed from there. Example: "route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled"

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/ret-rz-commands.html#wp1781820814

 

Yes you can use the first IP address in the pool, there is no SVI like on a switch, traffic is tunneled to the ASA.

 

You need to use the command "dhcp-network-scope", configured under the group-policy.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/m_dh-dm.html#wp9331797440
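As an added illustration (not from this thread and not Cisco's own sample config), this is the ASA-syntax equivalent of the three answers above as it would appear in the FTD's running-config; the interface names, pool, group-policy and tunnel-group names and every address are assumed placeholders.

```cisco
! Added example, not from the thread. Interface names, object names and
! addresses are placeholders.
!
! Normal default route for the firewall itself and for non-VPN traffic:
! out the Internet interface.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Second default route marked "tunneled": used only for traffic that
! arrived through a VPN tunnel, so decrypted AnyConnect traffic goes to an
! inside next hop instead of being hairpinned back out "outside".
! Only one tunneled default route is allowed, and the next hop must be
! reachable through the named interface.
route inside 0.0.0.0 0.0.0.0 10.0.0.1 tunneled
!
! Local pool: the first usable address (.1) goes to the first client; no
! address is reserved for a gateway because there is no SVI on the VPN side.
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! DHCP-based assignment instead of (or as well as) the pool: the DHCP
! server is named under the tunnel-group, and the scope it should draw from
! is selected with dhcp-network-scope under the group-policy. The value is
! the network address of the scope, not the address of the server.
! Clients do not take a gateway from the scope's router option; their
! traffic is tunneled to the FTD and forwarded by its routing table, which
! is where the tunneled route above takes effect.
group-policy VPN_GP internal
group-policy VPN_GP attributes
 dhcp-network-scope 10.20.0.0
tunnel-group VPN_TG type remote-access
tunnel-group VPN_TG general-attributes
 address-pool VPN_POOL
 dhcp-server 10.20.0.5
 default-group-policy VPN_GP
```

Verify the decrypted traffic actually takes the inside path with "show route" (the tunneled route is listed alongside the normal default) and by checking that the DHCP server's 10.20.0.0 scope, not the pool, is handing out the client address when the DHCP path is in use.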

 

 

Worked, Rob, thanks. Saved me a headache or two.
