AnyConnect VPN - External client cannot access my internal network

Jalmeida
Level 1

Dear all, I am new to security issues and I have a complicated scenario.

I changed the IP addresses so as not to expose the network, but the scenario is complete.

I have 2 branches in Brazil that communicate via LAN-to-LAN.

Wherever I close the VPN (AnyConnect) here in Brazil, I can access my internal network normally (122.122.122.122).

However, in this same scenario I have a closed IPsec tunnel with the peer in Colombia (133.133.133.2), the tunnel is working without problems.

However, the client in Colombia cannot access the addresses on my internal network.


I have already checked all the network configurations, and even so, since it was working and we did not change anything on our side, I do not know how to help. I did not want to create separate ACLs.

1 - Because it is an AnyConnect from another location, the user did not appear in the results of my "show vpn-sessiondb anyconnect".
But I did not find any errors, and all the addresses from Colombia are specified in my firewall and in "show crypto isakmp sa". The only difference is that the AnyConnect there has the peer address 133.133.133.1 and the mask it received its IP from is 111.111.111.x 255.255.252.0, while in the crypto ACL and in my firewall rules it is 111.111.111.0 255.255.248.0, but I understand that it is included.

I will share the summarized configurations and those of you who have experience here in the community, do you think you can help me by observing?

[Image: Config Brazil 1 Inside]

[Image: Config Brazil 1 Colombia Router]
2 Replies

Add the AnyConnect VPN pool to the ACL of the VPN.

Add a new NAT (outside,outside) no-NAT rule for the AnyConnect pool when it tries to connect to the remote peer's internal LAN.

That's what you need.

MHM
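An added example of what those two steps look like in ASA CLI, written for this thread and not taken from either poster's configuration. It assumes the AnyConnect session terminates on the same ASA that carries the L2L tunnel (which is what an (outside,outside) NAT implies), that the internal network is 122.122.122.0/24, and that the object and ACL names RA_POOL, BRAZIL_LAN and L2L_CRYPTO_ACL are placeholders for whatever the running config already uses.

```text
! Added example, not the thread's own config. Names and the /24 are assumed.

! 1. Traffic that arrives on outside (AnyConnect) must be allowed to leave
!    through outside again (into the L2L tunnel).
same-security-traffic permit intra-interface

! 2. Objects: AnyConnect pool (mask as stated by the poster) and far-end LAN.
object network RA_POOL
 subnet 111.111.111.0 255.255.252.0
object network BRAZIL_LAN
 subnet 122.122.122.0 255.255.255.0

! 3. Identity NAT on the outside->outside hairpin, so the pool address is not
!    translated before the packet is matched against the crypto map.
nat (outside,outside) source static RA_POOL RA_POOL destination static BRAZIL_LAN BRAZIL_LAN no-proxy-arp route-lookup

! 4. The crypto ACL for the L2L tunnel must carry the pool <-> LAN pair
!    (the poster's /21 already covers the /22; this is the explicit entry).
!    The peer's crypto ACL must mirror it, or phase 2 will not negotiate.
access-list L2L_CRYPTO_ACL extended permit ip object RA_POOL object BRAZIL_LAN

! Verification: walk a pool packet through NAT and the crypto map.
packet-tracer input outside icmp 111.111.111.10 8 0 122.122.122.122 detailed
```

In the packet-tracer output, the NAT phase should show the identity rule and the VPN phase should show the L2L tunnel being selected; an "(acl-drop)" or a wrong NAT phase points at the rule that is still missing.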

Thank you for your quick response.
I'll do some research, since the environment is in production, I don't know if this configuration will have any impact.
I'll build the lines and apply them at some point. Do you have an example with the IPs I mentioned?

For example, 111.111.111.x needs to access my local network 122.122.122.x. What would be the correct rules in the ACL?
Thank you very much!