02-08-2018 03:08 AM - edited 03-12-2019 05:00 AM
Hi
I have a new box, ASA 5506H, with Security Plus license. Version is 9.8(1). Something that should be an easy setup of remote-access VPN with the AnyConnect client turned out to be not that easy. Please, help!
I believe my VPN config is OK, it was built mostly by the wizard, but what I don't understand is bridging interfaces into the BVI1 interface. I suspect my NAT is not good. Further, I have no experience with the FirePower module. I don't know whether it interferes here at all. For now I don't need any FirePower functionality, just simple remote access with the AnyConnect client (SSL VPN and/or IPsec) and that's all.
I can start from my interfaces.
Interface GE1/1 is outside and that's fine.
Interfaces GE1/2-1/4 are bridged into bridge group 1 and represented by the BVI1 interface. But when I want to define a NAT rule, I cannot use BVI1 (which is named inside). I can define NAT rules only on the physical interfaces. Why is that?
Does anyone have a working example config to share here?
Thank you!
02-08-2018 05:54 AM
BVI is used to configure Bridge Groups in a transparent firewall.
Anyconnect is not supported on ASA in transparent mode.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/intro-fw.html
HTH
Bogdan
02-08-2018 06:53 AM
Thank you, Bogdane! :)
I will delete the BVI1 interface and set up nameif Inside on GE1/2.
I wasn't sure if I had to have that interface for some reason related to the FirePower module. As I said, I have no experience with FirePower and am not sure how to manage it. Currently I could nicely skip over that part.
BR Zoran
02-09-2018 12:39 AM
Glad I could help, Zoran!
If you do not need to bridge between interfaces you can remove the BVI interface and have an IP interface instead, but @willwetherman is right: since 9.7 you have the possibility to route between a bridge group and a routed interface, so your design with the BVI on the inside should work.
02-08-2018 06:10 AM
Hi
BVIs can be used in both routed and transparent mode so that shouldn't be a restriction.
I know that NAT statements can only refer to the interface nameif and not the bridge-group name. As you have to define a separate nameif for each bridge-group member interface, such as "inside1", "inside2" etc., you will have to create corresponding NAT entries for each, which can get messy. An alternate solution is to reference all of the inside interfaces using the 'any' keyword. Example below:
nat (any,outside) source static x.x.x.x x.x.x.x destination static x.x.x.x x.x.x.x no-proxy-arp route-lookup
I hope that this helps
Will
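The approach Will describes, written out as an added example config (not from the original thread or from Cisco): a routed-mode bridge group with a nameif on each member interface, a per-member identity (NAT-exempt) rule for the AnyConnect pool, and the equivalent single rule using 'any'. All interface names, object names and addresses (192.168.1.0/24 LAN, 10.10.10.0/24 VPN pool) are constructed placeholders.

```text
! Bridge group members each get their own nameif; NAT rules refer to these, not to "inside"
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside1
 security-level 100
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside2
 security-level 100
! The BVI carries the IP address (routed-mode bridge group, ASA 9.7+)
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network LAN_NET
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0
!
! Option A: one identity NAT (exemption) per member interface, so VPN traffic is not translated
nat (inside1,outside) source static LAN_NET LAN_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
nat (inside2,outside) source static LAN_NET LAN_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Option B: a single rule matching every member interface with 'any' (replaces the two lines above)
nat (any,outside) source static LAN_NET LAN_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Ordinary PAT for Internet access from the LAN; the exemption above is a section 1 rule, so it is matched first
object network LAN_NET
 nat (any,outside) dynamic interface
```

After applying, check the rule order with "show nat" and confirm a LAN-to-pool flow hits the identity rule with "packet-tracer input inside1 icmp 192.168.1.10 8 0 10.10.10.5".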