We currently have a 5510 located in our datacenter and a number of edge devices (5505 and Checkpoint) at various client sites which have LAN-LAN VPNs back to the 5510 to access services (hub-spoke). We also provide SSL VPN to our 5510 using AnyConnect to access remotely.
We've allowed users the ability to route to their 'home' 5505 ASA through our 5510. Thus when someone logs in to our 5510 at the datacenter they can reach their office's LAN as well over the RA connection (the 5510 routing those packets to the respective 5505).
This all seemed to work fine with our Checkpoints and pre-8.4.4 5505s but for some reason now we cannot get the packets to route from the 5510 to any of the 8.4.4 5505s.
Here is a config from one of the 5505s related to VPN and RA connectivity:
object-group network DATACENTER-NETS
network-object object SERVICES-NET
network-object object RA-NET
access-list SERVICES-VPN-ACL extended permit ip object LOCAL-NET object-group DATACENTER-NETS
crypto map services_map 2 match address SERVICES-VPN-ACL
crypto map services_map 2 set peer 188.8.131.52
crypto map services_map 2 set ikev1 transform-set secondaryset
tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 220.127.116.11 ipsec-attributes
ikev1 pre-shared-key *****
Thus when the user logs into our 5510 using AnyConnect they are assigned an IP from the respective pool (RA-NET) which is part of the DATACENTER-NETS object group. The users can hit SERVICES-NET just fine (5510) but when they try to get to LOCAL-NET (i.e., the client's LAN) it fails.
This all seemed to be working fine (even on our 8.4.1 5505s) until we installed a couple of new ASAs w/ 8.4.4.
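The first thing to verify on a hub-and-spoke setup like the one above is that the flow RA pool -> spoke LAN is actually "interesting traffic" on both ends: the crypto-map ACL on the spoke must permit LOCAL-NET -> RA-NET and the hub's ACL for that spoke must permit the mirror image, otherwise no IPsec SA with matching proxy identities can be negotiated for the flow and the packets are silently dropped rather than tunnelled. The script below is an added example, not code from the original post or from Cisco: it parses the relevant ASA 8.4 config lines (network objects, object-groups, extended ACLs, crypto-map "match address") and answers "would this ACL pair permit host A -> host B" for a given source and destination. The subnets for LOCAL-NET, SERVICES-NET and RA-NET are assumptions, since the post does not show the "object network" definitions, and the hub-side ACL and crypto-map names are likewise invented for the example.

```python
"""Check that a spoke/hub crypto-map ACL pair covers RA-pool -> spoke-LAN traffic.

Constructed example: the subnets below, the hub ACL name and the hub crypto-map
name are assumptions; only the spoke object-group/ACL/crypto-map lines mirror
the structure shown in the post.
"""
import ipaddress
import re

SPOKE_CONFIG = """
object network LOCAL-NET
 subnet 10.20.0.0 255.255.255.0
object network SERVICES-NET
 subnet 10.0.1.0 255.255.255.0
object network RA-NET
 subnet 10.0.200.0 255.255.255.0
object-group network DATACENTER-NETS
 network-object object SERVICES-NET
 network-object object RA-NET
access-list SERVICES-VPN-ACL extended permit ip object LOCAL-NET object-group DATACENTER-NETS
crypto map services_map 2 match address SERVICES-VPN-ACL
"""

# Hub side (assumed): the mirror image of the spoke's interesting-traffic ACL.
HUB_CONFIG = """
object network LOCAL-NET
 subnet 10.20.0.0 255.255.255.0
object network SERVICES-NET
 subnet 10.0.1.0 255.255.255.0
object network RA-NET
 subnet 10.0.200.0 255.255.255.0
object-group network DATACENTER-NETS
 network-object object SERVICES-NET
 network-object object RA-NET
access-list SPOKE1-VPN-ACL extended permit ip object-group DATACENTER-NETS object LOCAL-NET
crypto map outside_map 10 match address SPOKE1-VPN-ACL
"""

# A spoke whose object-group forgot the RA pool: the flow is no longer interesting traffic.
BROKEN_SPOKE_CONFIG = SPOKE_CONFIG.replace("network-object object RA-NET\n", "")


def parse_asa(config):
    """Return (objects, groups, acls, cryptomaps) from the subset of ASA syntax used here."""
    objects, groups, acls, cryptomaps = {}, {}, {}, {}
    current = None  # (kind, name) of the object or object-group whose sub-lines follow
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"object network (\S+)$", line):
            current = ("object", m.group(1))
        elif m := re.match(r"object-group network (\S+)$", line):
            current = ("group", m.group(1))
            groups[m.group(1)] = []
        elif (m := re.match(r"subnet (\S+) (\S+)$", line)) and current and current[0] == "object":
            # ipaddress accepts a dotted netmask after the slash
            objects[current[1]] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif (m := re.match(r"host (\S+)$", line)) and current and current[0] == "object":
            objects[current[1]] = ipaddress.ip_network(m.group(1))
        elif (m := re.match(r"network-object (.+)$", line)) and current and current[0] == "group":
            groups[current[1]].append(m.group(1))
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)$", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)$", line):
            cryptomaps[(m.group(1), int(m.group(2)))] = m.group(3)
    return objects, groups, acls, cryptomaps


def resolve(tokens, objects, groups):
    """Expand one ACL operand (object / object-group / host / any / ip mask) into networks.
    Returns (list_of_networks, remaining_tokens)."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "object":
        return [objects[tokens[1]]], tokens[2:]
    if tokens[0] == "object-group":
        nets = []
        for member in groups[tokens[1]]:
            nets += resolve(member.split(), objects, groups)[0]
        return nets, tokens[2:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]


def acl_decision(acl_name, src, dst, parsed):
    """First-match evaluation: 'permit', 'deny', or None when no entry matches src -> dst."""
    objects, groups, acls, _ = parsed
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, _proto, rest in acls.get(acl_name, []):
        tokens = rest.split()
        src_nets, tokens = resolve(tokens, objects, groups)
        dst_nets, tokens = resolve(tokens, objects, groups)
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            return action
    return None


def crypto_acl_covers(config, src, dst):
    """True if some crypto-map entry's ACL permits src -> dst on this ASA,
    i.e. the flow has proxy identities an IPsec SA can be built for."""
    parsed = parse_asa(config)
    return any(acl_decision(acl, src, dst, parsed) == "permit" for acl in parsed[3].values())


def lan_to_lan_mirrored(spoke_cfg, hub_cfg, ra_ip, lan_ip):
    """Both ends must consider the flow interesting: spoke LAN -> RA pool and hub RA pool -> spoke LAN."""
    return crypto_acl_covers(spoke_cfg, lan_ip, ra_ip) and crypto_acl_covers(hub_cfg, ra_ip, lan_ip)


if __name__ == "__main__":
    print("spoke covers LAN->RA:", crypto_acl_covers(SPOKE_CONFIG, "10.20.0.10", "10.0.200.5"))
    print("broken spoke covers LAN->RA:", crypto_acl_covers(BROKEN_SPOKE_CONFIG, "10.20.0.10", "10.0.200.5"))
    print("mirrored on both ends:", lan_to_lan_mirrored(SPOKE_CONFIG, HUB_CONFIG, "10.0.200.5", "10.20.0.10"))
```

If both directions come back True, the crypto ACLs are not the problem and the next things to check on the hub are the ones this script deliberately does not model: a NAT exemption (twice NAT) for RA-pool <-> spoke-LAN on both ASAs, and "same-security-traffic permit intra-interface" on the hub, since the RA traffic enters and leaves the same outside interface. A `show crypto ipsec sa` on either end showing the LOCAL-NET/RA-NET proxy pair is the live confirmation of what this static check predicts.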