We currently have a 5510 located in our datacenter and a number of edge devices (5505 and Checkpoint) at various client sites which have LAN-LAN VPNs back to the 5510 to access services (hub-spoke). We also provide SSL VPN to our 5510 using AnyConnect to access remotely.
We've allowed users the ability to route to their 'home' 5505 ASA through our 5510. Thus when someone logs in to our 5510 at the datacenter they can reach their office's LAN as well over the RA connection (the 5510 routing those packets to the respective 5505).
This all seemed to work fine with our Checkpoints and pre-8.4.4 5505s but for some reason now we cannot get the packets to route from the 5510 to any of the 8.4.4 5505s.
Here is a config from one of the 5505s related to VPN and RA connectivity:
object-group network DATACENTER-NETS
network-object object SERVICES-NET
network-object object RA-NET
access-list SERVICES-VPN-ACL extended permit ip object LOCAL-NET object-group DATACENTER-NETS
crypto map services_map 2 match address SERVICES-VPN-ACL
crypto map services_map 2 set peer 126.96.36.199
crypto map services_map 2 set ikev1 transform-set secondaryset
tunnel-group 188.8.131.52 type ipsec-l2l
tunnel-group 184.108.40.206 ipsec-attributes
ikev1 pre-shared-key *****
Thus when the user logs into our 5510 using AnyConnect they are assigned an IP from the respective pool (RA-NET), which is part of the DATACENTER-NETS object group. The users can hit SERVICES-NET just fine (5510) but when they try to get to LOCAL-NET (i.e., the client's LAN) it fails.
This all seemed to be working fine (even on our 8.4.1 5505s) until we installed a couple of new ASAs with 8.4.4.
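For reference, the hub-side (5510) configuration that a hairpinned AnyConnect-to-spoke path of this kind relies on, written as an added example rather than taken from the post: the spoke's crypto ACL above has to be mirrored on the hub, the hub has to be allowed to send traffic back out the interface it arrived on, the RA-to-spoke traffic has to be exempted from NAT on that outside-to-outside path, and the AnyConnect split-tunnel list has to include the spoke LAN. The object names (LOCAL-NET, RA-NET, DATACENTER-NETS, SERVICES-NET) come from the post; the subnets, the crypto map name, the peer address and the group-policy name are placeholders I have assumed.

```cisco
! Hub (5510) side, ASA 8.4 syntax. Example only; addresses are assumed.
object network SERVICES-NET
 subnet 10.1.0.0 255.255.255.0
object network RA-NET
 subnet 10.9.0.0 255.255.255.0
object network LOCAL-NET
 subnet 192.168.10.0 255.255.255.0
object-group network DATACENTER-NETS
 network-object object SERVICES-NET
 network-object object RA-NET

! Mirror image of the spoke's SERVICES-VPN-ACL: source is the datacenter
! side (including the RA pool), destination is the spoke LAN.
access-list SPOKE-VPN-ACL extended permit ip object-group DATACENTER-NETS object LOCAL-NET
crypto map outside_map 10 match address SPOKE-VPN-ACL
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set secondaryset

! AnyConnect traffic enters on outside and must leave on outside again
! to reach the spoke tunnel; this is refused unless hairpinning is enabled.
same-security-traffic permit intra-interface

! Identity (no-NAT) rule for the outside-to-outside path so the RA pool
! address is preserved and matches the crypto ACL on both ends.
nat (outside,outside) source static RA-NET RA-NET destination static LOCAL-NET LOCAL-NET no-proxy-arp route-lookup

! Split-tunnel list handed to AnyConnect clients must include the spoke LAN,
! otherwise the client never sends LOCAL-NET traffic into the tunnel.
access-list RA-SPLIT standard permit 10.1.0.0 255.255.255.0
access-list RA-SPLIT standard permit 192.168.10.0 255.255.255.0
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT
```

When checking a path like this, `show crypto ipsec sa peer <spoke>` on the hub should show a SA whose local/remote identities cover RA-NET to LOCAL-NET, and `packet-tracer input outside icmp <ra-pool-ip> 8 0 <local-net-ip>` walks the NAT and crypto lookups that the configuration above is meant to satisfy.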