Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3748
Views
5
Helpful
6
Replies

Cisco AnyConnect access to remote IPsec network

Philip Curwen
Level 1
Level 1

‎09-20-2013 11:56 AM - edited ‎02-21-2020 07:10 PM

Hi All, I'm trying to give my remote AnyConnect users access to a network that is connected via an IPsec tunnel (ASA 5510 IPsec) from our main LAN.. network

AnyConnect VPN user----->ASA 5510 Local-LAN -----> IPsec tunnel to Remote-LAN

AnyConnect user access this --------------------------------------------------------------------------------------> Remote-LAN

AnyConnect ip 192.168.134.0/24

Local-LAN ip 192.168.133.0/24

Remote-LAN ip 192.168.105.0/24

Cheers for any sugestions

ASA has 8.4(4)

Labels:
0 Helpful
6 Replies 6

Tariq Bader
Cisco Employee
Cisco Employee

‎09-20-2013 01:37 PM

So the ipsec remote access vpn is on another asa , right ?
And the hosts behind the first asa are ipsec clients to that asa ?

Please provide your asa configuration


Sent from Cisco Technical Support Android App

0 Helpful

Philip Curwen
Level 1
Level 1
In response to Tariq Bader

‎09-20-2013 01:59 PM

Remote AnyConnect VPN clients connect to ASA 5510 which has an IPsec tunnel to a non-ASA device.

ASA Version 8.4(4)

!

hostname ciscoasa

enable password xxxx encrypted

passwd xxxx encrypted

names

!

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 72.xx.xx.xx 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.133.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-192.168.133.50

host 192.168.133.50

object network obj-192.168.133.0

subnet 192.168.133.0 255.255.255.0

object network INSIDE-HOSTS

subnet 192.168.133.0 255.255.255.0

object network VPN-HOSTS

subnet 192.168.134.0 255.255.255.0

object network obj-192.168.134.0

subnet 192.168.134.0 255.255.255.0

object network IPSEC-HOSTS

subnet 192.168.105.0 255.255.255.0

access-list 101 extended permit icmp any any echo

access-list 101 extended permit icmp any any echo-reply

access-list Split-Tunnel standard permit 192.168.133.0 255.255.255.0

access-list Split-Tunnel standard permit 173.x.x.0 255.255.255.0

access-list outside_cryptomap extended permit ip object INSIDE-HOSTS 192.168.105.0 255.255.255.0

access-list IPS extended permit ip any any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool AnyConnect-POOL 192.168.134.100-192.168.134.200 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS

nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static IPSEC-HOSTS IPSEC-HOSTS no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

object network obj-192.168.133.50

nat (inside,outside) static interface service tcp 3389 3389

object network obj-192.168.134.0

nat (outside,outside) dynamic interface

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 72.x.x.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server LDAP_SRV_GRP protocol ldap

aaa-server LDAP_SRV_GRP (inside) host 192.168.133.50

ldap-base-dn OU="xxxxxxxx",DC="xxxxx",DC="local"

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password xxxxxxxx

ldap-login-dn CN="xxxx",CN="Users",DC="xxxxx",DC="local"

server-type microsoft

user-identity default-domain LOCAL

http server enable

http 192.168.133.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 72.x.x.82

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd dns 192.168.133.50 192.168.105.50

!

dhcpd address 192.168.133.100-192.168.133.200 inside

dhcpd enable inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.5.41.41 source outside prefer

webvpn

enable outside

anyconnect-essentials

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect profiles AnyConnectProfile disk0:/AnyConnectProfile.xml

anyconnect enable

tunnel-group-list enable

group-policy AnyConnect internal

group-policy AnyConnect attributes

dns-server value 192.168.x.x

vpn-tunnel-protocol ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split-Tunnel

default-domain none

webvpn

  url-list none

  anyconnect modules value vpngina

  anyconnect profiles value AnyConnectProfile type user

  anyconnect ask enable

username AnyConnect1 password xxxxx encrypted

username AnyConnect1 attributes

vpn-group-policy AnyConnect

tunnel-group AnyConnect type remote-access

tunnel-group AnyConnect general-attributes

address-pool AnyConnect-POOL

authentication-server-group LDAP_SRV_GRP

default-group-policy AnyConnect

tunnel-group AnyConnect webvpn-attributes

group-alias AnyConnect enable

group-url https://xxxxxxx/ enable

tunnel-group 72.x.x.82 type ipsec-l2l

tunnel-group 72.x.x.82 ipsec-attributes

ikev1 pre-shared-key xxxxxxx

!

class-map IPS

match access-list IPS

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

class IPS

  ips promiscuous fail-open

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:dc2b3adda31cfcb5c35c22c6b9d475c3

: end

0 Helpful

Tariq Bader
Cisco Employee
Cisco Employee

‎09-20-2013 02:08 PM

Yes do the following:
1. Add the ipsec remote network to the split tunneling access list
2. Add a new self translation manual nat with outside as the ingress and egress interface with remote access lan as source and anyconnect pool as destination
3. Add the following command to permit u turn traffic
same-security-traffic permit intra interface




Sent from Cisco Technical Support Android App

Philip Curwen
Level 1
Level 1
In response to Tariq Bader

‎09-22-2013 04:33 PM

Hi I added this:

1. access-list Split-Tunnel standard permit 192.168.105.0 255.255.255.0

2. nat (outside,outside) source static IPSEC-HOSTS IPSEC-HOSTS destination static VPN-HOSTS VPN-HOSTS

3. same-security-traffic permit intra-interface

IPSEC-HOSTS are the remote network

VPN-HOSTS is the anyconnect pool

Still not able to ping..Is my nat ok?

0 Helpful

thomas.busse
Level 1
Level 1
In response to Philip Curwen

‎09-24-2013 02:41 AM

Hi Philip,

does your remote LAN have a route for the AnyConnect IP Pool pointing to your ASA 5510 ? And is it part of your crypto ACL?

regards,

Thomas

0 Helpful

Philip Curwen
Level 1
Level 1
In response to thomas.busse

‎09-24-2013 04:16 AM

No..Would I use the inside interface(of the Cisco) for the gateway on the remote router (non Cisco) what would I use for the crytp ACL?

Thanks'

0 Helpful
Customers Also Viewed These Support Documents