Cisco ASA AnyConnect behind another firewall

wayne loh
Level 1

Hi All,

I would like a configuration guide for the attached setup, with the Cisco ASA AnyConnect gateway behind another firewall. The perimeter firewall will have a public IP address NATted to the Cisco ASA interface (which uses a private IP address). In this case, should the outside or the inside interface of the Cisco ASA be the one configured? How about the NAT exemption setup for Cisco AnyConnect?

Many Thanks.

7 Replies

balaji.bandi
Hall of Fame

ASA remote access SSL VPN works when the ASA outside interface is behind another ASA firewall that NATs the address. As long as the second firewall allows TCP/443 (SSL), it should work as expected.

Internet -- ASA (external) ---- Outside (ASA - remote VPN)

For IPsec VPN a few more ports are required (udp/500 and 4500 typically).

https://www.petenetlive.com/KB/Article/0001428

BB


Hi,

Can I configure the inside interface as the VPN access interface instead, because the current VPN concentrator (another product) uses the internal interface?

Thanks.

How about the NAT exempted configuration?

@wayne loh You have to terminate the VPN on the interface the traffic is coming in on, regardless of its actual name. Usually it's the outside interface.

You only need NAT exemption if you have other NAT rules that might unintentionally NAT the traffic. So if you have other NAT rules, then yes, you need NAT exemption rules. Provide your configuration if unsure.

From your diagram, is your intention to use one interface on the ASA and route traffic to the internal network back via the same interface?

If you are intending to use SSL-VPN, then on the upstream firewall also permit DTLS (udp/443).
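The design discussed in this reply, as an added configuration example that is not part of the thread and not Cisco's documentation: the perimeter firewall (shown as an ASA, though any firewall that does the same static NAT and permits works) maps a public address to the inner ASA's outside interface and permits TCP/443 plus UDP/443 (DTLS); the inner ASA terminates AnyConnect on its outside interface and carries a NAT exemption so the ordinary outbound PAT does not translate inside-to-pool traffic. All addresses (192.168.100.0/24 transit, 10.0.0.0/24 inside, 10.10.10.0/24 pool, 203.0.113.10 public), interface names, object names and the AnyConnect package filename are assumed placeholders. The config uses post-8.3 ASA NAT syntax, where access lists reference the real (untranslated) address.

```cisco
! ===== Perimeter firewall (assumed to be an ASA) =====
! Real address of the inner ASA's outside interface (assumed)
object network RAVPN_GW
 host 192.168.100.2
 ! Static one-to-one NAT to the public address (assumed, documentation range)
 nat (inside,outside) static 203.0.113.10
! Inbound permits: SSL/TLS (TCP/443) and DTLS (UDP/443), real address used post-8.3
access-list OUTSIDE_IN extended permit tcp any object RAVPN_GW eq https
access-list OUTSIDE_IN extended permit udp any object RAVPN_GW eq 443
access-group OUTSIDE_IN in interface outside

! ===== Inner ASA (AnyConnect gateway) =====
! The VPN terminates on the interface the client traffic arrives on; it is
! named "outside" even though it carries a private address.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
! Default route toward the perimeter firewall (assumed next hop)
route outside 0.0.0.0 0.0.0.0 192.168.100.1

! Client address pool (assumed) and matching network objects
ip local pool RAVPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
object network RAVPN_POOL
 subnet 10.10.10.0 255.255.255.0
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0

! Ordinary outbound PAT for internal hosts; without an exemption this rule
! would also translate replies sent to VPN clients.
nat (inside,outside) after-auto source dynamic INSIDE_NET interface
! NAT exemption (identity twice-NAT, section 1): inside <-> pool stays untranslated.
! no-proxy-arp and route-lookup keep the ASA from answering ARP for the pool
! on the outside segment and make it route by the real destination.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static RAVPN_POOL RAVPN_POOL no-proxy-arp route-lookup

! AnyConnect (SSL client) on the outside interface
webvpn
 enable outside
 ! Package filename is a placeholder
 anyconnect image disk0:/anyconnect-PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy RAVPN_GP internal
group-policy RAVPN_GP attributes
 vpn-tunnel-protocol ssl-client
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool RAVPN_POOL
 default-group-policy RAVPN_GP
tunnel-group RAVPN webvpn-attributes
 group-alias RAVPN enable
```

If the inner ASA has no other NAT rules at all, the exemption line is harmless but not required, which matches the reply above. To verify which rule a flow hits, `packet-tracer input inside tcp 10.0.0.10 12345 10.10.10.5 443` on the inner ASA should show the identity NAT phase rather than the dynamic PAT.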

Peter Koltl
Level 7

TCP/443 and UDP/443 should be opened on external firewall.

Just call the interface outside and do not use any NAT rules.

Arun2022
Level 1

Hi Experts,

I have a scenario where External-ASA does a translation and the Internal-ASA acts as the AnyConnect gateway.
We can establish AnyConnect on the Internal-ASA successfully. My issue is with reachability to resources.
The "outside" interface of the VPN gateway needs to access other resources within the same network like the "VPC" in the diagram.
The resources in the inside of the VPN gateway are reachable from the AnyConnect client.

I can reach the "Internal_VPC(172.20.10.10)" host when connected to AnyConnect.

I cannot reach "VPC(10.187.26.150)" host when connected to AnyConnect.

Attached are the diagram and configurations of the External-ASA and Internal-ASA.

Outside-to-outside static (identity) NAT is unnecessary. In fact, you could use a dynamic PAT for pool addresses.

Don't use outside_ACL_out (egress direction), use outside_ACL_in to filter RAVPN traffic.

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html

https://networklessons.com/cisco/asa-firewall/cisco-asa-hairpin-remote-vpn-users
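The hairpin case from Arun2022's question and the reply above, as an added configuration fragment for the Internal-ASA that is not part of the thread and not Cisco's documentation: decrypted AnyConnect traffic destined for a host on the outside-side LAN re-enters and leaves the same "outside" interface, which the ASA only allows with intra-interface same-security traffic; the pool is PATted to the outside interface address, as the reply suggests, so the outside-side host needs no route back to the pool; and the inbound outside ACL is used to filter the RAVPN traffic. The pool (10.10.10.0/24), object names and ACL name are assumed placeholders; the VPC host address 10.187.26.150 is the one given in the question.

```cisco
! ===== Internal-ASA: AnyConnect clients reaching a host on the outside-side LAN =====
! Required for traffic that enters and leaves the same interface (VPN hairpin)
same-security-traffic permit intra-interface

! Client pool (assumed) and the outside-side host from the question
object network RAVPN_POOL
 subnet 10.10.10.0 255.255.255.0
object network VPC_HOST
 host 10.187.26.150

! Dynamic PAT of pool addresses to the outside interface address for
! outside -> outside flows; the identity (outside,outside) static NAT from the
! original config is not needed and is replaced by this rule.
nat (outside,outside) source dynamic RAVPN_POOL interface

! Interface ACLs only see decrypted VPN traffic when the VPN bypass is disabled;
! with the default "sysopt connection permit-vpn" the ACL below is not consulted.
no sysopt connection permit-vpn
! Filter RAVPN traffic on the inbound ACL of the outside interface
! (the egress ACL is the wrong place for this).
access-list outside_ACL_in extended permit ip object RAVPN_POOL object VPC_HOST
access-group outside_ACL_in in interface outside
```

Turning off `sysopt connection permit-vpn` affects every VPN on the box, so the inbound ACL must also permit whatever the existing clients need toward the inside; `packet-tracer input outside tcp 10.10.10.5 12345 10.187.26.150 22` shows whether the flow is dropped at the ACL phase or fails because the hairpin is not permitted.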

 
