Cisco ASA SSL-VPN clients must reach hosts behind second Cisco ASA

manoman
Level 1

I am trying to setup a quite unusual VPN configuration. For me anyway.
I thought it would be easy, and maybe it is, but I am not able to get things running the way I want.

This is my goal:
I have two ASA 5515x firewalls, #1 and #2. I want to setup SSL client VPN on #1 and I want the VPN users to be able to reach servers behind #2. The servers are located on two VLANs behind #2, 801 & 802.

This is the result so far:
VPN clients are able to ping the hosts on vlans 801 & 802 behind ASA #2, but they cannot connect to them using SSH or RDP.

Relevant conf for ASA #1:

interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/2.801
 vlan 801
 nameif vlan801
 security-level 50
 ip address 192.168.15.5 255.255.255.0
!
interface GigabitEthernet0/2.802
 vlan 802
 nameif vlan802
 security-level 50
 ip address 192.168.16.5 255.255.255.0

object network net_vpnclients
 subnet 10.10.10.0 255.255.255.0
 
object network net_vlan801
 subnet 192.168.15.0 255.255.255.0
object network net_vlan802
 subnet 192.168.16.0 255.255.255.0
 
ip local pool vpn_pool 10.10.10.32-10.10.10.63 mask 255.255.255.0


access-list splitTunnelAcl standard permit 192.168.15.0 255.255.255.0 
access-list splitTunnelAcl standard permit 192.168.16.0 255.255.255.0 

nat (vlan801,outside) source static net_vlan801 net_vlan801 destination static net_vpnclients net_vpnclients
nat (vlan802,outside) source static net_vlan802 net_vlan802 destination static net_vpnclients net_vpnclients


group-policy GroupPolicy_vpn internal
group-policy GroupPolicy_vpn attributes
 wins-server none
 vpn-idle-timeout 1200
 vpn-session-timeout none
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
 address-pools value vpn_pool
 
tunnel-group vpn_profile type remote-access
tunnel-group vpn_profile general-attributes
 address-pool vpn_pool
 default-group-policy GroupPolicy_vpn
tunnel-group vpn_profile webvpn-attributes
 group-alias Profile10 enable

 

Relevant conf for ASA #2:

interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/2.801
 vlan 801
 nameif vlan801
 security-level 50
 ip address 192.168.15.1 255.255.255.0
!
interface GigabitEthernet0/2.802
 vlan 802
 nameif vlan802
 security-level 50
 ip address 192.168.16.1 255.255.255.0

object network host1
 host 192.168.15.150
object network host2
 host 192.168.16.150

object network net_vpnclients
 subnet 10.10.10.0 255.255.255.0
 
object network net_vlan801
 subnet 192.168.15.0 255.255.255.0
object network net_vlan802
 subnet 192.168.16.0 255.255.255.0
 
object-group network all_internal_networks
 network-object object net_vlan801
 network-object object net_vlan802
 

route vlan801 10.10.10.0 255.255.255.0 192.168.15.5 1


access-list acl_vlan801 extended permit ip any object net_vpnclients log disable 
access-list acl_vlan801 extended deny ip any object-group all_internal_networks 
access-list acl_vlan801 extended permit ip any any 

access-list acl_vlan802 extended permit ip any object net_vpnclients log disable 
access-list acl_vlan802 extended deny ip any object-group all_internal_networks 
access-list acl_vlan802 extended permit ip any any 

access-group acl_vlan801 in interface vlan801
access-group acl_vlan802 in interface vlan802

Without the route in ASA #2 I cannot ping the hosts.
And I don't know if the ACL for VPN clients actually helps...

What am I missing?
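As an added illustration (not part of the thread or Cisco's code), the model below reproduces the symptom in the post: the request enters VLAN 801 straight from ASA #1, but the server's default gateway is ASA #2, so only the reply crosses ASA #2. An ASA creates a connection entry on the TCP SYN and drops later segments that have no entry, while ICMP is only tracked when ICMP inspection is enabled, which is why ping survives the asymmetric path and SSH/RDP do not. Addresses are the ones quoted in the post; the packets are constructed.

```python
"""Minimal model of stateful inspection on an asymmetric path (constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str       # "tcp" or "icmp"
    flags: str = ""  # "SYN", "SYN-ACK", "ACK"; empty for ICMP


class StatefulFirewall:
    """TCP: a SYN creates a connection entry; any other segment needs one
    (an ASA logs the miss as 'Deny TCP (no connection)').
    ICMP: passed on ACL alone, as on an ASA without 'inspect icmp'."""

    def __init__(self) -> None:
        self.conns: set = set()

    def inspect(self, p: Pkt) -> bool:
        if p.proto == "icmp":
            return True
        key = frozenset({p.src, p.dst})
        if p.flags == "SYN":
            self.conns.add(key)
            return True
        return key in self.conns


def run_flow(client: str, server: str, proto: str,
             forward_fw: list, reverse_fw: list) -> dict:
    """Request traverses forward_fw, reply traverses reverse_fw; report verdicts."""
    req = Pkt(client, server, proto, "SYN" if proto == "tcp" else "")
    rep = Pkt(server, client, proto, "SYN-ACK" if proto == "tcp" else "")
    ok_req = all(fw.inspect(req) for fw in forward_fw)
    ok_rep = ok_req and all(fw.inspect(rep) for fw in reverse_fw)
    return {"request": ok_req, "reply": ok_rep}


def thread_scenario() -> dict:
    """Asymmetric: request via ASA #1 only, reply via ASA #2 then ASA #1.
    Symmetric: both directions through both firewalls (a routed link between them)."""
    asa1, asa2 = StatefulFirewall(), StatefulFirewall()
    asym = {p: run_flow("10.10.10.40", "192.168.15.150", p, [asa1], [asa2, asa1])
            for p in ("icmp", "tcp")}
    s1, s2 = StatefulFirewall(), StatefulFirewall()
    sym = {p: run_flow("10.10.10.40", "192.168.15.150", p, [s1, s2], [s2, s1])
           for p in ("icmp", "tcp")}
    return {"asymmetric": asym, "symmetric": sym}
```

In the asymmetric case the ICMP reply is forwarded but the TCP SYN-ACK is dropped at ASA #2; once both directions cross both firewalls, TCP completes.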

6 Replies

@manoman How are these firewalls connected, one in front of the other or in parallel?

Provide a diagram

What's the point of the first firewall?

What device is the default gateway of the servers?


Hello @Rob 

They are not in front of each other. They are side by side and handling different external IP addresses and different internal VLANs (two different customers, each with their own quite normal setup with NATed hosts etc.). VLANs 801 & 802 were only added to ASA #1 to be able to communicate on these VLANs, which until now only existed behind ASA #2.

ASA #2 is the gateway for the servers.

Hope this helps...

/M

@manoman So the clients would route traffic destined for ASA #1 via ASA #2; that's not a good idea.

Create a different routed link/VLAN between the ASAs and the switch, and let the switch do the routing: a static route for the VPN IP pool toward ASA #1, with other traffic routed via ASA #2.

AnyConnect-outside-ASA1-inside-outside-ASA2-inside

Between ASA1 and ASA2 you need to configure a different VLAN.
In ASA1, configure a static route for the server VLAN toward the outside of ASA2.
In ASA2, configure a static route for the AnyConnect pool toward the inside of ASA1.
In ASA2 you must allow the AnyConnect pool via an ACL inbound to ASA2 (configure the ACL with direction IN on the outside of ASA2).

Ok, I understand the difference. What would these routes and ACLs look like? Like below?

On ASA #1:
route outside 192.168.15.0 255.255.255.0 OUTSIDE_IP_ASA_2 1
route outside 192.168.16.0 255.255.255.0 OUTSIDE_IP_ASA_2 1


On ASA #2:
route vlan801 10.10.10.0 255.255.255.0 192.168.15.5 1

access-list outside_access_in extended permit tcp object net_vpnclients object host1 eq ssh
access-list outside_access_in extended permit tcp object net_vpnclients object host2 eq ssh


Or maybe I can get the desired behaviour by using an IPsec tunnel with hairpinning between my two ASAs? Maybe overkill when the ASAs stand next to each other.

I solved this for now by setting up an IPsec tunnel and hairpinning. Works the way I wanted. Will have to test the other solution again when I have the time. Thanks everyone.