Configure Cisco VPN client to pass through site to site VPN (GUI)

esuturie (Level 1)

Hi, 

 

I must say hats off to the channel; the answers I've seen to achieve this have been great.

 

https://supportforums.cisco.com/discussion/12234631/cisco-asa-5505-vpn-passthrough 

and 

https://supportforums.cisco.com/document/12191196/anyconnect-client-site-site-destination 

 

My question though is "can we achieve this configuration using the GUI for someone that is not command line savvy?" 

Thanks

Accepted Solution

Marvin Rhoads (Hall of Fame)

Sure, all of that can be setup via ASDM.

Looking at the second example you posted above, they direct you first to modify:

ACL for split tunnel for the AnyConnect clients

This is in Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profile > (choose profile and select Edit) > (choose "Manage" next to Group Policy) > Edit > Advanced > Split Tunneling > Make sure policy does not say "Inherit" but rather "Tunnel Network List Below" > Unselect "Inherit" next to Network List and then "Manage". Enter your desired networks into the GUI in that dialog box. Click OK all the way back to the main ASDM window and hit Apply.

You then modify:

crypto ACL for the Site-to-Site tunnel

For that, go to Configuration > Site-to-Site VPN > Connection Profiles > (choose your profile and select Edit) > Add the VPN client address pool network to the list of local networks among the protected networks. Again, click OK all the way back to the main ASDM window and hit Apply.

Next, allow the

ASA to redirect back out the same interface traffic that it receives

is set under Configuration > Device Setup > Interfaces (check box at the bottom of that screen). Click Apply.

Finally, there is the NAT exemption. For that, go to Configuration > Firewall > NAT Rules. Add a NAT Rule before Network Object Rules with Source Interface Outside, Source Address your VPN address pool, Destination Address including the remote subnets, and Action of Static Source NAT type with source address and destination address remaining as original (i.e., no NAT). One last time, click OK all the way back to the main ASDM window and hit Apply. Save and test.

Good luck. Please remember to rate helpful posts and mark when your question is answered.

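For readers who want to see what the four ASDM steps above produce in the running configuration (ASDM writes these same CLI lines for you), here is an added ASA 8.3+ CLI equivalent. It is not the poster's configuration or part of the linked documents; the object names (ANYCONNECT_GP, SPLIT_TUNNEL, L2L_CRYPTO, OUTSIDE_MAP, VPN_POOL, REMOTE_SITE) and the networks 10.10.0.0/16 (local LAN), 172.16.100.0/24 (AnyConnect pool) and 192.168.50.0/24 (remote site) are constructed placeholders.

```text
! --- Step 1: split-tunnel ACL for the AnyConnect group policy ---
! Both the local LAN and the remote site's LAN must be in the list, or
! the client sends remote-site traffic out its own Internet connection.
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 192.168.50.0 255.255.255.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! --- Step 2: crypto ACL for the site-to-site tunnel ---
! The AnyConnect pool is added as a second "local" (protected) network.
access-list L2L_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip 172.16.100.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO

! --- Step 3: allow traffic to leave the same interface it arrived on ---
! This is the "Enable traffic between two or more hosts connected to the
! same interface" check box under Device Setup > Interfaces.
same-security-traffic permit intra-interface

! --- Step 4: NAT exemption (identity NAT) for pool -> remote site ---
! Placed before the network-object (auto) NAT rules; assumes both the
! ingress and egress interface are "outside" because the traffic hairpins.
object network VPN_POOL
 subnet 172.16.100.0 255.255.255.0
object network REMOTE_SITE
 subnet 192.168.50.0 255.255.255.0
nat (outside,outside) 1 source static VPN_POOL VPN_POOL destination static REMOTE_SITE REMOTE_SITE no-proxy-arp route-lookup
```

Two checks worth doing after clicking Apply: the remote peer's crypto ACL must be the mirror image (its local LAN to both 10.10.0.0/16 and 172.16.100.0/24), otherwise the second security association never negotiates; and `packet-tracer input outside tcp 172.16.100.10 12345 192.168.50.10 443` on the ASA shows whether the NAT exemption and VPN encryption phases are hit before you involve a real client. Keep the split-tunnel list to the specific networks needed rather than tunnelling everything, since every network added there is reachable from any connected client.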

2 Replies


 

Thanks
