How can I create a Cisco AnyConnect VPN to secondary internal network

sm100
Level 1

Hi,

I am trying to create a Cisco AnyConnect VPN connection to a secondary internal network. Is this possible? Below is a diagram for an example of how our network is set up...

[Diagram: CIscoAnyConnectVPN.png]

Has anyone else run into this before? Could someone please give me an example of how to set this up? My router is a TP-Link router and my firewall is the ASA-5506 model.

 

UPDATE1: I noticed I had the wrong IP address in the picture for the Computer in Office2.

UPDATE2: The desired connection is actually meant to go to the internal network of 172.16.2.0/24, not just that one computer.


13 Replies

Francesco Molino
VIP Alumni
Hi,

Do you want to build up the AnyConnect session to your Office2 router, or on your WAN IP and be routable from the AnyConnect client to your Office2?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

I am not sure if I understand your question completely.

I want to build the AnyConnect client to connect to the Internal Network router so that I can connect to the computer inside the Office2 network from any location outside.

Thanks.

Ok. You want to build AnyConnect to your WAN router/firewall. What device do you have facing the internet, where you have your public IP?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I have two WAN IPs on two different routers (as shown in the example). The first router (TP-Link), provided by the ISP, is facing the public IP. The second is an ASA-5506 firewall. I want to build the AnyConnect to the ASA-5506 firewall.

Ok, follow this guide first: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html

When you create your split ACL, you have to put your Office2 LAN in it; then the AnyConnect client will be able to access your Office2 LAN.

After you've done it, if you have any issue, let me know.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
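As an added example (not from the original thread, and not the configuration from the Cisco guide linked above), here is the shape of an ASA configuration that implements what Francesco describes: a split-tunnel ACL carrying the Office2 LAN (172.16.2.0/24, taken from the question) so AnyConnect clients send only that prefix through the tunnel, plus a NAT exemption so replies from Office2 hosts to the VPN pool are not translated. The pool range 10.10.10.0/24, the object, group-policy and tunnel-group names, the interface names "inside"/"outside" and the AnyConnect package filename are assumptions to adapt to your own setup. The ASA's outside address (192.168.1.3 in this thread) sits behind the TP-Link, so the TP-Link must forward TCP 443 to it (and UDP 443 as well if you want DTLS); without that forward nothing below is reachable from the internet, which is the problem the later replies deal with.

```cisco
! --- Address pool handed to AnyConnect clients (assumed range) ---
ip local pool ANYCONNECT-POOL 10.10.10.10-10.10.10.50 mask 255.255.255.0

! --- Objects for the Office2 LAN (from the question) and the VPN pool ---
object network OFFICE2-LAN
 subnet 172.16.2.0 255.255.255.0
object network ANYCONNECT-NET
 subnet 10.10.10.0 255.255.255.0

! --- Split-tunnel ACL: only this prefix is routed into the tunnel.
!     Add one "permit" line per internal subnet clients should reach. ---
access-list SPLIT-TUNNEL standard permit 172.16.2.0 255.255.255.0

! --- NAT exemption (identity NAT) so traffic between Office2 and the
!     VPN pool is not translated on its way through the ASA ---
nat (inside,outside) source static OFFICE2-LAN OFFICE2-LAN destination static ANYCONNECT-NET ANYCONNECT-NET no-proxy-arp route-lookup

! --- Enable the SSL VPN listener on the outside interface (TCP/UDP 443) ---
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<VERSION>-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

! --- Group policy: SSL client only, split tunnelling to the listed networks ---
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! --- Tunnel group tying the pool and policy together; the alias is what
!     users pick in the AnyConnect client ---
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias Office2 enable

! --- Verification once a client is connected ---
! show vpn-sessiondb anyconnect
! show nat detail
! show route
```

Once a client is connected, "show vpn-sessiondb anyconnect" should list the session, and the client's own route table should contain 172.16.2.0/24 pointing at the virtual adapter. If the session comes up but Office2 hosts do not answer, check "show nat detail" for hit counts on the exemption rule and confirm that the inside router has a route back to the 10.10.10.0/24 pool via the ASA.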

Hi Francesco,

I am probably not understanding something, but we cannot connect to the firewall from the outside because it has no outside-facing IP address. Only the TP-Link router has the public IP address (see diagram above).

The AnyConnect VPN used to work just fine before we switched to another ISP. The new ISP provided us with this TP-Link router, which sits facing the outside and has the firewall connected to it on the LAN side of the TP-Link router. The TP-Link router has these system routes set up.

System Routing Table

ID  Destination Network  Subnet Mask      Gateway      Interface
1   104.28.11.1          255.255.255.255  0.0.0.0      WAN
2   192.168.1.0          255.255.255.0    0.0.0.0      LAN & WLAN
3   0.0.0.0              0.0.0.0          104.28.11.1  WAN

I tried following the article at the link you sent in the previous message, but I can't get it to work because the WAN IP (192.168.1.3) of the firewall is unreachable from the outside.

Yes, I understand that your TP-Link router has the public IP. On re-reading my post, I see I forgot to mention that you will need to NAT the IPsec ports/protocol from the TP-Link, which has the public IP, to your ASA outside IP. This allows users to connect to the public IP and get redirected to your ASA for the VPN to come up.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I'm sorry, but I don't see where the NAT settings are on this TP-Link router. Here is the menu in the router...

[Image: TP-Link menu.JPG]

I said IPsec, but for AnyConnect it's only HTTPS.
You have a menu called Forwarding. The real name would be port forwarding.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thank you for all your effort in trying to assist me with this, but port forwarding doesn't seem to be a good option for us at this time.

Thanks again!

Ok, no problem. Anyway, you don't have too much choice in your design, unless you decide to remove your router and attach the public subnet directly to your ASA.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thank you very much for your input! We are considering what our options are... such as setting the public router up in bridged mode.

Thanks again!

No problem. Let me know if you need more help.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question