How to access the local network of a tunneled site via cisco any connect

Herald Sison
Level 3

Hi all,

Hope you have a good day.

I have been wondering why all remote users via Cisco AnyConnect cannot access the local network of a remote tunneled site.

The scenario is: I have two sites, Site A connected via site-to-site VPN to Site B, and I have set up a Cisco AnyConnect VPN in Site A. Now I want the remote users to access the local network of Site A (apparently they can access it now) and also the local network of Site B (they cannot access it now, and there is no Cisco AnyConnect VPN set up on this site).

Can anyone show me a sample configuration for a Cisco ASA5506, either ASDM or CLI?

One more thing:

I have a problem with my Cisco AnyConnect VPN. Every time we connect to it and try to browse with any browser, I get a very slow connection; sometimes it gives me no internet connection.

Hope to hear from you soon.

Thank you so much everyone

1 Reply

shgrover
Cisco Employee

Hello Herald,

I believe the topology right now is:

---networkX---Site A====site-to-site IPsec====Site B---networkY---
                 ||
                 ||
          AnyConnect (PoolZ)

Let's assume the local network behind Site A is networkX, behind Site B is networkY, and the AnyConnect IP pool is defined by PoolZ.

You have a crypto ACL on Site A which has an ACE (networkX to networkY); similarly on Site B (networkY to networkX).
On Site A, please add to these ACLs (PoolZ to networkY) and on Site B (networkY to PoolZ). You will of course have to define an object or network; you won't be able to add the pool directly.
On the AnyConnect config, you will need to add networkY to the split ACL so the AnyConnect users have access to this network behind Site B. This will work only if the AnyConnect split tunnel policy is "includeall".

Make sure you have a NAT statement defined on the outside interface of Site A which will exempt traffic going from AnyConnect to Site B; it will be outside interface to outside interface.

Something like this:

nat (outside,outside) source static poolZ poolZ destination static networkY networkY

I have assumed that you have an ASA; however, even if you are using routers, the logic remains the same.

Let me know if you face any issues.

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question
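A worked ASA CLI configuration for the steps in the reply above, added here as an example (not the poster's or Cisco's own config): object names, ACL names and the 10.x.x.x subnets are constructed for illustration, and it assumes the AnyConnect group policy uses tunnelspecified split tunneling with a network list. It also adds the intra-interface permit that an outside-to-outside hairpin needs on an ASA.

```cisco
! ---------- Site A ASA (hosts the AnyConnect headend) ----------
! Hypothetical objects; addresses are constructed for the example.
object network NETWORK_X
 subnet 10.10.0.0 255.255.255.0
object network NETWORK_Y
 subnet 10.20.0.0 255.255.255.0
object network POOL_Z
 subnet 10.30.0.0 255.255.255.0
! The pool itself cannot be referenced in a crypto ACL; POOL_Z above covers it.
ip local pool VPN_POOL 10.30.0.1-10.30.0.254 mask 255.255.255.0
!
! Crypto ACL for the Site A <-> Site B tunnel: the existing ACE plus the new
! ACE that makes PoolZ -> networkY interesting traffic for the tunnel.
access-list SITEA_TO_SITEB extended permit ip object NETWORK_X object NETWORK_Y
access-list SITEA_TO_SITEB extended permit ip object POOL_Z object NETWORK_Y
!
! AnyConnect traffic bound for Site B enters and leaves on the outside
! interface; the ASA drops that hairpin unless it is permitted explicitly.
same-security-traffic permit intra-interface
!
! NAT exemptions: the existing one for the LAN-to-LAN tunnel, and the new
! outside-to-outside one for the hairpinned AnyConnect traffic.
nat (inside,outside) source static NETWORK_X NETWORK_X destination static NETWORK_Y NETWORK_Y
nat (outside,outside) source static POOL_Z POOL_Z destination static NETWORK_Y NETWORK_Y
!
! Split-tunnel list: networkX was already present; networkY is added so the
! client sends it through the VPN instead of its local default route.
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.20.0.0 255.255.255.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! ---------- Site B ASA (no AnyConnect) ----------
object network NETWORK_X
 subnet 10.10.0.0 255.255.255.0
object network NETWORK_Y
 subnet 10.20.0.0 255.255.255.0
object network POOL_Z
 subnet 10.30.0.0 255.255.255.0
! Mirror ACE so Site B's crypto ACL is the exact reverse of Site A's.
access-list SITEB_TO_SITEA extended permit ip object NETWORK_Y object NETWORK_X
access-list SITEB_TO_SITEA extended permit ip object NETWORK_Y object POOL_Z
! Exemption so replies to the pool leave untranslated and match the crypto ACL.
nat (inside,outside) source static NETWORK_Y NETWORK_Y destination static POOL_Z POOL_Z
```

To check the Site A side before touching a client, `packet-tracer input outside icmp 10.30.0.5 8 0 10.20.0.10` shows whether the NAT exemption and the crypto ACL are hit and whether the hairpin is allowed.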