Simultaneous VPN with different attributes

Hi everyone,

I have been struggling with an ASA for weeks now because of very particular requirements. Our offices have just started using AnyConnect as a main VPN Client. Everything was working ok. 

But now I have a group of Apple clients that will not use the AnyConnect client and need to use the built-in IPSec Client in macOS Sierra. So I configured another Tunnel Group and everything was working ok. 

Now I'm stuck. These Apple clients (that use the built-in client) need to redirect ALL TRAFFIC to the ASA and use the corporate internet access to reach the internet. This VPN must also work from inside the corporate network because they need to bypass A LOT of restrictions (websockets, filtering, etc.). 

I have this:

For AnyConnect I configured:

domain-name XX.com
ip local pool VPNPool 172.16.10.10-172.16.10.200 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 20
!
interface Ethernet0/1
switchport access vlan 10
!
interface Vlan10
nameif inside
security-level 100
ip address 172.16.11.1 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
ip address 190.X.X.59 255.255.255.240
!
dns server-group DefaultDNS
name-server 10.100.1.9
name-server 8.8.8.8
domain-name XX.com
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network LANCR-MAIN
subnet 10.100.0.0 255.255.254.0
object network LANVPN
subnet 172.16.10.0 255.255.255.0
!
access-list Split-Tunnel-ACL standard permit 10.100.0.0 255.255.254.0
access-list Split-Tunnel-ACL standard permit 172.16.10.0 255.255.255.0
!
nat (inside,outside) source static LANCR-MAIN LANCR-MAIN destination static LANVPN LANVPN
nat (inside,outside) source dynamic LANCR-MAIN interface
!
route outside 0.0.0.0 0.0.0.0 190.X.X.57 1
route inside 10.100.0.0 255.255.254.0 172.16.11.2 1
!
ip verify reverse-path interface inside
ip verify reverse-path interface outside
!
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0// Mac, Windows and Linux
anyconnect enable
tunnel-group-list enable
!
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
!
group-policy GroupPolicy_VPNCR internal
group-policy GroupPolicy_VPNCR attributes
wins-server none
dns-server value 10.100.1.9 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel-ACL
default-domain value XX.com
!
tunnel-group VPN_AnyConnect type remote-access
tunnel-group VPN_AnyConnect general-attributes
address-pool VPNPool
default-group-policy GroupPolicy_VPNCR
tunnel-group VPN_AnyConnect webvpn-attributes
group-alias VPN_AnyConnect enable
!
username mcallejas password cisco123 encrypted
username mcallejas attributes
service-type remote-access
!

Then, to have the Built-in MacOS client functional:

I just added:

!
access-list inside_access_in extended permit ip any any
access-list no_nat extended permit ip 10.100.0.0 255.255.254.0 172.16.10.0 255.255.255.0
access-list no_nat extended permit ip 10.100.0.0 255.255.254.0 172.16.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.0
access-list outside_access_in extended permit ip any any
!
ip local pool CTVPN-Pool 172.16.20.10-172.16.20.20 mask 255.255.255.192
!
object network LANVPNBuiltIn
subnet 172.16.20.0 255.255.255.0
!
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
!
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
!
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
!
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
!
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.100.1.9
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel-ACL
tunnel-group DefaultRAGroup general-attributes
address-pool CTVPN-Pool
!
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key password123
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!

Please help me. Am I doing something wrong?

I just want people who connect through this built-in macOS client to be able to redirect all traffic to the VPN and use the internet from it. Even (especially) from inside the same company (10.100.0.0/23).

Thanks,

Regards

Accepted Solution

Hi Miguel,

Considering you changed from split tunnel to tunnel all, you need to configure U-turn on the ASA so your clients can connect to your outside and go back to the outside for internet traffic:

same-security-traffic permit intra-interface

object network LANVPNBuiltIn
nat (outside,outside) dynamic interface

After applying those 2 commands let me know if you still have internet connectivity issues.

U-turn configuration guide:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html

Hope this info helps!!

Rate if it helps you!! 

-JP-

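The two prerequisites JP names (intra-interface traffic permitted, plus an object NAT on the outside interface covering the VPN pool) are easy to miss when a policy is flipped from split tunnel to tunnel-all, as happened in Miguel's update. The following is an added example, not code from the thread, the ASA, or Cisco: a small Python audit that parses the handful of ASA commands involved and reports tunnel-all remote-access groups missing either prerequisite. The BEFORE/AFTER configs are constructed from the posted configuration (pre-shared key replaced by a placeholder); the parser understands only the commands the check needs and is not a general ASA config parser.

```python
"""Audit an ASA config fragment for tunnel-all policies lacking u-turn prerequisites:
  same-security-traffic permit intra-interface
  nat (outside,outside) dynamic interface   on an object network covering the VPN pool
Added example, toy parser; not Cisco tooling."""
import ipaddress
import re

SECTION_RE = re.compile(
    r"^(?:(group-policy)\s+(\S+)\s+attributes"
    r"|(tunnel-group)\s+(\S+)\s+general-attributes"
    r"|(object)\s+network\s+(\S+))\s*$"
)
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+$")
OBJECT_NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) dynamic interface$")
# Any other line starting with one of these is a new top-level command and ends the sub-mode.
RESET_PREFIXES = ("group-policy ", "tunnel-group ", "object ", "webvpn", "crypto ",
                  "interface ", "class-map ", "access-list ", "access-group ",
                  "route ", "username ", "dns ", "ip ")


def parse_asa(config):
    """Extract only what the u-turn check needs from an ASA config."""
    st = {"intra_interface": False, "pools": {}, "policies": {},
          "tunnel_groups": {}, "objects": {}}
    section = None                      # (kind, name) of the sub-mode being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            section = None
            continue
        m = SECTION_RE.match(line)
        if m:
            kind = m.group(1) or m.group(3) or m.group(5)
            name = m.group(2) or m.group(4) or m.group(6)
            section = (kind, name)
            if kind == "group-policy":
                st["policies"].setdefault(name, None)
            elif kind == "tunnel-group":
                st["tunnel_groups"].setdefault(name, {"pool": None, "policy": None})
            else:
                st["objects"].setdefault(name, {"subnet": None, "nat": []})
            continue
        if line == "same-security-traffic permit intra-interface":
            st["intra_interface"] = True
            continue
        m = POOL_RE.match(line)
        if m:
            st["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                       ipaddress.ip_address(m.group(3)))
            continue
        if line.startswith(RESET_PREFIXES):
            section = None
            continue
        if section is None:
            continue
        kind, name = section
        words = line.split()
        if kind == "group-policy" and words[0] == "split-tunnel-policy":
            st["policies"][name] = words[1]
        elif kind == "tunnel-group" and words[0] == "address-pool":
            st["tunnel_groups"][name]["pool"] = words[1]
        elif kind == "tunnel-group" and words[0] == "default-group-policy":
            st["tunnel_groups"][name]["policy"] = words[1]
        elif kind == "object" and words[0] == "subnet":
            st["objects"][name]["subnet"] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif kind == "object":
            m = OBJECT_NAT_RE.match(line)
            if m:
                st["objects"][name]["nat"].append((m.group(1), m.group(2)))
    return st


def audit_tunnel_all(config):
    """Return one finding per missing u-turn prerequisite; [] means none missing."""
    st = parse_asa(config)
    findings = []
    for tg, attrs in st["tunnel_groups"].items():
        policy = attrs["policy"] or "DfltGrpPolicy"      # ASA default when unset
        if st["policies"].get(policy) != "tunnelall":
            continue                                     # split tunnel: no hairpin needed
        if not st["intra_interface"]:
            findings.append(f"{tg}: tunnelall without 'same-security-traffic permit intra-interface'")
        pool = st["pools"].get(attrs["pool"])
        if pool is None:
            findings.append(f"{tg}: address-pool {attrs['pool']} is not defined")
            continue
        first, last = pool
        covered = any(o["subnet"] is not None and first in o["subnet"] and last in o["subnet"]
                      and ("outside", "outside") in o["nat"] for o in st["objects"].values())
        if not covered:
            findings.append(f"{tg}: no 'nat (outside,outside) dynamic interface' object covers {attrs['pool']}")
    return findings


# Constructed from the posted config after the switch to tunnelall (PSK is a placeholder).
BEFORE = """\
same-security-traffic permit inter-interface
!
ip local pool CTVPN-Pool 172.16.20.10-172.16.20.20 mask 255.255.255.192
!
object network LANVPNBuiltIn
 subnet 172.16.20.0 255.255.255.0
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 split-tunnel-policy tunnelall
!
tunnel-group DefaultRAGroup general-attributes
 address-pool CTVPN-Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <REDACTED-PSK>
"""
# The same config with JP's two additions applied.
AFTER = BEFORE.replace(
    "same-security-traffic permit inter-interface",
    "same-security-traffic permit inter-interface\nsame-security-traffic permit intra-interface",
).replace(
    " subnet 172.16.20.0 255.255.255.0",
    " subnet 172.16.20.0 255.255.255.0\n nat (outside,outside) dynamic interface",
)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_tunnel_all(cfg) or "u-turn prerequisites present")
```

Run against a `show running-config` export, the audit flags the exact gap Miguel hit (traffic reaches the ASA but is never PATed back out). It deliberately ignores twice-NAT (`nat (inside,outside) source ...`) lines, which do not provide the outside-to-outside translation the hairpin needs.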

3 Replies

As an update, I have tried this change:

group-policy DefaultRAGroup attributes
dns-server value 10.100.1.9
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelall
tunnel-group DefaultRAGroup general-attributes
address-pool CTVPN-Pool

All traffic is redirected to the ASA, which is good. But I lost internet access. The ASA does not forward traffic (using PAT) to the internet. 

Best regards,

Miguel


Thanks! 

That worked perfectly!

Although I have a really weird issue now. When I share internet from an iPhone (hotspot) and use the AnyConnect client, even if I have split tunnel configured and "Allow LAN access" checked, all the traffic is redirected to the ASA.

With AnyConnect, it should only redirect the interesting traffic and use the local internet access (on the client side) to reach the internet.

It only happens with the iPhone, every other internet connection has no problems.

Regards

Miguel