Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels


A couple questions:
1) Is the ASA a peer for the L2L tunnels?

2) Are crypto maps for the L2L tunnels on the same interface as the AnyConnect VPN?

3) Do you have the hairpin enabled?
I think so (lines 48/49 in attached txt)

4) Can you send a copy of the ASA configuration?
Attached. Note that this is not a production ASA; the config is still a work in progress. This should be considered "MainSite", and SiteA, SiteB, SiteC are satellites. RA VPNs terminate here at MainSite and should give access to SiteA, SiteB and (eventually) SiteC. SiteA has 2 IPSEC networks, the remote gateway & a /29; SiteB just has the remote gateway; SiteC will just be a /27. The tunnels that use the remote gateway are actually used for ingress traffic from the Sites.


On Wed, Jun 10, 2009 at 1:17 PM, Todd Simons <tsimons@xxxxxxxxxxxxxxx> wrote:
Hello All

We are using the Cisco AnyConnect Client for our remote users' access, with
a global tunnel. Internally we have a few corporate locations that are
linked by L2L tunnels (let's call them Site A, Site B and Site C). The Remote
Access clients who connect to Site A can't seem to use the L2L to Site B and
Site C.

Has anyone seen a document explaining how to do this?

Todd Simons
Lead IT Engineer
Delphi Technology, Inc.
303 George Street, 5th Floor
New Brunswick, NJ 08901

asa# show run
: Saved
ASA Version 8.2(1)
hostname asa
enable password MLadvSXcs1qpcQS3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address 63.x.x.220
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time EDT-4 recurring
dns domain-lookup outside
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list SiteA extended permit ip host A.x.x.66
access-list SiteA extended permit ip 63.x.x.208
access-list SiteB extended permit ip host B.x.x.162
access-list SiteC extended permit ip 63.x.x.224
access-list insideNoNat extended permit ip host B.x.x.162
access-list insideNoNat extended permit ip host A.x.x.66
access-list insideNoNat extended permit ip 63.x.x.208
access-list insideNoNat extended permit ip 63.x.x.224
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool mask
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list insideNoNat
nat (inside) 1
route outside 63.x.x.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 3
http server enable 2456
http inside
http outside
http B.x.x.160 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set S2SVPN esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay disable
crypto map OutsideVPN 192 match address SiteA
crypto map OutsideVPN 192 set pfs
crypto map OutsideVPN 192 set peer A.x.x.66
crypto map OutsideVPN 192 set transform-set S2SVPN
crypto map OutsideVPN 192 set nat-t-disable
crypto map OutsideVPN 193 match address SiteB
crypto map OutsideVPN 193 set pfs
crypto map OutsideVPN 193 set peer B.x.x.162
crypto map OutsideVPN 193 set transform-set S2SVPN
crypto map OutsideVPN 193 set nat-t-disable
crypto map OutsideVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh scopy enable
ssh inside
ssh outside
ssh B.x.x.160 outside
ssh timeout 20
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server source outside
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value
vpn-tunnel-protocol svc webvpn
default-domain value
address-pools value SSLClientPool
group-policy IPsecTunnels internal
group-policy IPsecTunnels attributes
vpn-filter none
vpn-tunnel-protocol IPSec
pfs enable
username tmsimons password G0y5hVQK8JjIb56Y encrypted privilege 15
username tmsimons attributes
vpn-group-policy SSLClientPolicy
service-type admin
tunnel-group A.x.x.66 type ipsec-l2l
tunnel-group A.x.x.66 general-attributes
default-group-policy IPsecTunnels
tunnel-group A.x.x.66 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group B.x.x.162 type ipsec-l2l
tunnel-group B.x.x.162 general-attributes
default-group-policy IPsecTunnels
tunnel-group B.x.x.162 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
: end
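As an added example (not part of the thread or of the attached configuration): the pieces an ASA 8.2 configuration needs for AnyConnect clients terminating on MainSite to reach SiteA across the L2L tunnel, which is what the hairpin question above is probing. POOL_NET/POOL_MASK and SITEA_NET/SITEA_MASK are placeholders for the pool and /29 values that are elided in the attachment, and the SiteA peer is assumed to carry the mirror-image crypto ACL.

```cisco
! Placeholders for values elided in the attached config:
!   POOL_NET/POOL_MASK   = the SSLClientPool subnet
!   SITEA_NET/SITEA_MASK = the /29 behind SiteA
!
! 1) Hairpin: AnyConnect traffic enters and leaves the same outside interface
same-security-traffic permit intra-interface
!
! 2) The SiteA crypto ACL must also select traffic sourced from the RA pool,
!    otherwise pool-to-SiteA packets never match the L2L SA and are dropped
!    or routed to the default gateway in the clear. The SiteA ASA needs the
!    mirror-image line (SITEA_NET -> POOL_NET) or phase 2 fails with a
!    proxy-identity mismatch.
access-list SiteA extended permit ip POOL_NET POOL_MASK SITEA_NET SITEA_MASK
crypto map OutsideVPN 192 match address SiteA
!
! 3) Pool traffic exits via the outside interface, so it must be exempted from
!    NAT on outside as well (insideNoNat only covers traffic entering inside).
!    Without this the pool address is PATed to the interface IP and no longer
!    matches the crypto ACL.
access-list outsideNoNat extended permit ip POOL_NET POOL_MASK SITEA_NET SITEA_MASK
nat (outside) 0 access-list outsideNoNat
!
! 4) With a full ("global") tunnel nothing more is needed on the client side;
!    with split tunneling SITEA_NET would have to be in the split network list.
group-policy SSLClientPolicy attributes
 split-tunnel-policy tunnelall
```

Verify with `show crypto ipsec sa peer A.x.x.66` after a client sends traffic: the local ident should show POOL_NET and the encaps counter should increment.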