Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels



Inline...

A couple questions:
1) Is the ASA a peer for the L2L tunnels?
Yes

2) Are crypto maps for the L2L tunnels on the same interface as the AnyConnect VPN?
Yes

3) Do you have the hairpin enabled?
I think so (lines 48/49 in attached txt)

4) Can you send a copy of the ASA configuration?
Attached. Note that this is not a production ASA; the config is still a work in progress. This should be considered "MainSite", and SiteA, SiteB, SiteC are satellites; RA VPNs terminate here at MainSite and should give access to SiteA, SiteB and (eventually) SiteC. SiteA has 2 IPSEC networks, the remote gateway and a /29; SiteB just has the remote gateway; SiteC will just be a /27. The tunnels that use the remote gateway are actually used for ingress traffic from the Sites.

Thanks



On Wed, Jun 10, 2009 at 1:17 PM, Todd Simons<tsimons@xxxxxxxxxxxxxxx> wrote:
Hello All

We are using the Cisco AnyConnect Client for our remote users' access, with
a global tunnel. Internally we have a few corporate locations that are
linked by L2L tunnels (let's call them Site A, Site B and Site C). The Remote
Access clients who connect to Site A can't seem to use the L2L to Site B and
Site C.

Has anyone seen a document explaining how to do this?

Todd Simons

Lead IT Engineer

TSimons@xxxxxxxxxxxxxxx



Delphi Technology, Inc.

303 George Street, 5th Floor

New Brunswick, NJ 08901

www.delphi-tech.com




_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



asa# show run
: Saved
:
ASA Version 8.2(1)
!
hostname asa
domain-name SomeDomain.com
enable password MLadvSXcs1qpcQS3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.168.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 63.x.x.220 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time EDT-4 recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 204.117.214.10
name-server 204.97.212.10
domain-name somedomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248
access-list SiteB extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162
access-list SiteC extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.168.201-192.168.168.230 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list insideNoNat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 63.x.x.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 3
http server enable 2456
http 0.0.0.0 0.0.0.0 inside
http A.xxx.xxx.66.64 255.255.255.224 outside
http B.x.x.160 255.255.255.248 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set S2SVPN esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay disable
crypto map OutsideVPN 192 match address SiteA
crypto map OutsideVPN 192 set pfs
crypto map OutsideVPN 192 set peer A.x.x.66
crypto map OutsideVPN 192 set transform-set S2SVPN
crypto map OutsideVPN 192 set nat-t-disable
crypto map OutsideVPN 193 match address SiteB
crypto map OutsideVPN 193 set pfs
crypto map OutsideVPN 193 set peer B.x.x.162
crypto map OutsideVPN 193 set transform-set S2SVPN
crypto map OutsideVPN 193 set nat-t-disable
crypto map OutsideVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh A.xxx.xxx.66.64 255.255.255.224 outside
ssh B.x.x.160 255.255.255.248 outside
ssh timeout 20
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.168.221-192.168.168.229 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 69.94.125.29 source outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.168.1
vpn-tunnel-protocol svc webvpn
default-domain value SomeDomain.com
address-pools value SSLClientPool
group-policy IPsecTunnels internal
group-policy IPsecTunnels attributes
vpn-filter none
vpn-tunnel-protocol IPSec
pfs enable
username tmsimons password G0y5hVQK8JjIb56Y encrypted privilege 15
username tmsimons attributes
vpn-group-policy SSLClientPolicy
service-type admin
tunnel-group A.x.x.66 type ipsec-l2l
tunnel-group A.x.x.66 general-attributes
default-group-policy IPsecTunnels
tunnel-group A.x.x.66 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group B.x.x.162 type ipsec-l2l
tunnel-group B.x.x.162 general-attributes
default-group-policy IPsecTunnels
tunnel-group B.x.x.162 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0080a5d48e560bb40191b1b8bfc77ee7
: end
asa#
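A config sanity check, added here as an example and not code from the thread or from Cisco: it parses the ASA 8.2 lines of interest (a constructed excerpt of the config above, with documentation-range addresses standing in for the site peers) and reports whether the AnyConnect pool is covered by the crypto ACLs and the nat 0 exemption, whether hairpinning is enabled, and whether the pool collides with the inside dhcpd range.

```python
import ipaddress
import re

# Constructed excerpt modelled on the ASA 8.2 config in the thread; the site
# peer and subnet addresses are documentation ranges, not the poster's real ones.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 host 192.0.2.66
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 198.51.100.208 255.255.255.248
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host 192.0.2.66
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 198.51.100.208 255.255.255.248
ip local pool SSLClientPool 192.168.168.201-192.168.168.230 mask 255.255.255.0
nat (inside) 0 access-list insideNoNat
crypto map OutsideVPN 192 match address SiteA
dhcpd address 192.168.168.221-192.168.168.229 inside
"""

def ip_range(text):
    """Expand an ASA 'first-last' address range into the list of addresses."""
    lo, hi = (ipaddress.ip_address(x) for x in text.split("-"))
    return [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]

def acl_sources(cfg, name):
    """Source networks of the 'permit ip <net> <mask> ...' lines in an extended ACL."""
    pat = re.compile(rf"^access-list {re.escape(name)} extended permit ip (\S+) (\S+) ", re.M)
    return [ipaddress.ip_network(f"{src}/{mask}") for src, mask in pat.findall(cfg)]

def covered(addrs, nets):
    """True when every address is matched by at least one network."""
    return all(any(a in n for n in nets) for a in addrs)

def check_config(cfg):
    """Is the RA pool 'interesting traffic' for the L2L tunnels and exempt from NAT?"""
    pool = ip_range(re.search(r"^ip local pool \S+ (\S+) ", cfg, re.M)[1])
    crypto_acls = re.findall(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    dhcp = re.search(r"^dhcpd address (\S+) inside", cfg, re.M)
    return {
        # hairpin: RA clients enter and leave on the same outside interface
        "hairpin": re.search(r"^same-security-traffic permit intra-interface$", cfg, re.M) is not None,
        "pool_in_crypto_acls": {a: covered(pool, acl_sources(cfg, a)) for a in crypto_acls},
        "pool_nat_exempt": nat0 is not None and covered(pool, acl_sources(cfg, nat0[1])),
        # addresses handed out both to VPN clients and by inside DHCP would collide
        "pool_overlaps_dhcp": dhcp is not None and bool(set(pool) & set(ip_range(dhcp[1]))),
    }

if __name__ == "__main__":
    for key, value in check_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Only the MainSite side is checked; the remote peers' crypto ACLs must mirror the same pool or the far end will drop the hairpinned traffic.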