Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels



Todd - in your config this section really piqued my interest:

access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248
access-list SiteB extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162
access-list SiteC extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224

It looks to me like you have each site defined in the same class C
subnet, 192.168.168. Is that correct?

AFAIK that won't work... you have to break out different sites into
their own individual subnets.

Also you only need to define interesting traffic ACLs and nonat ACLs
for your inside subnets on both sides of the tunnel, not to the peer
IP... here's an example that I hope illustrates things:

In my example:
SiteA is 192.168.10.0/24
SiteB is 192.168.20.0/24
SiteC is 192.168.30.0/24

! So you're defining your 'SiteA to SiteB' interesting traffic here...
basically you're saying 'from SiteA to SiteB encrypt this traffic':
access-list SiteAtoSiteB extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! Here is SiteA to SiteC:
access-list SiteAtoSiteC extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

! Here the nonat statements are defined... you want to tell the ASA to
not nat from SiteA's subnet to SiteB's subnet, not the peer IP
address of the L2L tunnel:
access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

--
Eric
http://nixwizard.net
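A small checker for the points Eric raises, added here as an example that is not part of the post and not a vendor tool: it parses ASA-style `access-list ... extended permit ip` lines, assumes the NAT-exempt ACL is named insideNoNat, and flags crypto ACL entries with no matching nonat entry, entries whose remote side is a single host (likely the tunnel peer rather than the remote LAN), and remote subnets that overlap between sites. The config text is constructed.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample config (not from the post or a real device): SiteA's LAN plus
# three remote sites, with one deliberate mistake of each kind the post warns about.
SAMPLE_CONFIG = """
access-list SiteAtoSiteB extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list SiteAtoSiteC extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.128
access-list SiteAtoSiteD extended permit ip 192.168.10.0 255.255.255.0 host 203.0.113.5
access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
"""

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(host\s+\S+|\S+\s+\S+)\s+(host\s+\S+|\S+\s+\S+)\s*$"
)

def to_network(token):
    """Turn an ASA 'host A.B.C.D' or 'NET MASK' token into an ip_network."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'extended permit ip' lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            entry = (to_network(m.group(2)), to_network(m.group(3)))
            acls.setdefault(m.group(1), []).append(entry)
    return acls

def audit(config, nonat_name="insideNoNat"):
    """Return a list of findings; every ACL other than nonat_name is treated as a crypto ACL."""
    acls = parse_acls(config)
    nonat = set(acls.get(nonat_name, []))
    crypto = {n: e for n, e in acls.items() if n != nonat_name}
    findings = []
    for name, entries in crypto.items():
        for src, dst in entries:
            if (src, dst) not in nonat:  # traffic would be NATed before encryption
                findings.append(f"{name}: no {nonat_name} entry for {src} -> {dst}")
            if dst.prefixlen == 32:  # remote side should be the far LAN, not a host
                findings.append(f"{name}: remote side {dst} is a single host, expected a LAN subnet")
    for (n1, e1), (n2, e2) in combinations(crypto.items(), 2):
        for _, d1 in e1:
            for _, d2 in e2:
                if d1.overlaps(d2):  # ASA cannot choose one tunnel for overlapping remotes
                    findings.append(f"{n1}/{n2}: remote subnets {d1} and {d2} overlap")
    return findings
```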
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards