Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels



Adding the dynamic NAT on the outside interface fixed it! Thanks!



From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
Eric Gearhart
Sent: Friday, June 19, 2009 7:13 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels



On Sun, Jun 14, 2009 at 7:41 AM, Todd Simons <tsimons@xxxxxxxxxxxxxxx>
wrote:

Eric-

At this point I have this working via Hairpinning, my only problem at this point is that RemoteAccess VPNs (which are a global vpn setup) can't browse the internet or use external hosts that are not part of my sites.

~Todd


Todd,

Sorry about the confusion... glad to hear you have things working.

Re: the remote access clients' Internet access... you can use split
tunnels to have clients connect but only your tunnel subnets are routed
over their tunnel connection... regular internet access would go through
the clients' ISP, not over the tunnel. Is that an option?

If that's not an option, I think that you would have to set up dynamic
NAT on your outside interface and set up NAT exceptions for your internal
subnets for the RA clients to have regular Internet but still hit the
tunnel correctly... Cisco sees remote VPN clients as incoming through
the outside interface (which is annoying... I wish they'd just set up a
virtual tunnel interface on the ASA like they do on their router VPN
tunnels....)

I haven't set this up though so I'm shooting in the dark a bit on this
one... I have split tunnels set up for my work ASA VPN and it works quite
well.

--
Eric
http://nixwizard.net



_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
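The configuration Eric describes and Todd confirms (dynamic NAT on the outside interface plus NAT exemptions for the tunnel networks, with split tunneling as the alternative) is sketched below as an added example; it is not configuration from either poster. It uses the ASA 8.2-style `nat`/`global` syntax current when the thread was written in 2009 (ASA 8.3 and later replaced this with object and twice NAT, so the NAT lines would need rewriting there). The interface names, address pool, LAN prefixes, ACL and group-policy names are all constructed for illustration.

```cisco
! ---- Addressing (constructed for this example) ----
! 10.250.0.0/24  : pool handed to AnyConnect / IPsec remote-access (RA) clients
! 192.168.10.0/24: LAN behind this ASA's inside interface
! 192.168.20.0/24: LAN at the far site, reached over the existing L2L tunnel
ip local pool RA_POOL 10.250.0.1-10.250.0.254 mask 255.255.255.0

! Hairpinning: permit traffic that entered on the outside interface to leave
! through the outside interface again (RA client -> Internet, RA client -> L2L peer).
same-security-traffic permit intra-interface

! Existing LAN-to-Internet PAT, shown for context; it shares global pool 1.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Dynamic PAT for RA clients. The ASA treats RA clients as arriving on the
! outside interface, so the nat statement is bound to "outside": pool addresses
! are translated to the outside interface address when a packet exits outside
! toward the Internet.
nat (outside) 1 10.250.0.0 255.255.255.0

! NAT exemption (nat 0) for flows that must stay untranslated. Exemptions are
! evaluated before the dynamic rule, so only real Internet destinations fall
! through to PAT.
!   ingress outside: RA client -> local LAN, RA client -> far L2L site
access-list NO_NAT_OUTSIDE extended permit ip 10.250.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NO_NAT_OUTSIDE extended permit ip 10.250.0.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (outside) 0 access-list NO_NAT_OUTSIDE
!   ingress inside: local LAN -> RA client, local LAN -> far L2L site
access-list NO_NAT_INSIDE extended permit ip 192.168.10.0 255.255.255.0 10.250.0.0 255.255.255.0
access-list NO_NAT_INSIDE extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NO_NAT_INSIDE

! Crypto ACL referenced by the existing L2L crypto map entry: it must also carry
! the RA pool (and the far peer's mirror ACL must include it), otherwise
! pool -> 192.168.20.0/24 packets miss the tunnel and are PAT'd to the Internet.
access-list L2L_SITE_B extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list L2L_SITE_B extended permit ip 10.250.0.0 255.255.255.0 192.168.20.0 255.255.255.0

! Full-tunnel group policy (Todd's "global" setup): every client packet,
! Internet traffic included, crosses the VPN and is filtered and logged by the
! ASA's outside ACL on the way back out.
group-policy RA_GP internal
group-policy RA_GP attributes
 split-tunnel-policy tunnelall

! Eric's alternative: split tunnel. Only the listed networks ride the VPN; the
! client's Internet traffic leaves via its own ISP, so no hairpin PAT is needed,
! but that traffic is also never seen or inspected by the ASA.
access-list SPLIT_NETS standard permit 192.168.10.0 255.255.255.0
access-list SPLIT_NETS standard permit 192.168.20.0 255.255.255.0
group-policy RA_GP_SPLIT internal
group-policy RA_GP_SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_NETS
```

To check which path a given client flow takes, `packet-tracer input outside tcp 10.250.0.5 1025 <destination> 80` walks the NAT and crypto lookups on the ASA itself; `show xlate` should then show pool addresses translated only for Internet destinations, and `show crypto ipsec sa` should show the pool-to-far-site flow counted under the L2L SA rather than appearing in the translation table.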

