Firewall Wizards mailing list archives
Re: Cisco AnyConnect Remote Access to L2L tunnels
From: "Todd Simons" <tsimons () delphi-tech com>
Date: Fri, 12 Jun 2009 15:30:48 -0400
I got it running (hairpin +NAT solved it), but I don't have external traffic (it's a global tunnel). For example Internal hosts to www.google.com works, but it doesn't work from a RA VPN. The RA VPN's use an IP Pool of addresses in my LAN subnet In my logs I see the "Built inbound TCP" connection, but I never get a response. Here's my NAT statements: global (outside) 1 interface nat (inside) 0 access-list insideNoNat nat (inside) 1 0.0.0.0 0.0.0.0 the insideNoNat contains our known addresses, no references to public subnets. ~Todd -----Original Message----- From: Christopher J. Wargaski [mailto:wargo1 () gmail com] Sent: Friday, June 12, 2009 11:26 AM To: Todd Simons Cc: Firewall Wizards Security Mailing List Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels Hey Todd-- I have not tried this before with AnyConnect VPNs, however, at one time, I think I had a similar set up with remote access IPsec VPNs and L2L tunnels. OK, you have the hairpin enabled and you the SSLClientPool IP block is included in the ACL that marks interesting traffic. Good. Have you watched the logs when an AnyConnect client is trying to access one of the remote L2L VPN locations? I am thinking right now that the "crypto map OutsideVPN 192 set nat-t-disable" may be the issue. Can you try enabling NAT-T cjw On Thu, Jun 11, 2009 at 7:47 AM, Todd Simons<tsimons () delphi-tech com> wrote:
Inline... A couple questions: 1) Is the ASA a peer for the L2L tunnels?Yes2) Are crypto maps for the L2L tunnels on the same interface as the AnyConnect VPN?Yes3) Do you have the hairpin enabled?I think so (lines 48/49 in attached txt)4) Can you send a copy of the ASA configuration?Attached. Note that this is not a production ASA, config is still a work in progress. This should be considered "MainSite" and SiteA, SiteB, SiteC are satellites, RA VPNs terminate here at MainSite and should give access to SiteA, Site and (eventually) SiteC. SiteA has 2 IPSEC Networks, the remote gateway & a /29, SiteB just has the remote gateway, Site C will just be a /27. The tunnels that use the remote gateway are actually used for ingress traffic from Sites.Thanks
## Scanned by Delphi Technology, Inc. ## CONFIDENTIALITY NOTICE This e-mail message from Delphi Technology, Inc. is intended only for the individual or entity to which it is addressed. This e-mail may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you received this e-mail by accident, please notify the sender immediately and destroy this e-mail and all copies of it. _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Cisco AnyConnect Remote Access to L2L tunnels Todd Simons (Jun 10)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Eric Gearhart (Jun 12)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Farrukh Haroon (Jun 12)
- Re: Cisco AnyConnect Remote Access to L2L tunnels schilling (Jun 12)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Christopher J. Wargaski (Jun 12)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Todd Simons (Jun 12)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Christopher J. Wargaski (Jun 14)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Todd Simons (Jun 14)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Eric Gearhart (Jun 14)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Todd Simons (Jun 16)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Chris Myers (Jun 19)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Eric Gearhart (Jun 19)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Todd Simons (Jun 23)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Todd Simons (Jun 12)