Firewall Wizards mailing list archives

Re: Cisco AnyConnect Remote Access to L2L tunnels


From: "Todd Simons" <tsimons () delphi-tech com>
Date: Sun, 14 Jun 2009 10:41:07 -0400

Eric-

This ASA doesn't handle connecting SiteA to SiteB or SiteC, they have
their own connections in their own ASAs.

This is technically "SiteD", which locally uses 192.168.168.0 for all
internal hosts and remote access hosts.  The local and remote access
hosts need to access SiteA, SiteB, and SiteC.

At this point I have this working via Hairpinning, my only problem at
this point is that RemoteAccess VPNs (which are a global vpn setup)
can't browse the internet or use external hosts that are not part of my
sites.

~Todd

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of
Eric Gearhart
Sent: Saturday, June 13, 2009 2:40 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels

Todd - in your config this section really piqued my interest:

access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248
access-list SiteB extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162
access-list SiteC extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224

It looks to me like you have each site defined in the same class C
subnet, 192.168.168. Is that correct?

AFAIK that won't work... you have to break out different sites into
their own individual subnets.

Also you only need to define interesting traffic ACLs and nonat ACLs
for your inside subnets on both sides of the tunnel, not to the peer
IP... here's an example that I hope illustrates things:

In my example:
SiteA is 192.168.10.0/24
SiteB is 192.168.20.0/24
SiteC is 192.168.30.0/24

! So you're defining your 'SiteA to SiteB' interesting traffic here...
! basically you're saying 'from SiteA to SiteB encrypt this traffic':
access-list SiteAtoSiteB extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! Here is SiteA to SiteC:
access-list SiteAtoSiteC extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

! Here the nonat statements are defined... you want to tell the ASA to
! not nat from SiteA's subnet to SiteB's subnet, not the peer IP
! address of the L2L tunnel:
access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

--
Eric
http://nixwizard.net
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
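
An added example, not part of either message and not Cisco tooling: a small Python check for the ACL points raised in the quoted reply (entries written subnet-to-subnet, distinct subnets on each side, and a nonat entry mirroring every interesting-traffic entry). The ACL name insideNoNat comes from the thread; the sample addresses and the SiteAtoSiteD ACL are constructed, and the parser assumes only the `any`, `host X` and `network mask` address forms.

```python
import ipaddress
import re

# Constructed sample config (not from the thread).
SAMPLE = """\
access-list SiteAtoSiteB extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list SiteAtoSiteC extended permit ip 192.168.168.10 255.255.255.0 192.168.30.0 255.255.255.0
access-list SiteAtoSiteD extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")

def take_net(tokens):
    """Consume one address spec from tokens; return (network, host_bits_set)."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0"), False
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32"), False
    net = ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)
    return net, str(net.network_address) != first

def audit(config, nonat_acl="insideNoNat"):
    """Return (acl, issue, 'src -> dst') findings for permit-ip entries."""
    entries, findings = {}, []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, tokens = m.group(1), m.group(2).split()
        src, src_bad = take_net(tokens)
        dst, dst_bad = take_net(tokens)
        pair = f"{src} -> {dst}"
        if src_bad or dst_bad:      # a host address paired with a subnet mask
            findings.append((name, "host-bits", pair))
        if src.overlaps(dst):       # both ends of the tunnel in the same subnet
            findings.append((name, "overlap", pair))
        entries.setdefault(name, set()).add((src, dst))
    exempt = entries.get(nonat_acl, set())
    for name, pairs in entries.items():
        if name != nonat_acl:
            for src, dst in sorted(pairs - exempt):  # no matching NAT exemption
                findings.append((name, "no-nonat", f"{src} -> {dst}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```
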
