Firewall Wizards mailing list archives
Re: Cisco AnyConnect Remote Access to L2L tunnels
From: Chris Myers <clmmacunix () charter net>
Date: Wed, 17 Jun 2009 21:48:28 -0500
You might play around with intra vs. inter interface, because they may not go to the internet because they are going back out the same interface they came in. This would create a spoofing incident. It may not be seen in the logs. Cisco is synonymous with dropping things silently.
Chris Myers clmmacunix () charter net John 1:17For the Law was given through Moses; grace and truth were realized through Jesus Christ.
Go Vols!!!! On Jun 14, 2009, at 9:41 AM, Todd Simons wrote:
Eric- This ASA doesn't handle connecting SiteA to SiteB or SiteC, they have their own connections in their own ASAs. This is technically "SiteD", which locally uses 192.168.168.0 for all internal hosts and remote access hosts. The local and remote access hosts need to access SiteA, SiteB, and SiteC. At this point I have this working via Hairpinning, my only problem at this point is that RemoteAccess VPNs (which are a global vpn setup)can't browse the internet or use external hosts that are not part of mysites. ~Todd -----Original Message----- From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Eric Gearhart Sent: Saturday, June 13, 2009 2:40 PM To: Firewall Wizards Security Mailing List Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels Todd - in your config this section really piqued my interest: access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66 access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248 access-list SiteB extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162 access-list SiteC extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224 access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162 access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66 access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248 access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224 It looks to me like you have each site defined in the same class C subnet, 192.168.168. Is that correct? AFAIK that won't work... you have to break out different sites into their own individual subnets. Also you only need to define interesting traffic ACLs and nonat ACLs for your inside subnets on both sides of the tunnel, not to the peer IP... here's an example that I hope illustrates things: In my example: SiteA is 192.168.10.0/24 SiteB is 192.168.20.0/24 SiteC is 192.168.30.0/24 ! So you're defining your 'SiteA to SiteB' interesting traffic here... basically you're saying 'from SiteA to SiteB encrypt this traffic': access-list SiteAtoSiteB extended permit ip 192.168.168.10 255.255.255.0 192.168.20.0 255.255.255.0 ! Here is SiteA to SiteC: access-list SiteAtoSiteC extended permit ip 192.168.168.10 255.255.255.0 192.168.30.0 255.255.255.0 ! Here the nonat statements are defined... you want to tell the ASA to not nat from SiteA's subnet to SiteB's subnet, not the peer IP address of the L2L tunnel: access-list insideNoNat extended permit ip 192.168.168.10 255.255.255.0 192.168.20.0 255.255.255.0 access-list insideNoNat extended permit ip 192.168.168.10 255.255.255.0 192.168.30.0 255.255.255.0 -- Eric http://nixwizard.net _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards ## Scanned by Delphi Technology, Inc. ## CONFIDENTIALITY NOTICEThis e-mail message from Delphi Technology, Inc. is intended only for the individual or entity to which it is addressed. This e-mail may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you received this e-mail by accident, please notify the sender immediately and destroy this e-mail and all copies of it._______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Cisco AnyConnect Remote Access to L2L tunnels Todd Simons (Jun 10)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Eric Gearhart (Jun 12)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Farrukh Haroon (Jun 12)
- Re: Cisco AnyConnect Remote Access to L2L tunnels schilling (Jun 12)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Christopher J. Wargaski (Jun 12)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Todd Simons (Jun 12)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Christopher J. Wargaski (Jun 14)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Todd Simons (Jun 14)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Eric Gearhart (Jun 14)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Todd Simons (Jun 16)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Chris Myers (Jun 19)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Eric Gearhart (Jun 19)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Todd Simons (Jun 23)
- Re: Cisco AnyConnect Remote Access to L2L tunnels Todd Simons (Jun 12)