Firewall Wizards mailing list archives

Re: Cisco AnyConnect Remote Access to L2L tunnels


From: Eric Gearhart <eric () nixwizard net>
Date: Fri, 19 Jun 2009 16:12:59 -0700

On Sun, Jun 14, 2009 at 7:41 AM, Todd Simons <tsimons () delphi-tech com> wrote:

Eric-

At this point I have this working via Hairpinning, my only problem at
this point is that RemoteAccess VPNs (which are a global vpn setup)
can't browse the internet or use external hosts that are not part of my
sites.

~Todd


Todd,

Sorry about the confusion... glad to hear you have things working.

Re: the remote access clients' Internet access... you can use split tunnels
to have clients connect but only your tunnel subnets are routed over their
tunnel connection... regular internet access would go through the clients'
ISP, not over the tunnel. Is that an option?

If that's not an option, I think that you would have to set up dynamic NAT on
your outside interface and set up NAT exceptions for your internal subnets
for the RA clients to have regular Internet but still hit the tunnel
correctly... Cisco sees remote VPN clients as incoming through the outside
interface (which is annoying.. I wish they'd just set up a virtual tunnel
interface on the ASA like they do on their router VPN tunnels....)

I haven't set this up though so I'm shooting in the dark a bit on this
one... I have split tunnels set up for my work ASA VPN and it works quite
well.

--
Eric
http://nixwizard.net
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
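The two options Eric describes, written out as ASA configuration. This is an added illustration, not configuration from Eric, Todd or the thread, and it uses pre-8.3 ASA NAT syntax (current for 2009); the names RA_POLICY, SPLIT_TUNNEL, RA_POOL, RA_NONAT and the address ranges are assumptions chosen for the example. Option 1 is the split tunnel: only the listed site subnets are routed into the client's tunnel, so Internet traffic leaves via the client's own ISP and never touches the ASA. Option 2 keeps a full tunnel and instead hairpins client Internet traffic back out the outside interface through dynamic PAT, with a NAT exemption so traffic bound for the internal and L2L subnets still enters the tunnels unchanged.

```cisco
! ---- Option 1: split tunnel (hypothetical names) ----
! Only these site subnets are sent over the client's VPN tunnel;
! everything else (general Internet) uses the client's local ISP.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.0.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! ---- Option 2: full tunnel with hairpinned Internet access ----
! Remote-access clients arrive on the outside interface, so traffic that
! must go back out the same interface needs intra-interface permission.
same-security-traffic permit intra-interface
ip local pool RA_POOL 192.168.100.1-192.168.100.100 mask 255.255.255.0
! Exempt client traffic destined for the internal / L2L subnets from NAT
! so it still matches the tunnels' crypto ACLs.
access-list RA_NONAT extended permit ip 192.168.100.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list RA_NONAT extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (outside) 0 access-list RA_NONAT
! Everything else from the client pool is PATed to the outside interface
! address and hairpinned out to the Internet.
nat (outside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
```

With a split tunnel the client's Internet traffic bypasses the corporate firewall entirely, so the trade-off is less inspection of that traffic in exchange for lower load on the ASA and no NAT complexity; the hairpin option keeps all client traffic under the ASA's policy at the cost of doubling it across the outside link. Whichever is chosen, verify with a client that the site subnets still reach the L2L peers (the exemption ACL must list every subnet that the L2L crypto ACLs cover) before declaring it working.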