Firewall Wizards mailing list archives

Re: Cisco AnyConnect Remote Access to L2L tunnels


From: "Todd Simons" <tsimons () delphi-tech com>
Date: Mon, 22 Jun 2009 20:52:44 -0400

Adding the dynamic NAT on the outside interface fixed it!  Thanks!

 

From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of
Eric Gearhart
Sent: Friday, June 19, 2009 7:13 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels

 

On Sun, Jun 14, 2009 at 7:41 AM, Todd Simons <tsimons () delphi-tech com>
wrote:

        Eric-

        At this point I have this working via Hairpinning, my only
        problem at this point is that RemoteAccess VPNs (which are a
        global vpn setup) can't browse the internet or use external
        hosts that are not part of my sites.

        ~Todd


Todd,

Sorry about the confusion... glad to hear you have things working.

Re: the remote access clients' Internet access... you can use split
tunnels to have clients connect but only your tunnel subnets are routed
over their tunnel connection... regular internet access would go through
the clients' ISP, not over the tunnel. Is that an option?

If that's not an option, I think that you would have to set up dynamic
NAT on your outside interface and set up NAT exceptions for your internal
subnets for the RA clients to have regular Internet but still hit the
tunnel correctly... Cisco sees remote VPN clients as incoming through
the outside interface (which is annoying.. I wish they'd just set up a
virtual tunnel interface on the ASA like they do on their router VPN
tunnels....)

I haven't set this up though so I'm shooting in the dark a bit on this
one... I have split tunnels set up for my work ASA VPN and it works quite
well

--
Eric 
http://nixwizard.net


## Scanned by Delphi Technology, Inc. ##
CONFIDENTIALITY NOTICE
This e-mail message from Delphi Technology, Inc. is intended only for the individual or entity to which it is 
addressed. This e-mail may contain information that is privileged, confidential and exempt from disclosure under 
applicable law. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or 
copying of this communication is strictly prohibited. If you received this e-mail by accident, please notify the sender 
immediately and destroy this e-mail and all copies of it.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
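The two approaches Eric describes, and the dynamic-NAT fix Todd confirms, as an added ASA configuration example. This is not config from either poster; the addressing (inside LAN 10.1.0.0/16, L2L remote subnet 10.2.0.0/16, AnyConnect pool 192.168.100.0/24), the ACL and group-policy names, and the assumption of pre-8.3 nat/global syntax (current when the thread was written) are all mine.

```cisco
! Hypothetical addressing, not taken from the thread:
!   inside LAN          10.1.0.0/16        (behind the ASA)
!   L2L remote subnet   10.2.0.0/16        (far side of the site-to-site tunnel)
!   RA client pool      192.168.100.0/24   (handed to AnyConnect users)
! Syntax is pre-8.3 ASA (nat/global form), assumed to match the 2009 thread.

! --- Option 1: split tunnelling (Eric's first suggestion) ---
! Only the listed subnets ride the VPN; everything else leaves via the
! client's own ISP and never touches the ASA.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.0.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! --- Option 2: full tunnel with hairpinning (what Todd ended up with) ---
! RA traffic enters and leaves on the same (outside) interface, so
! intra-interface forwarding must be allowed explicitly.
same-security-traffic permit intra-interface

! NAT exemption: RA clients talking to the inside LAN or to the L2L subnet
! keep their pool addresses, so inside hosts and the L2L crypto ACL (which
! must also list the pool) see 192.168.100.x rather than the outside address.
access-list OUTSIDE_NONAT extended permit ip 192.168.100.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list OUTSIDE_NONAT extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (outside) 0 access-list OUTSIDE_NONAT
access-list INSIDE_NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT

! Dynamic NAT on the outside interface (the line Todd was missing): any RA
! pool traffic not exempted above is PATed to the outside address on its way
! back out. Without it, hairpinned Internet traffic leaves with a private
! source address and never gets a reply, which is the symptom in the thread.
global (outside) 1 interface
nat (outside) 1 192.168.100.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

! --- Checks ---
! Confirm the exemptions and the outside dynamic rule are both present.
show running-config nat
! With a client connected and browsing, translations for pool addresses
! should appear here; if they do not, the nat (outside) line is not matching.
show xlate | include 192.168.100
```

The choice between the two options is a security decision, not just a convenience one: with the full tunnel every client packet crosses the ASA's outside ACL and inspection, while split tunnelling leaves the client's Internet traffic uninspected and lets the client host bridge its local network and the VPN. On ASA 8.3 and later the NAT model changed, so the same intent is expressed as identity (no-NAT) rules for the pool-to-inside and pool-to-L2L pairs plus a dynamic `nat (outside,outside) source dynamic <pool-object> interface` rule rather than the nat/global lines above.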
