Cisco AnyConnect Remote Access to L2L tunnels


Cisco AnyConnect Remote Access to L2L tunnels

by Todd Simons-2


Hello All

We are using the Cisco AnyConnect Client for our remote users' access, with a global tunnel. Internally we have a few corporate locations that are linked by L2L tunnels (let's call them Site A, Site B and Site C). The Remote Access clients who connect to Site A can't seem to use the L2L to Site B and Site C.

Has anyone seen a document explaining how to do this?

Todd Simons
Lead IT Engineer
TSimons@...

Delphi Technology, Inc.
303 George Street, 5th Floor
New Brunswick, NJ 08901
www.delphi-tech.com

Experience, Innovation... Results.


## Scanned by Delphi Technology, Inc. ##

CONFIDENTIALITY NOTICE
This e-mail message from Delphi Technology, Inc. is intended only for the individual or entity to which it is addressed. This e-mail may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you received this e-mail by accident, please notify the sender immediately and destroy this e-mail and all copies of it.


_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Re: Cisco AnyConnect Remote Access to L2L tunnels

by Christopher J. Wargaski

Hey Todd--

   A couple questions:
1) Is the ASA a peer for the L2L tunnels?
2) Are crypto maps for the L2L tunnels on the same interface as the
AnyConnect VPN?
3) Do you have the hairpin enabled?
4) Can you send a copy of the ASA configuration?

cjw



On Wed, Jun 10, 2009 at 1:17 PM, Todd Simons<tsimons@...> wrote:


Re: Cisco AnyConnect Remote Access to L2L tunnels

by Eric G-4

On Wed, Jun 10, 2009 at 11:17 AM, Todd Simons<tsimons@...> wrote:

> Hello All
>
> We are using the Cisco AnyConnect Client for our remote user’s access, with
> a global tunnel.   Internally we have a few corporate locations that are
> linked by L2L tunnels (lets call it Site A, Site B and Site C).   The Remote
> Access clients who connect to Site A can’t seem to use the L2L to Site B and
> Site C.
>
> Has anyone seen a document explaining how to do this?
>
> Todd Simons
>
> Lead IT Engineer

So basically, you either have to drop the VPN clients that connect
into a subnet that is already able to get across the tunnel, or add a
new subnet and set up the "interesting traffic" ACL to have your new
subnet in it on both sides of the tunnel.

Also, if you add a new subnet, you'd have to add that new tunnel to
your split tunnel list, if you're doing that.

Please feel free to ask if you have questions about all this... I'm
doing what you describe right now on my ASA at work, and it works like
a champ... at least that lets you know it is entirely possible.

--
Eric
http://nixwizard.net

Re: Cisco AnyConnect Remote Access to L2L tunnels

by Farrukh Haroon

Hello Todd

Please check out this link from Cisco; it details a very similar configuration:

Please let me know if you need any further help.

Regards

Farrukh

On Wed, Jun 10, 2009 at 9:17 PM, Todd Simons <tsimons@...> wrote:


Re: Cisco AnyConnect Remote Access to L2L tunnels

by Todd Simons-2

Inline...

A couple questions:
1) Is the ASA a peer for the L2L tunnels?
>>Yes

2) Are crypto maps for the L2L tunnels on the same interface as the AnyConnect VPN?
>>Yes

3) Do you have the hairpin enabled?
>>I think so (lines 48/49 in attached txt)

4) Can you send a copy of the ASA configuration?
>>Attached. Note that this is not a production ASA; the config is still a work in progress. This should be considered "MainSite", and SiteA, SiteB and SiteC are satellites. RA VPNs terminate here at MainSite and should give access to SiteA, SiteB and (eventually) SiteC. SiteA has 2 IPSEC networks, the remote gateway and a /29; SiteB just has the remote gateway; SiteC will just be a /27. The tunnels that use the remote gateway are actually used for ingress traffic from the Sites.

Thanks



On Wed, Jun 10, 2009 at 1:17 PM, Todd Simons<tsimons@...> wrote:

asa# show run
: Saved
:
ASA Version 8.2(1)
!
hostname asa
domain-name SomeDomain.com
enable password MLadvSXcs1qpcQS3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.168.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 63.x.x.220 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time EDT-4 recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 204.117.214.10
 name-server 204.97.212.10
 domain-name somedomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248
access-list SiteB extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162
access-list SiteC extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.168.201-192.168.168.230 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list insideNoNat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 63.x.x.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 3
http server enable 2456
http 0.0.0.0 0.0.0.0 inside
http A.xxx.xxx.66.64 255.255.255.224 outside
http B.x.x.160 255.255.255.248 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set S2SVPN esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay disable
crypto map OutsideVPN 192 match address SiteA
crypto map OutsideVPN 192 set pfs
crypto map OutsideVPN 192 set peer A.x.x.66
crypto map OutsideVPN 192 set transform-set S2SVPN
crypto map OutsideVPN 192 set nat-t-disable
crypto map OutsideVPN 193 match address SiteB
crypto map OutsideVPN 193 set pfs
crypto map OutsideVPN 193 set peer B.x.x.162
crypto map OutsideVPN 193 set transform-set S2SVPN
crypto map OutsideVPN 193 set nat-t-disable
crypto map OutsideVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh A.xxx.xxx.66.64 255.255.255.224 outside
ssh B.x.x.160 255.255.255.248 outside
ssh timeout 20
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.168.221-192.168.168.229 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 69.94.125.29 source outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 192.168.168.1
 vpn-tunnel-protocol svc webvpn
 default-domain value SomeDomain.com
 address-pools value SSLClientPool
group-policy IPsecTunnels internal
group-policy IPsecTunnels attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec
 pfs enable
username tmsimons password G0y5hVQK8JjIb56Y encrypted privilege 15
username tmsimons attributes
 vpn-group-policy SSLClientPolicy
 service-type admin
tunnel-group A.x.x.66 type ipsec-l2l
tunnel-group A.x.x.66 general-attributes
 default-group-policy IPsecTunnels
tunnel-group A.x.x.66 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group B.x.x.162 type ipsec-l2l
tunnel-group B.x.x.162 general-attributes
 default-group-policy IPsecTunnels
tunnel-group B.x.x.162 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0080a5d48e560bb40191b1b8bfc77ee7
: end
asa#


Re: Cisco AnyConnect Remote Access to L2L tunnels

by schilling

I am pretty sure one of the two sessions discussed that.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Security&topicID=.ee6b2b8&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc18a4d

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Security&topicID=.ee6b2b8&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc16976

Schiling

On Wed, Jun 10, 2009 at 2:17 PM, Todd Simons<tsimons@...> wrote:


Re: Cisco AnyConnect Remote Access to L2L tunnels

by Christopher J. Wargaski

Hey Todd--

   I have not tried this before with AnyConnect VPNs; however, at one
time I think I had a similar set up with remote access IPsec VPNs and
L2L tunnels.

   OK, you have the hairpin enabled and the SSLClientPool IP block
is included in the ACL that marks interesting traffic. Good.

   Have you watched the logs when an AnyConnect client is trying to
access one of the remote L2L VPN locations? I am thinking right now
that the "crypto map OutsideVPN 192 set nat-t-disable" may be the
issue. Can you try enabling NAT-T?

cjw



On Thu, Jun 11, 2009 at 7:47 AM, Todd Simons<tsimons@...> wrote:


Re: Cisco AnyConnect Remote Access to L2L tunnels

by Todd Simons-2

I got it running (hairpin + NAT solved it), but I don't have external traffic (it's a global tunnel). For example, internal hosts to www.google.com works, but it doesn't work from a RA VPN. The RA VPNs use an IP pool of addresses in my LAN subnet.

In my logs I see the "Built inbound TCP" connection, but I never get a response.

Here are my NAT statements:
global (outside) 1 interface
nat (inside) 0 access-list insideNoNat
nat (inside) 1 0.0.0.0 0.0.0.0

The insideNoNat ACL contains our known addresses, no references to public subnets.

~Todd

-----Original Message-----
From: Christopher J. Wargaski [mailto:wargo1@...]
Sent: Friday, June 12, 2009 11:26 AM
To: Todd Simons
Cc: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels


Re: Cisco AnyConnect Remote Access to L2L tunnels

by Eric G-4

Todd - in your config this section really piqued my interest:

access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66
access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248
access-list SiteB extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162
access-list SiteC extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host B.x.x.162
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 host A.x.x.66
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.208 255.255.255.248
access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0 63.x.x.224 255.255.255.224

It looks to me like you have each site defined in the same class C
subnet, 192.168.168. Is that correct?

AFAIK that won't work... you have to break out different sites into
their own individual subnets.

Also you only need to define interesting traffic ACLs and nonat ACLs
for your inside subnets on both sides of the tunnel, not to the peer
IP... here's an example that I hope illustrates things:

In my example:
SiteA is 192.168.10.0/24
SiteB is 192.168.20.0/24
SiteC is 192.168.30.0/24

! So you're defining your 'SiteA to SiteB' interesting traffic here...
! basically you're saying 'from SiteA to SiteB encrypt this traffic':
access-list SiteAtoSiteB extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! Here is SiteA to SiteC:
access-list SiteAtoSiteC extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

! Here the nonat statements are defined... you want to tell the ASA to
! not nat from SiteA's subnet to SiteB's subnet, not the peer IP
! address of the L2L tunnel:
access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

--
Eric
http://nixwizard.net

Re: Cisco AnyConnect Remote Access to L2L tunnels

by Todd Simons-2

Eric-

This ASA doesn't handle connecting SiteA to SiteB or SiteC, they have
their own connections in their own ASAs.

This is technically "SiteD", which locally uses 192.168.168.0 for all
internal hosts and remote access hosts.  The local and remote access
hosts need to access SiteA, SiteB, and SiteC.

At this point I have this working via Hairpinning, my only problem at
this point is that RemoteAccess VPNs (which are a global vpn setup)
can't browse the internet or use external hosts that are not part of my
sites.

~Todd

-----Original Message-----
From: firewall-wizards-bounces@...
[mailto:firewall-wizards-bounces@...] On Behalf Of
Eric Gearhart
Sent: Saturday, June 13, 2009 2:40 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels


Re: Cisco AnyConnect Remote Access to L2L tunnels

by Chris Myers-3

You might play around with intra vs. inter interface, because they may
not go to the internet because they are going back out the same
interface they came in. This would create a spoofing incident. It may
not be seen in the logs. Cisco is synonymous with dropping things
silently.


Chris Myers
clmmacunix@...

John 1:17
For the Law was given through Moses; grace and truth were realized  
through Jesus Christ.




    Go Vols!!!!

On Jun 14, 2009, at 9:41 AM, Todd Simons wrote:

> Eric-
>
> This ASA doesn't handle connecting SiteA to SiteB or SiteC, they have
> their own connections in their own ASAs.
>
> This is technically "SiteD", which locally uses 192.168.168.0 for all
> internal hosts and remote access hosts.  The local and remote access
> hosts need to access SiteA, SiteB, and SiteC.
>
> At this point I have this working via Hairpinning, my only problem at
> this point is that RemoteAccess VPNs (which are a global vpn setup)
> can't browse the internet or use external hosts that are not part of  
> my
> sites.
>
> ~Todd
>
> -----Original Message-----
> From: firewall-wizards-bounces@...
> [mailto:firewall-wizards-bounces@...] On Behalf Of
> Eric Gearhart
> Sent: Saturday, June 13, 2009 2:40 PM
> To: Firewall Wizards Security Mailing List
> Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels
>
> Todd - in your config this section really piqued my interest:
>
> access-list SiteA extended permit ip 192.168.168.0 255.255.255.0 host
> A.x.x.66
> access-list SiteA extended permit ip 192.168.168.0 255.255.255.0
> 63.x.x.208 255.255.255.248
> access-list SiteB extended permit ip 192.168.168.0 255.255.255.0 host
> B.x.x.162
> access-list SiteC extended permit ip 192.168.168.0 255.255.255.0
> 63.x.x.224 255.255.255.224
> access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0
> host B.x.x.162
> access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0
> host A.x.x.66
> access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0
> 63.x.x.208 255.255.255.248
> access-list insideNoNat extended permit ip 192.168.168.0 255.255.255.0
> 63.x.x.224 255.255.255.224
>
> It looks to me like you have each site defined in the same class C
> subnet, 192.168.168. Is that correct?
>
> AFAIK that won't work... you have to break out different sites into
> their own individual subnets.
>
> Also you only need to define interesting traffic ACLs and nonat ACLs
> for your inside subnets on both sides of the tunnel, not to the peer
> IP... here's an example that I hope illustrates things:
>
> In my example:
> SiteA is 192.168.10.0/24
> SiteB is 192.168.20.0/24
> SiteC is 192.168.30.0/24
>
> ! So you're defining your 'SiteA to SiteB' interesting traffic here...
> basically you're saying 'from SiteA to SiteB encrypt this traffic':
> access-list SiteAtoSiteB extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
>
> ! Here is SiteA to SiteC:
> access-list SiteAtoSiteC extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
>
> ! Here the nonat statements are defined... you want to tell the ASA to
> not nat from SiteA's subnet to SiteB's subnet, not the peer IP
> address of the L2L tunnel:
> access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
> access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
>
> --
> Eric
> http://nixwizard.net



Re: Cisco AnyConnect Remote Access to L2L tunnels

by Eric G-4


On Sun, Jun 14, 2009 at 7:41 AM, Todd Simons <tsimons@...> wrote:
Eric-

At this point I have this working via Hairpinning, my only problem at
this point is that RemoteAccess VPNs (which are a global vpn setup)
can't browse the internet or use external hosts that are not part of my
sites.

~Todd

Todd,

Sorry about the confusion... glad to hear you have things working.

Re: the remote access clients' Internet access... you can use split tunnels to have clients connect but only your tunnel subnets are routed over their tunnel connection... regular Internet access would go through the clients' ISP, not over the tunnel. Is that an option?

If that's not an option, I think that you would have to set up dynamic NAT on your outside interface and set up NAT exceptions for your internal subnets for the RA clients to have regular Internet but still hit the tunnel correctly... Cisco sees remote VPN clients as incoming through the outside interface (which is annoying... I wish they'd just set up a virtual tunnel interface on the ASA like they do on their router VPN tunnels...)

I haven't set this up though, so I'm shooting in the dark a bit on this one... I have split tunnels set up for my work ASA VPN and it works quite well.

--
Eric
http://nixwizard.net

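An added configuration example, not from the thread's authors, that pulls together Eric's ACL advice and the hairpin/dynamic-NAT fix Todd ended up using, written for the hub ASA at Site A in pre-8.3 syntax (the `nat`/`global` model this thread's config uses). The site subnets follow Eric's example; the AnyConnect pool 192.168.100.0/24, the names RA_POOL, RA_POLICY, outsideNoNat and SPLIT_TUNNEL, and NAT id 1 are assumptions, and the crypto map entries that match the SiteAtoSiteB/SiteAtoSiteC ACLs are assumed to already exist.

```cisco
! Constructed addressing (assumed): Site A hub 192.168.10.0/24,
! Site B 192.168.20.0/24, Site C 192.168.30.0/24,
! AnyConnect address pool 192.168.100.0/24 (pool name RA_POOL is assumed).
ip local pool RA_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! Hairpinning: RA traffic enters on 'outside' and must leave via 'outside'
! again, both to reach the L2L tunnels to B/C and for full-tunnel Internet.
same-security-traffic permit intra-interface

! Interesting traffic for the L2L tunnels: the site subnets AND the RA pool,
! never the peer IPs. Site B and Site C need the mirror-image entries,
! otherwise return traffic to the pool is never encrypted.
access-list SiteAtoSiteB extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list SiteAtoSiteB extended permit ip 192.168.100.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list SiteAtoSiteC extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list SiteAtoSiteC extended permit ip 192.168.100.0 255.255.255.0 192.168.30.0 255.255.255.0

! NAT exemption on the inside: local subnet <-> remote sites and <-> RA pool.
access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list insideNoNat extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list insideNoNat

! NAT exemption on the outside for hairpinned pool <-> remote-site traffic,
! so it matches the crypto ACLs above untranslated (outsideNoNat is assumed).
access-list outsideNoNat extended permit ip 192.168.100.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outsideNoNat extended permit ip 192.168.100.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (outside) 0 access-list outsideNoNat

! Dynamic PAT for everything else sourced from the pool: this is the
! "dynamic NAT on the outside interface" that gave full-tunnel clients Internet.
nat (outside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface

! Alternative to hairpinned Internet: split-tunnel only the three site
! subnets, so client Internet traffic stays with the client's ISP.
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.20.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.30.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

After a client connects and sends traffic to Site B, `show crypto ipsec sa` on the hub should list a security association whose selectors are 192.168.100.0/24 to 192.168.20.0/24; if only the 192.168.10.0/24 pair appears, the pool is missing from one side's crypto or nonat ACL.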

Re: Cisco AnyConnect Remote Access to L2L tunnels

by Todd Simons-2



Adding the dynamic NAT on the outside interface fixed it!  Thanks!

 
