Would like some general guidance in configuring 2 ASAs connected via site-to-site VPN and then have remote AnyConnect client connect to far end site.
Both ASAs are set up for site-to-site VPNs as shown on the attached diagram. Hosts on each LAN segment can ping across the site-to-site tunnel.
One of the ASAs also acts as a terminating endpoint for AnyConnect clients. Remote AnyConnect users can successfully see items on the 192.168.1.X subnet shown on the attached (and items behind the router not shown). Outside interface of the ASAs are the terminating points for all cyrpto.
Where I'm struggling is configuring the ASAs so the Remote AnyConnect users can see the 192.168.2.X network and general guidance is appreciated.
Few things: These IPs are not my production IPs and don't want to include config outputs. No routing other than static routing is configured between ASAs and any layer-3 devices. For those users in the 192.168.1.X subnet their default gateway is configured to be the Router 192.168.1.1. For those users in the 192.168.2.X network their default gateway is configured to be the ASA 192.168.2.1. Attached diagram generally shows how I'm set up and what I'd like to accomplish.
What I'm thinking I need is the following:
Static route on 192.168.2.1 ASA for 192.168.102.0/24 network to ???inside interface of 192.168.1.254???
NAT exemption on both ASAs for the remote user traffic to/from the 192.168.2.X network.
If you can comment, point me to online config examples or comments it would be appreciated.
If I understand correctly, you need to allow the AnyConnect clients (that connect to the ASA), to communicate across the IPsec tunnel to the other ASA and reach 192.168.2.x
What you should do is in the crypto ACL of the Site-to-Site tunnel include another ACE with the 192.168.102.x (which is the pool of the AnyConnect clients).
Also, on the AnyConnect split-tunneling ACL (if using split-tunneling), include the remote 192.168.2.x network).
Let';s say this is your ACL for split tunnel for the AnyConnect clients
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
So, you should also include:
access-list split permit ip 192.168.2.0 255.255.255.0 192.168.102.0 255.255.255.0
Let's say that you have this ACL as the crypto ACL for the Site-to-Site tunnel
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
So, add this line:
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.102.0 255.255.255.0
To allow the ASA to redirect back out the same interface traffic that it receives, you should add
same-security-traffic permit intra-interface
Also, check the NAT configuration to include these networks accordingly.
Hope it makes sense, let's us know any question.
I understand that the end goal is for anyconnect users to communicate over IPSec to 192.168.2.0/x subnet?
You will need:
Left hand ASA:
- routing for 102 subnet to outside (default GW IP is fine)
- net exemttion for traffic from .2 subnet to .102
- modify crypto ACLs for this tunnel to reflect traffic going from .2 subnet to .102
Right hand ASA:
- modify crypto ACLS to allow traffic from .102 to .2
- nat exemption for traffic from .102 to .2
That's about it.
edit: Not sure what happened to Federico's post....
One thing he mentioned and I forgot is the same-security-traffic permit intra-interface to allow U-turn.