Cisco Support Community

Anyconnect via site to site from a 2nd firewall

Hi

Wonder if someone can shed some light.

Have the following

SITE A                                                                        SITE B

FW1 network 192.168.0.1 255.255.255.0 with Cisco VPN client (172.100.200.x/24) --(site to site VPN tunnel)-- FW1 network 192.168.1.x 255.255.255.0

FW2 network 192.168.0.2 255.255.255.0 with AnyConnect clients (172.100.100.x/24)

What I need to accomplish is to get the Anyconnect clients to see the SITE B network when connecting via the Anyconnect client from outside the network.

Got the Cisco VPN client working after a day messing around with the access-lists, no-NATs and the same-security-traffic command.

Also tried adding routes on both firewalls but got an error about asymmetric routing.

Wonder if it will even be possible to get the Anyconnect clients to access the network in site B when connected to a 2nd firewall while the site to site vpn is setup on the 1st.

Hope someone can show me the light at the end of the tunnel.

1 ACCEPTED SOLUTION

Re: Anyconnect via site to site from a 2nd firewall

On SiteA

access-list nonat-outside extended permit ip 172.100.200.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat-outside extended permit ip 192.168.1.0 255.255.255.0 172.100.200.0 255.255.255.0

nat (outside) 0 access-list nonat-outside

Also please be sure to include these in the crypto ACL between SiteA and SiteB.

access-list outside_1_cryptomap extended permit ip 172.100.200.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.100.200.0 255.255.255.0

Now on your SiteB

Also please be sure to include this in the crypto ACL between SiteA and SiteB.

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.100.200.0 255.255.255.0

Let me know if this helps.

thanks

Message was edited by: Rizwan Mohamed
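The answer above boils down to three statements: a NAT exemption on Site A for pool-to-remote-LAN traffic, a matching crypto ACE on Site A, and its exact mirror on Site B (the proxy identities offered by both peers must be mirror images, or Phase 2 fails). The following is an added example, not part of the thread or of any Cisco tool: a small Python checker that parses pre-8.3 ASA `access-list ... extended permit ip <addr> <mask> <addr> <mask>` and `nat (<if>) 0 access-list <name>` lines (only that address form; `host`, `any` and object names are assumed out of scope), then reports whether the three pieces are present and which crypto ACEs lack a mirror on the other side. The embedded sample configs are constructed from the lines in the accepted answer.

```python
import ipaddress
import re

# Constructed sample: the pre-8.3 ASA lines from the accepted answer above, Site A then Site B.
SITE_A = """
access-list nonat-outside extended permit ip 172.100.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat-outside extended permit ip 192.168.1.0 255.255.255.0 172.100.200.0 255.255.255.0
nat (outside) 0 access-list nonat-outside
access-list outside_1_cryptomap extended permit ip 172.100.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.100.200.0 255.255.255.0
"""
SITE_B = "access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.100.200.0 255.255.255.0"

# Only the 'addr mask' ACE form is parsed (assumption); 'host', 'any' and objects are ignored.
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def parse_acl(config, name):
    """Set of (src, dst) networks found in the ACL called `name`."""
    hits = (ACE_RE.match(l.strip()) for l in config.strip().splitlines())
    return {(ipaddress.ip_network(f"{m[2]}/{m[3]}"), ipaddress.ip_network(f"{m[4]}/{m[5]}"))
            for m in hits if m and m[1] == name}

def nat_exempt_acl(config, interface):
    """Name of the ACL bound by 'nat (<interface>) 0 access-list <name>', or None if unbound."""
    hits = (NAT0_RE.match(l.strip()) for l in config.strip().splitlines())
    return next((m[2] for m in hits if m and m[1] == interface), None)

def covered(pairs, src, dst):
    """True if some ACE covers src->dst; a broader pre-existing entry also counts."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)

def unmirrored(local, remote):
    """Crypto ACEs in `local` with no exact mirror (dst, src) in `remote`: proxy-ID mismatch risk."""
    return {(s, d) for s, d in local if (d, s) not in remote}

def check_pool_over_tunnel(site_a, site_b, pool, remote_lan, crypto_acl="outside_1_cryptomap"):
    """The three things the answer adds: NAT exemption on Site A, mirrored crypto ACEs on both ends."""
    pool, remote_lan = ipaddress.ip_network(pool), ipaddress.ip_network(remote_lan)
    nonat = parse_acl(site_a, nat_exempt_acl(site_a, "outside") or "")  # empty set if not bound
    crypto_a, crypto_b = parse_acl(site_a, crypto_acl), parse_acl(site_b, crypto_acl)
    return {
        "site_a_nat_exempt": covered(nonat, pool, remote_lan),
        "site_a_crypto": covered(crypto_a, pool, remote_lan),
        "site_b_crypto": covered(crypto_b, remote_lan, pool),
        "unmirrored_a": unmirrored(crypto_a, crypto_b),
        "unmirrored_b": unmirrored(crypto_b, crypto_a),
    }

if __name__ == "__main__":
    print(check_pool_over_tunnel(SITE_A, SITE_B, "172.100.200.0/24", "192.168.1.0/24"))
```

On the answer's lines all three required checks pass; the only finding is Site A's reverse entry (192.168.1.0/24 to 172.100.200.0/24), which has no mirror at Site B and never matches outbound traffic there, so it is reported but not fatal.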

5 REPLIES

Anyconnect via site to site from a 2nd firewall

Hello,

I would be more than glad to help but I cannot understand your deployment, can you share a diagram.

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com


Anyconnect via site to site from a 2nd firewall

Hi Rizwan

Thank you for your reply.

Was not 100% sure what needed to be added to the no-NAT and access-lists.

Got this working. But what I need to add is tunnelling all traffic to the firewall the VPN is connected to, so internet traffic goes via the FW public IP.

Will this be possible as well?


Anyconnect via site to site from a 2nd firewall

Hi

Followed the instructions on:

https://supportforums.cisco.com/docs/DOC-11640

These helped me sort out the VPN U-turn, as this guy called it.

Anyconnect via site to site from a 2nd firewall

"But what I need to add is tunnelling all traffic to the firewall the VPN is connected to, so internet traffic goes via the FW public IP."

Try this...

nat (outside) 1 172.100.200.0 255.255.255.0

nat (outside) 1 172.100.100.0 255.255.255.0

The highlighted "1" in the two statements above must correspond with your outside global command, which means that if your global outside index number is 99, then the highlighted "1" must be replaced with 99.

I am sorry for the late reply.  For some reason, I do not receive email alerts for any thread any longer from Cisco Support Community.

I do this as a labor of love, I hope you can understand.

thanks

Rizwan Rafeek
