Cisco Support Community
New Member

Configure Cisco VPN client to pass through site to site VPN (GUI)

Hi,

I must say hats off to the channel; the answers I've seen to achieve this have been great.

https://supportforums.cisco.com/discussion/12234631/cisco-asa-5505-vpn-passthrough

and

https://supportforums.cisco.com/document/12191196/anyconnect-client-site-site-destination

My question though is "can we achieve this configuration using the GUI for someone that is not command line savvy?"

Thanks

1 ACCEPTED SOLUTION
Hall of Fame Super Silver

Sure, all of that can be set up via ASDM.

Looking at the second example you posted above, they direct you first to modify:

ACL for split tunnel for the AnyConnect clients

This is in Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profile > (choose profile and select Edit) > (choose "Manage" next to Group Policy) > Edit > Advanced > Split Tunneling > Make sure policy does not say "Inherit" but rather "Tunnel Network List Below" > Unselect "Inherit" next to Network List and then "Manage". Enter your desired networks into the GUI in that dialog box. Click OK all the way back to the main ASDM window and hit Apply.

You then modify:

crypto ACL for the Site-to-Site tunnel

For that, go to Configuration > Site-to-Site VPN > Connection Profiles > (choose your profile and select Edit) > Add the VPN client address pool network to the list of local networks among the protected networks. Again, click OK all the way back to the main ASDM window and hit Apply.

Next, allowing the

ASA to redirect back out the same interface traffic that it receives

...is set under Configuration > Device Setup > Interfaces (check box at the bottom of that screen). Click Apply.

Finally, there is the NAT exemption. For that go to Configuration > Firewall > NAT Rules. Add a NAT Rule before Network Object Rules with Source Interface Outside, Source Address your VPN address pool, Destination Address to include the remote subnets, and Action is Static Source NAT type with source address and destination address remaining as original (i.e., no NAT). One last time click OK all the way back to the main ASDM window and hit Apply. Save and test.

Good luck. Please remember to rate helpful posts and mark when your question is answered.
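As an added example (not from the original post or the linked documents), here is the ASA CLI that the four ASDM steps above produce, which is also what to look for in `show running-config` after clicking Apply. All names and addresses are constructed: VPN pool 192.168.100.0/24, local LAN 10.1.1.0/24, remote site LAN 10.2.2.0/24, group policy AnyConnect-GP, and an existing crypto map entry that already references L2L_CRYPTO.

```cisco
! Step 1: split-tunnel ACL for the AnyConnect clients (constructed values)
! The remote site's LAN must be in the list, or the client sends it in clear.
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.2.0 255.255.255.0
group-policy AnyConnect-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Step 2: crypto ACL for the site-to-site tunnel, with the VPN pool added
! as a local (protected) network beside the local LAN
access-list L2L_CRYPTO extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip 192.168.100.0 255.255.255.0 10.2.2.0 255.255.255.0

! Step 3: let traffic that arrives on outside leave via outside (hairpin)
same-security-traffic permit intra-interface

! Step 4: NAT exemption, placed in section 1 (before network object rules);
! identity static NAT for pool -> remote LAN, ASA 8.3+ syntax
object network VPN_POOL
 subnet 192.168.100.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.2.2.0 255.255.255.0
nat (outside,outside) 1 source static VPN_POOL VPN_POOL destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! Check: simulate a client packet toward the remote LAN; the output should
! show the NAT exemption line above and a VPN/ENCRYPT phase, then ALLOW
packet-tracer input outside tcp 192.168.100.10 1025 10.2.2.10 445 detailed
```

The peer ASA's crypto ACL must mirror this one (its remote network list needs the 192.168.100.0/24 pool as well), otherwise phase 2 will not negotiate for that pair of networks.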

 

2 REPLIES
New Member

Thanks