Friday, June 12, 2009

firewall-wizards Digest, Vol 38, Issue 4

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Cisco AnyConnect Remote Access to L2L tunnels (Eric Gearhart)
2. Re: Cisco AnyConnect Remote Access to L2L tunnels (Farrukh Haroon)
3. Re: Cisco AnyConnect Remote Access to L2L tunnels (schilling)
4. Re: Cisco AnyConnect Remote Access to L2L tunnels
(Christopher J. Wargaski)
5. Re: Cisco AnyConnect Remote Access to L2L tunnels (Todd Simons)


----------------------------------------------------------------------

Message: 1
Date: Wed, 10 Jun 2009 23:56:27 -0700
From: Eric Gearhart <eric@nixwizard.net>
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5792267e0906102356q4db2e883oc70efe11a9951b88@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252

On Wed, Jun 10, 2009 at 11:17 AM, Todd Simons <tsimons@delphi-tech.com> wrote:
> Hello All
>
> We are using the Cisco AnyConnect Client for our remote user's access, with
> a global tunnel. Internally we have a few corporate locations that are
> linked by L2L tunnels (let's call it Site A, Site B and Site C). The Remote
> Access clients who connect to Site A can't seem to use the L2L to Site B and
> Site C.
>
> Has anyone seen a document explaining how to do this?
>
> Todd Simons
>
> Lead IT Engineer

So basically, you either have to drop the VPN clients that connect
into a subnet that is already able to get across the tunnel, or add a
new subnet and set up the "interesting traffic" ACL to have your new
subnet in it on both sides of the tunnel.

Also if you add a new subnet, you'd have to add that new tunnel to
your split tunnel list, if you're doing that.

Please feel free to ask if you have questions about all this.... I'm
doing what you describe right now on my ASA at work, and it works like
a champ... at least that lets you know it is entirely possible

--
Eric
http://nixwizard.net

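The second option Eric describes, as an added worked example (this is not code from the thread and not Todd's attached config): a dedicated /24 pool for the AnyConnect clients is added as a second source in the L2L "interesting traffic" ACL on both peers, together with the two things the ASA needs before it will forward decrypted RA traffic back out the same interface it arrived on, namely the intra-interface (hairpin) permission and a NAT exemption for pool-sourced traffic. The syntax is ASA 8.0/8.2-era (NAT is written differently from 8.3 on); all names and addresses (10.1.0.0/24, 10.9.0.0/24, 10.2.0.0/24, peer 198.51.100.2, RA_POOL, L2L_SITEB, RA_GP, RA_TG) are hypothetical. ISAKMP policy, the webvpn stanza and the L2L tunnel-group are assumed to exist already, since Todd's L2L and RA VPNs each work on their own.

```cisco
! MainSite ASA (8.0/8.2 syntax, pre-8.3 NAT). Hypothetical addressing:
!   inside LAN       10.1.0.0/24
!   AnyConnect pool  10.9.0.0/24  (new subnet used only by RA clients)
!   SiteB LAN        10.2.0.0/24  behind L2L peer 198.51.100.2
ip local pool RA_POOL 10.9.0.1-10.9.0.254 mask 255.255.255.0

! RA traffic is decrypted on outside and has to be re-encrypted out of
! outside. Without this "U-turn" permission the ASA drops it silently.
same-security-traffic permit intra-interface

! Interesting traffic for the SiteB L2L. The pool line makes the ASA
! negotiate a second phase-2 SA (proxy identity) for pool -> SiteB.
access-list L2L_SITEB extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list L2L_SITEB extended permit ip 10.9.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! Existing crypto map entry for SiteB, shown so the ACL binding is visible.
crypto map OUTSIDE_MAP 10 match address L2L_SITEB
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! NAT exemption. Inside <-> pool and inside <-> SiteB are exempted on inside;
! pool -> SiteB enters on outside, so it gets its own exemption there. The
! outside line only matters if some nat (outside) policy exists, but a
! translated packet would never match the crypto ACL, so it is kept explicit.
access-list NO_NAT extended permit ip 10.1.0.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list NO_NAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
access-list OUTSIDE_NO_NAT extended permit ip 10.9.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE_NO_NAT

! AnyConnect group policy. Todd runs a global (full) tunnel; if split
! tunnelling is used instead, SiteB's prefix must be in the split list too,
! otherwise the client never sends that traffic into the tunnel at all.
access-list SPLIT_RA standard permit 10.1.0.0 255.255.255.0
access-list SPLIT_RA standard permit 10.2.0.0 255.255.255.0
group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
! split-tunnel-policy tunnelspecified
! split-tunnel-network-list value SPLIT_RA
tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP

! SiteB ASA: the mirror image, or phase 2 for the pool fails with a
! proxy-identity mismatch. The exemption is needed so SiteB's replies to
! pool addresses are not NATed on their way back into the tunnel.
access-list L2L_MAIN extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list L2L_MAIN extended permit ip 10.2.0.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list NO_NAT extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NO_NAT extended permit ip 10.2.0.0 255.255.255.0 10.9.0.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
```

Keeping the pool as a separate prefix, rather than carving it out of the inside LAN (Eric's first option), has the side benefit that the SiteB peer can write ACLs that distinguish remote-access users from MainSite hosts, and that the pool's phase-2 SA can be torn down or inspected on its own with `show crypto ipsec sa peer 198.51.100.2`.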

------------------------------

Message: 2
Date: Thu, 11 Jun 2009 11:51:50 +0300
From: Farrukh Haroon <farrukhharoon@gmail.com>
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<eff3217d0906110151r41bca08ft38a30c06d2078da4@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"

Hello Todd

Please check out this link from Cisco, it details a very similar
configuration:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Please let me know if you need any further help.

Regards

Farrukh

On Wed, Jun 10, 2009 at 9:17 PM, Todd Simons <tsimons@delphi-tech.com> wrote:

> Hello All
>
> We are using the Cisco AnyConnect Client for our remote user's access,
> with a global tunnel. Internally we have a few corporate locations that
> are linked by L2L tunnels (let's call it Site A, Site B and Site C). The
> Remote Access clients who connect to Site A can't seem to use the L2L to
> Site B and Site C.
>
> Has anyone seen a document explaining how to do this?
>
> Todd Simons
>
> Lead IT Engineer
>
> TSimons@Delphi-Tech.com
>
>
>
> Delphi Technology, Inc.
>
> 303 George Street, 5th Floor
>
> New Brunswick, NJ 08901
>
> www.delphi-tech.com
>
>
>
> Experience, Innovation... Results.
>
>
> ## Scanned by Delphi Technology, Inc. ##
>
> CONFIDENTIALITY NOTICE
> This e-mail message from Delphi Technology, Inc. is intended only for the
> individual or entity to which it is addressed. This e-mail may contain
> information that is privileged, confidential and exempt from disclosure
> under applicable law. If you are not the intended recipient, you are hereby
> notified that any dissemination, distribution or copying of this
> communication is strictly prohibited. If you received this e-mail by
> accident, please notify the sender immediately and destroy this e-mail and
> all copies of it.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20090611/75dd0fda/attachment-0001.html>

------------------------------

Message: 3
Date: Thu, 11 Jun 2009 09:54:48 -0400
From: schilling <schilling2006@gmail.com>
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<bd3771a60906110654y37b86d70k13e1640319c0ec6f@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252

I am pretty sure one of the two sessions discussed that.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Security&topicID=.ee6b2b8&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc18a4d

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Security&topicID=.ee6b2b8&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc16976

Schiling

On Wed, Jun 10, 2009 at 2:17 PM, Todd Simons <tsimons@delphi-tech.com> wrote:
> Hello All
>
> We are using the Cisco AnyConnect Client for our remote user's access, with
> a global tunnel. Internally we have a few corporate locations that are
> linked by L2L tunnels (let's call it Site A, Site B and Site C). The Remote
> Access clients who connect to Site A can't seem to use the L2L to Site B and
> Site C.
>
> Has anyone seen a document explaining how to do this?
>
> Todd Simons
>
> Lead IT Engineer


------------------------------

Message: 4
Date: Wed, 10 Jun 2009 21:15:00 -0500
From: "Christopher J. Wargaski" <wargo1@gmail.com>
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: TSimons@delphi-tech.com
Message-ID:
<17065120906101915p6c69f356t346a7a817a97c4e8@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252

Hey Todd--

A couple questions:
1) Is the ASA a peer for the L2L tunnels?
2) Are crypto maps for the L2L tunnels on the same interface as the
AnyConnect VPN?
3) Do you have the hairpin enabled?
4) Can you send a copy of the ASA configuration?

cjw

On Wed, Jun 10, 2009 at 1:17 PM, Todd Simons <tsimons@delphi-tech.com> wrote:
> Hello All
>
> We are using the Cisco AnyConnect Client for our remote user's access, with
> a global tunnel. Internally we have a few corporate locations that are
> linked by L2L tunnels (let's call it Site A, Site B and Site C). The Remote
> Access clients who connect to Site A can't seem to use the L2L to Site B and
> Site C.
>
> Has anyone seen a document explaining how to do this?
>
> Todd Simons
>
> Lead IT Engineer

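The four questions above map onto a short set of ASA exec commands; the following is an added example (not from the thread) of running those checks on the MainSite ASA, with hypothetical addressing (RA pool 10.9.0.0/24, SiteB LAN 10.2.0.0/24, SiteB peer 198.51.100.2, a client at 10.9.0.5) that matches nothing in Todd's attachment.

```cisco
! Checks on the MainSite ASA, one per question. Hypothetical addressing:
! RA pool 10.9.0.0/24, SiteB LAN 10.2.0.0/24, SiteB peer 198.51.100.2.

! 1) Is this ASA a peer for the L2L? The SiteB peer must have a crypto map
!    entry here and, while traffic flows, a phase-1 SA in state MM_ACTIVE.
show running-config crypto map
show crypto isakmp sa

! 2) Same interface? The "crypto map ... interface" line and the webvpn
!    "enable" line should both name outside.
show running-config crypto map | include interface
show running-config webvpn

! 3) Hairpin? Expect exactly "same-security-traffic permit intra-interface".
!    "permit inter-interface" is a different knob and does not help here.
show running-config same-security-traffic

! 4) Before reading a config dump, confirm the pool is in the L2L proxy
!    identity: the first command lists the connected client's pool address,
!    the second should show a "local ident" of 10.9.0.0/255.255.255.0 towards
!    10.2.0.0/255.255.255.0 with #pkts encaps rising while that client pings
!    a SiteB host. No such ident: the pool is missing from this side's crypto
!    ACL. Encaps rising but decaps stuck at zero: the mirror ACL or the NAT
!    exemption on the SiteB peer is what needs fixing.
show vpn-sessiondb svc
show crypto ipsec sa peer 198.51.100.2

! Finally, trace a client packet through ACL, NAT and route lookup while the
! AnyConnect session is up. A drop in the NAT phase is the classic symptom
! of a missing exemption for pool -> SiteB; a drop right after ingress is
! the missing intra-interface permission.
packet-tracer input outside tcp 10.9.0.5 40000 10.2.0.10 445 detailed
```

Run the `show crypto ipsec sa` check twice a few seconds apart; the absolute counters matter less than whether encaps and decaps both move, since a one-directional counter localises the fault to one side of the tunnel before anyone opens a config file.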

------------------------------

Message: 5
Date: Thu, 11 Jun 2009 08:47:14 -0400
From: "Todd Simons" <tsimons@delphi-tech.com>
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels
To: "Christopher J. Wargaski" <wargo1@gmail.com>, "Firewall Wizards
Security Mailing List" <firewall-wizards@listserv.icsalabs.com>
Message-ID:
<6BEB7C2F4C712045AA210FC242934F750819D9EE@NJ-EXCHANGE1.AD.dti>
Keywords: disclaimer
Content-Type: text/plain; charset="iso-8859-1"

Inline...

A couple questions:
1) Is the ASA a peer for the L2L tunnels?
>>Yes

2) Are crypto maps for the L2L tunnels on the same interface as the AnyConnect VPN?
>>Yes

3) Do you have the hairpin enabled?
>>I think so (lines 48/49 in attached txt)

4) Can you send a copy of the ASA configuration?
>>Attached. Note that this is not a production ASA, config is still a work in progress. This should be considered "MainSite" and SiteA, SiteB, SiteC are satellites, RA VPNs terminate here at MainSite and should give access to SiteA, SiteB and (eventually) SiteC. SiteA has 2 IPSEC Networks, the remote gateway & a /29, SiteB just has the remote gateway, Site C will just be a /27. The tunnels that use the remote gateway are actually used for ingress traffic from Sites.

Thanks

On Wed, Jun 10, 2009 at 1:17 PM, Todd Simons <tsimons@delphi-tech.com> wrote:
> Hello All
>
> We are using the Cisco AnyConnect Client for our remote user's access, with
> a global tunnel. Internally we have a few corporate locations that are
> linked by L2L tunnels (let's call it Site A, Site B and Site C). The Remote
> Access clients who connect to Site A can't seem to use the L2L to Site B and
> Site C.
>
> Has anyone seen a document explaining how to do this?
>
> Todd Simons
>
> Lead IT Engineer

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: asaRA-L2L.txt
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20090611/1c937813/attachment.txt>

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 38, Issue 4
***********************************************
