Firewall Wizards mailing list archives
Re: Cisco AnyConnect Remote Access to L2L tunnels
From: "Todd Simons" <tsimons () delphi-tech com>
Date: Mon, 22 Jun 2009 20:52:44 -0400
Adding the dynamic NAT on the outside interface fixed it! Thanks!
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Eric Gearhart
Sent: Friday, June 19, 2009 7:13 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels
On Sun, Jun 14, 2009 at 7:41 AM, Todd Simons <tsimons () delphi-tech com> wrote:
Eric-
At this point I have this working via hairpinning; my only problem at this point is that remote access VPNs (which are a global VPN setup) can't browse the Internet or use external hosts that are not part of my sites.
~Todd
Todd,
Sorry about the confusion... glad to hear you have things working.
Re: the remote access clients' Internet access... you can use split
tunnels to have clients connect but only your tunnel subnets are routed
over their tunnel connection... regular internet access would go through
the clients' ISP, not over the tunnel. Is that an option?
If that's not an option, I think that you would have to set up dynamic
NAT on your outside interface and set up NAT exceptions for your internal
subnets for the RA clients to have regular Internet but still hit the
tunnel correctly... Cisco sees remote VPN clients as incoming through
the outside interface (which is annoying.. I wish they'd just set up a
virtual tunnel interface on the ASA like they do on their router VPN
tunnels....)
I haven't set this up though so I'm shooting in the dark a bit on this
one... I have split tunnels set up for my work ASA VPN and it works quite
well
--
Eric
http://nixwizard.net
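The two approaches Eric describes (dynamic NAT on the outside interface plus NAT exemption for the internal and L2L subnets, or split tunneling) in ASA 8.2-style configuration, as an added example that is not from either poster. All addresses, ACL names and the group-policy name are constructed for illustration.

```cisco
! Added example, not from the thread. Constructed addresses:
!   inside LAN 10.1.1.0/24, RA VPN pool 10.9.9.0/24, remote L2L site 10.2.2.0/24
!
! 1. Hairpinning: RA clients arrive on "outside" and their Internet traffic
!    must leave through the same interface, which the ASA blocks by default.
same-security-traffic permit intra-interface
!
! 2. Dynamic NAT for the RA pool when its traffic re-enters the outside
!    interface; this is what gives RA clients "regular Internet" access.
nat (outside) 1 10.9.9.0 255.255.255.0
global (outside) 1 interface
!
! 3. NAT exemption so RA-client traffic to the inside LAN and to the L2L
!    site keeps its pool address and therefore still matches the L2L tunnel.
access-list RA_NONAT extended permit ip 10.9.9.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list RA_NONAT extended permit ip 10.9.9.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (outside) 0 access-list RA_NONAT
!
! Matching exemption for inside hosts replying to RA clients and L2L hosts.
access-list INSIDE_NONAT extended permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0
access-list INSIDE_NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT
!
! Alternative from the same reply: split tunneling. Only the listed subnets
! ride the tunnel; Internet traffic goes out the client's own ISP and never
! touches the ASA, so steps 1-2 are not needed for that traffic.
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.2.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

The trade-off is the one the thread touches on: full tunneling with hairpin NAT keeps all client traffic subject to the ASA's inspection and logging, while split tunneling puts the client's Internet traffic outside the firewall's view.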