ASA Anyconnect with PBR

Hello

We have a customer who upgraded his ASA to version 9.5.1 and now wants to use PBR for users connected via AnyConnect.
Today the ASA is configured with an ACL filter so that only the local networks are allowed in the tunnel.
We tried to use PBR in order to send all traffic through the tunnel and then on to another device on the LAN side (breakout).

AnyConnect network: 172.18.18.0/24
LAN network: 172.18.16.0/24
Default gateway to use for the AnyConnect clients: 172.18.16.202

A standard ACL matching traffic from 172.18.18.0 was created, along with a route-map whose next-hop is 172.18.16.202, and it was applied to the outside interface.

Gateway 172.18.16.202 knows that network 172.18.18.0/24 is behind the ASA (static route).

Is my understanding correct? I configured it as described above, but it did not work.

Kind regards

Regis

Hi Regis,

If you want to send all AnyConnect traffic to a specific host on the LAN side (next hop), you can use the 'tunneled route' function instead of PBR.

More information below:

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/112182-SSL-TDG-config-example-00.html

It may be useful

-Randy-
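The tunneled default gateway Randy points to, written out for the addresses given in the question. This is an added example, not part of Randy's reply or the linked document; the interface name "inside" and the group-policy name ANYCONNECT_GP are assumptions.

```text
! Assumed names: interface "inside" faces the 172.18.16.0/24 LAN,
! group-policy ANYCONNECT_GP is the policy the AnyConnect users land in.

! 1. Force all client traffic into the tunnel (no split tunneling),
!    otherwise Internet-bound traffic never reaches the ASA at all.
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelall

! 2. Tunneled default route: it is consulted only for traffic that was
!    decrypted from a VPN tunnel (here the 172.18.18.0/24 clients).
!    Traffic arriving on other interfaces keeps the regular default route,
!    so the LAN breakout box 172.18.16.202 sees only VPN traffic.
!    Only one tunneled route is allowed and it must be the default route.
route inside 0.0.0.0 0.0.0.0 172.18.16.202 tunneled

! 3. Return path: the question states 172.18.16.202 already has a static
!    route for 172.18.18.0/24 pointing back at the ASA. Without it the
!    outbound path works but every reply is dropped at the gateway.

! Verification: the tunneled route appears in the routing table, and the
! client session shows the tunnel-all policy in effect.
show route
show vpn-sessiondb anyconnect
```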

Tags: Cisco Security

Similar Questions

  • ASA - AnyConnect is not activated after reload.

    Hello

    Every time my ASA is reloaded, AnyConnect is not enabled.

    It must be enabled manually.

    I have an ASA 5510 with version 8.4.2.

    So you are saying that after you reload, you have a different configuration than before?

    You can do a file compare of the configs before and after the reboot and see which line is missing, if that is the case.

  • AnyConnect with hostscan configuration

    Hello Experts

    Could someone please send me the configuration details for "AnyConnect with hostscan" on a Cisco ASA 5545-X series firewall.

    I would really appreciate your response as soon as possible.

    This is covered in the section "Configuring AnyConnect Hostscan" of the ASA Configuration Guide.

    Also, please see the AnyConnect Admin Guide section "Host Scan and Posture Module Configuration".

  • AnyConnect with IKEv2

    Hello all

    I have configured AnyConnect with IKEv2 only, no web launch, and SSL is also turned off.

    I downloaded the anyconnect-win-3.1.05160-k9.pkg to the PC.

    I tried to connect but no luck.

    Is it designed to work this way?

    Regards

    Mahesh

    Yes - that's a way to do it.

    The profile .xml is a simple (but critical) very small file that you can copy manually from the ASA to your PC, as well as via the automatic method, which, as noted, requires client services over SSL on the ASA. If you have the correct .xml file (it should specify IPsec as the transport) and the AnyConnect client software on the PC, you don't need client services over SSL on the ASA.

    If you use the manual method, any future profile update must also be distributed manually.

  • AnyConnect with IPsec IKEv2 certificate requirement

    Hello all

    We are implementing AnyConnect with IKEv2.

    I need to know if I can do this without a valid CA certificate?

    Will this work with an ASA self-signed certificate?

    Regards

    Mahesh

    Mahesh,

    SSL is used only for a few initial steps ("client services", such as downloading the AnyConnect package and the profile.xml file) in an IPsec IKEv2 remote access VPN.

    As with the more familiar SSL VPN, you can use a self-signed certificate on the ASA in conjunction with IKEv2.

    Your clients will have to either click past the untrusted server warning every time, or else install the ASA's self-signed certificate in their trusted root CA store. With a certificate issued by a public CA they won't have to do either of those things.

    There are a few excellent documents elsewhere here on CSC that you can reference in your deployment. Here are the links to them:

    Reference #1

    Reference #2

  • ASA, Anyconnect and DMZ

    Hello

    I have a little problem with my config on the ASA.

    The ASA is set up to allow AnyConnect with local users.

    But after I added the following NAT statement and ACL on the outside, I can no longer connect with AnyConnect.

    nat (DMZ,OUTSIDE) source static HOST_DMZ-NAS-FTP interface

    access-list OUTSIDE_access_in extended permit tcp any object HOST_DMZ-NAS-FTP eq ftp

    How can I make it work again?

    Hello

    You have an overriding NAT configuration.

    We should see a UN-NAT phase at the beginning, before any other phase such as ACCESS-LIST.

    You probably have a dynamic PAT configuration for the DMZ in Section 1 Manual NAT, which is the origin of the problems.

    Because you cannot share the configuration, I can't really do anything else than try to give an alternative configuration, which should make it work, but it is not the ideal configuration as your dynamic PAT rule shouldn't have such priority anyway. That is, if I'm right in my guess about the problem above.

    Remove the Auto NAT / Network Object NAT as I suggested:

    object network HOST_DMZ-NAS-FTP
     no nat (DMZ,OUTSIDE) static interface service tcp 21 21

    Note that we still leave the "host" under the "object" statement. We only remove the "nat" command.

    Then you must add these:

    object service FTP
     service tcp source eq 21

    nat (DMZ,OUTSIDE) 1 source static HOST_DMZ-NAS-FTP interface service FTP FTP

    Then try again.

    -Jouni

  • AnyConnect with certificate and without MS Certificate Server

    Hello community.

    Is it possible to use AnyConnect with a certificate, but without an MS Certificate Server?
    I am thinking of a certificate installed on the ASA and a certificate installed on the laptop or mobile client side. With the client's certificate it is able to connect.
    I heard that if you use a certificate for AnyConnect, the ASA does not ask for login credentials; AnyConnect can connect without credentials. I don't like this behavior.
    Is it possible to use the certificate and have the ASA still ask for credentials?

    Thanks in advance

    Sent from Cisco Technical Support iPhone App

    Yes to both:
    - a 3rd party CA can issue certificates for the ASA and clients
    - you can use hybrid authentication to use certificates and passwords (one-time or static)

    Sent from Cisco Technical Support Android app

  • Does CS-MARS support ASA 5500 with version 8.4?

    Dear all,

    My MARS is not able to discover Cisco ASA 5550 devices with the latest software; is it compatible with CS-MARS...

    Thanks in advance...

    Selva

    After some googling I found that it is not supported...

    For more information, see the link below

    http://www.Cisco.com/en/us/docs/security/security_management/CS-Mars/6.1/compatibility/local_controller/dtlc6x.html#wp85319

    HTH,

    GKP

  • AnyConnect with ISA500

    To use VPN with the ISA500, is there no extra cost for the AnyConnect client or any license required?

    Hello Alan,

    The ISA500 series comes with a 1 or 3 year security services license. This license allows you to use AnyConnect with the ISA. There is no additional cost to you, as all ISA500s are sold with this license. Don't forget, if you buy the 1 year product, you will have to renew the license in a year.

    TIP: the ISA has the VPN client available on the quick start disk, so make sure you don't throw it out.

  • ASA EzVPN with several remote subnets

    Hello all

    I have the challenge of an EasyVPN installation based on an ASA 5520 and an ASA 5505 (with the ASA 5505 as the VPN client), with several networks behind the ASA 5505.

    Access from the network directly connected to the 5505 to the central site works very well.

    But the second network segment (which is behind a router on the directly connected network) cannot connect to the central site.

    I guess I need to specify some sort of ACLs to be able to do that.

    BTW we do not use split tunneling, because all traffic goes through the tunnel (no local internet access).

    The layout looks like this:

    (--LAN--)-5520---5505-(--LAN1--)-ROUTER-(--LAN2--)-(WAN)-

    LAN1 to LAN connectivity works great through the EzVPN tunnel.

    LAN2 to LAN connectivity does not work through the EzVPN tunnel.

    Here is the configuration used so far (apart from the normal NAT exemption, object groups and ISAKMP/crypto stuff):

    Client:

    vpnclient server 10.x.x.x
    vpnclient mode network-extension-mode
    vpnclient vpngroup EzVPN password *
    vpnclient username user1 password *
    vpnclient enable
    crypto ipsec df-bit clear-df outside

    Server:

    group-policy EzVPN internal
    group-policy EzVPN attributes
     nem enable
     password-storage enable
    tunnel-group EzVPN type ipsec-ra
    tunnel-group EzVPN general-attributes
     default-group-policy EzVPN
    tunnel-group EzVPN ipsec-attributes
     pre-shared-key *
    username user1 password *

    I hope you can help

    Best regards

    Jarle

    Unfortunately, it is not supported on the ASA platform. With EasyVPN on the ASA, only the directly connected networks can be advertised. To accomplish what you want, you need to configure a static IPsec tunnel and advertise the local networks via the interesting-traffic ACL. You can also use an IOS device, which does have the "multiple subnet" capability with EasyVPN.

    http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rem.html#wp1098057

  • ASA 5510 with AIP SSM-10

    I'm new to network administration and our company has an ASA 5510 with an AIP SSM-10 card. In the ASA interface, when I try to load Intrusion Detection, it says the following:

    "For IPS 5.1(1)S205.0, use the link below to access the IPS Device Manager. (If the SSM management IP address or the port is translated, replace them accordingly in the URL below.) IPS 6.0.1 or above will be fully integrated with ASDM."

    Unfortunately, no URL is displayed below this message and there is no documentation in the company covering this configuration. Is there a way to reset the AIP without resetting the ASA? How can I find the IP address to be able to configure it?

    From the ASA CLI you can check the IP address of the AIP module:

    show module details

    It will show you the management IP address of the module, and you can then browse via https to that IP address from your PC.

  • AnyConnect with several connection profiles and a drop-down menu

    Hello all

    I configured AnyConnect with two connection profiles and group policies.

    The connection profiles and group policies have the same host name, say xyz.com.

    I need to know which configuration I should do so that when I connect it shows the connection profiles to choose from in the drop-down menu under the Group option?

    Regards

    Mahesh

    Mahesh,

    When you build the connection profile on the ASA there is an entry in the Advanced section for "Group Alias/Group URL". Fill in the names you want and enable them. You should then see the two selections in the AnyConnect profile drop-down list.

    In the CLI, it looks something like:

    tunnel-group Group1 webvpn-attributes
     group-alias Group1 enable

    tunnel-group group2 webvpn-attributes
     group-alias group2 enable

  • Unable to connect to ASA 5505 with AnyConnect after upgrade to 8.2

    I just bought an AnyConnect Essentials VPN license for my ASA 5505.  I had to upgrade the ASA to 8.2.

    Now that I have upgraded and installed the license, the AnyConnect client no longer connects.  It gives the following error: "failed to process the response".

    Any help you can provide would be appreciated.  I am happy to provide any configuration information that might be useful if you can give me the CLI commands you want me to run.

    Looks like it doesn't like them either; you can change the encryption algorithms so they are 'not' included in your policy:

    ssl encryption 3des-sha1 aes128-sha1 aes256-sha1

    In general it is not very secure anyway, and the encryption choice above will give you the best encryption policy.

    Hope that helps.

  • Does changing the ID cert on the ASA impact AnyConnect sessions?

    Hello all - I should probably know the answer to this, however I'm not 100% sure.

    If I change the ID cert (trust point) of the outside interface to use a "newer" certificate while there are AnyConnect clients connected, will the sessions end?

    I believe the answer is yes, since the keys will change.

    Any help is appreciated!

    Thank you!

    Hello

    It does not disconnect users, because the main purpose of using the cert in the first place, other than identity, is to securely distribute the symmetric session key. Once this is done, the cert's work is done.

    I did a quick test on my end.

    I connected a client to the ASA using certificates. Here are the results:

    ASA-32-25# sh run all ssl
    ssl server-version any
    ssl client-version any
    ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5 rc4-sha1
    ssl trust-point SSL outside   <-- this is the certificate applied on outside
    ssl certificate-authentication fca-timeout 2

    Now I connected my client and it connected successfully:

    ASA-32-25(config)# show vpn-sessiondb

    Session Type: AnyConnect

    Username     : anyconnect             Index        : 50
    Assigned IP  : x.x.x.x                Public IP    : 192.168.10.2
    Protocol     : AnyConnect-Parent SSL-Tunnel
    License      : AnyConnect Premium
    Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)3DES
    Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1
    Bytes Tx     : 11488                  Bytes Rx     : 1351
    Group Policy : GroupPolicy_Test       Tunnel Group : Test
    Login Time   : 12:24:15 EDT Thu Apr 17 2014
    Duration     : 0h:00m:04s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none

    I then removed the certificate from the outside interface.

    ASA-32-25(config)# no ssl trust-point SSL outside

    And when I checked the status of the connected client, I saw that it was still logged in:

    ASA-32-25(config)# show vpn-sessiondb

    Session Type: AnyConnect

    Username     : anyconnect             Index        : 50
    Assigned IP  : x.x.x.x                Public IP    : 192.168.10.2
    Protocol     : AnyConnect-Parent SSL-Tunnel
    License      : AnyConnect Premium
    Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)3DES
    Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1
    Bytes Tx     : 11488                  Bytes Rx     : 1351
    Group Policy : GroupPolicy_Test       Tunnel Group : Test
    Login Time   : 12:24:15 EDT Thu Apr 17 2014
    Duration     : 0h:00m:12s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none

    The conclusion therefore is that users will not be cut off if you change the certificate on the outside interface.

    Hope that answers your question.

    Vishnu

  • AnyConnect question with Cisco ASA 5505

    I keep hitting my head against the wall on this one. Whenever I try to connect to the AnyConnect SSL VPN I get the following error:

    "No address available for SVC connection"

    Up and down, I have checked that my VPN pool is present and assigned. I have removed/re-added it so many times. I used ASDM to implement it through the wizard. Any help please?

    Here is my config

    http://pastebin.com/ABvSpzUq

    It seems that you are falling into the default group policy.  You must enable tunnel-group-list under webvpn, which allows users to select the group they connect to, or set the user attributes to force the user into the correct connection profile...

    Enabling tunnel-group-list:

    webvpn
     tunnel-group-list enable

    Configuring the user attributes:

    username Chris password mXB.dKavHoEa0gaC encrypted
    username Chris attributes
     vpn-group-policy HBNS_AnyConnect
     group-lock value HBNS_AnyConnect
     service-type remote-access

    --

    Please do not forget to rate and choose a correct answer
