Cisco ASA Anyconnect Remote Access VPN

Hello Pavan

As stated in the lesson:

By default all traffic will be sent through the tunnel once the remote user is connected.

In order to achieve what you need, simply don’t include the split-tunnel-policy and split-tunnel-network-list configuration.

I hope this has been helpful!

Laz

Hello, I have an IPSEC VPN tunnel from my ASA to a Juniper Firewall. Through a NAT Rule I was able to configure Anyconnect clients that come into the ASA to then hairpin and go through the IPSEC tunnel to access a website that is on the local lan of the Juniper. I would like to accomplish the same task but for CLIENTLESS SSL VPN users. I have created an HTTP bookmark with the website that sits on the Juniper Local Lan but cannot figure out how to make it go through the IPSEC Tunnel. HELP!

Hello Constantine

There are a few things that you may want to check to begin your troubleshooting process for this issue. First of all, make sure you are using the same-security-traffic permit intra-interface command. This command allows traffic to enter and exit the same interface, which is normally not allowed.

Secondly, in your description, I’m not sure hairpinning is actually necessary. Are you sure you’re using the right terminology? The following lesson is an example of hairpinning.

In your case, it looks like a site-to-site communication.

Finally, make sure that the ACL for the IPSec site-to-site tunnel permits the subnet of the SSL VPN users.

These are just some thoughts that will hopefully help you in your troubleshooting. Let us know how you get along!

I hope this has been helpful!

Laz

Thank You for the reply.
I do have the same-security-traffic permit intra-interface enabled on the ASA and I have added the Outside IP address of the ASA to the Crypto ACL on both the ASA and the Juniper. I think I'm just missing how to get traffic going through the tunnel. Do I have to create a NAT rule for the ASA outside interface, or is this much simpler and I'm just overthinking it?
Thank You!

Hello Constantine

I believe it may be simpler than the way you are thinking about it. If I understood correctly, you are looking at a site-to-site VPN. You don’t need NAT anywhere in such a configuration, you would only need it if you were indeed hairpinning as mentioned in the previous post.

Remember, if you are using NAT on the ASA for your other traffic, say to the Internet, then you may need a NAT rule so that traffic going through the VPN DOESN’T get NATted. Also, make sure the ACL for the IPSec tunnel permits the subnet of the SSL VPN users.

If you’re still having trouble, it would be helpful if you shared some more details of your configuration.

I hope this has been helpful!

Laz

Thanks so much for the reply. Here is what my current set up is.
ALL Clientless SSL VPN users come in from the 192.168.1.X network and they are connecting to the ASA on 192.168.1.100. Private spaces because it's a lab environment. On the ASA the outside interface (192.168.1.100) is also being used to establish a site-to-site tunnel with a Juniper Firewall (192.168.1.240). I have built an IIS server with a test page that resides on the 10.10.10.x network. What I would like to understand/get working is: when a clientless SSL user connects to 192.168.1.100 via a web browser, they get the Cisco Clientless SSL VPN page that has an HTTP bookmark pointing to the 10.10.10.x IIS server test web page; how do I make that work? I think I am having a difficult time understanding how the clientless SSL VPN traffic works once connected, in order to make it traverse the IPSEC tunnel. Please let me know if that doesn't make sense or if you need additional details such as the ASA or Juniper config.
Thank You!!

Hello Constantine

Thanks for the clarification. Just one thing that’s not clear. Where is the 10.10.10.X network? I suspect that it is somewhere behind the Juniper device. If this is the case, can you confirm?

If that is indeed what you would like to do, then that means that SSL clients are to connect to the ASA and then be routed out of the same interface via the site-to-site tunnel to reach your test page on your web server, which is behind the Juniper device.

Let me know if that’s correct so we can take a look at it technically…

Thanks!

Laz

Good Evening,
Sorry for the late reply. You are correct. The 10.10.10.x network is the local network behind the Juniper firewall.
Thanks so much.
Constantine

Hello Constantine

This does seem to be failing due to some security feature of the ASA. Because your arrangement is quite specialized, I would suggest using some of ASA’s packet drop troubleshooting features to see where the packets are being dropped and for what reason. Take a look at this lesson which will help you to set that up.

I suggest you start with using the Packet Tracer feature. This will allow you to see what actions the ASA applies to a packet and why. Once you do that you should be in a position to understand the reasons for the dropped packets, and how to resolve the issue.

Feel free to share your results with us so that we can continue to help you in the troubleshooting process.

I hope this has been helpful!

Laz
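The pieces Laz lists in the two replies above (same-security intra-interface traffic, a NAT rule so VPN traffic is not translated, a crypto ACL that covers the VPN users, and Packet Tracer to find the drop) can be pulled together into one worked configuration. The following is an added example, not configuration from this thread or from Cisco documentation, written for the full-tunnel AnyConnect case Constantine described as already working. It assumes ASA 8.3 or later NAT syntax, a hypothetical AnyConnect address pool of 10.20.20.0/24, and hypothetical object and ACL names; the 192.168.1.100 / 192.168.1.240 / 10.10.10.0 addresses come from the thread.

```cisco
! Added example (not from the thread). ASA 8.3+ syntax assumed.
! Allow traffic to come in and go back out the outside interface.
same-security-traffic permit intra-interface

! Objects for the (hypothetical) AnyConnect pool and the LAN behind the Juniper.
object network VPN-POOL
 subnet 10.20.20.0 255.255.255.0
object network JUNIPER-LAN
 subnet 10.10.10.0 255.255.255.0

! Identity (no-NAT) rule: pool -> Juniper LAN leaves the outside interface untranslated,
! so the site-to-site crypto ACL sees the real 10.20.20.x source addresses.
nat (outside,outside) source static VPN-POOL VPN-POOL destination static JUNIPER-LAN JUNIPER-LAN no-proxy-arp route-lookup

! Crypto ACL for the site-to-site tunnel to the Juniper (192.168.1.240) must include the pool.
! The Juniper side needs the mirror image of this entry.
access-list VPN-TO-JUNIPER extended permit ip object VPN-POOL object JUNIPER-LAN

! Verification: simulate an AnyConnect client (10.20.20.5) reaching the IIS test page on port 80.
! The output shows each phase (NAT, ACL, VPN) and the reason for any drop.
packet-tracer input outside tcp 10.20.20.5 12345 10.10.10.50 80
```

If the packet-tracer result shows a drop in the NAT or VPN phase, the usual causes are a more specific dynamic NAT rule ordered before the identity rule, or a crypto ACL on either side that does not include the pool subnet; `show nat` and `show crypto ipsec sa` confirm which rule matched and whether the tunnel selectors include 10.20.20.0/24.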

Laz,

I am trying to understand the Cisco ASA route creation process.
I stumbled upon the following statement. My question is: how can 3 gateways be configured on a single interface?

“You can define up to three equal cost routes to the same destination per interface. Equal-cost multi-path (ECMP) is not supported across multiple interfaces. With ECMP, the traffic is not necessarily divided evenly between the routes; traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses.”

Hello Surendra

In this particular case, we are looking at the ASA’s routing capabilities. The statement is saying that you can create up to three static routes to the same destination with a different next-hop IP. You can have multiple next-hop IPs that are reachable from the same interface, assuming you have multiple routers connected to the network of a particular interface of the ASA.

The result will be Equal-Cost Multi-Path routing to that destination. But ECMP is not achievable across multiple interfaces, it can only be achieved via a single interface.

An example of multiple equal-cost static routes, taken from the document you shared in your post, can be seen below:

ciscoasa(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1
ciscoasa(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2
ciscoasa(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3

Notice how all next-hop IPs are on the same subnet and are reachable via the outside interface.

I hope this has been helpful!

Laz

Hi Lazaros, do we have a lesson for this on how to set up something like remote AD? Thank you.

Hello Dan

There is no lesson that incorporates Active Directory with Anyconnect. However, you can find configuration information in the following Cisco documentation, depending upon the scenario you are looking for:

I hope this has been helpful!

Laz


thank you @lagapidis


Hi! This is like my first or second post so If I’m in the wrong spot, please forgive me. If I wanted to ensure SHA-1 wasn’t used as the hashing algorithm for the clients when they connect, can I just change the cipher security level under Configuration → Remote Access VPN → Advanced → SSL Settings? I was going to change the Default Cipher Version to High but wasn’t sure if that will eliminate all weak SHA-1 from the suite. Thoughts?

Hello Joshua

The Cipher Security Level setting that you configure will give you a preconfigured set of ciphers that will be used. By choosing High, you include only AES-256 with SHA-2, so SHA-1 is indeed excluded. For more details on what each security level config delivers, take a look at this Cisco documentation:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/asdm74/vpn/asdm-74-vpn-config/vpn-asdm-ssl.html#ID-2215-00000005

As seen in the documentation, you are also able to apply a custom configuration where you can specify one or more ciphers explicitly within the available string box. This gives you full control of which ciphers are allowed to be used.

I hope this has been helpful!

Laz
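The ASDM setting discussed above maps to the `ssl cipher` command on the CLI. The following is an added example, not from this thread or from the linked Cisco page, showing the "high" level beside an explicit custom list; it assumes ASA 9.3(2) or later (where `ssl cipher` with per-version levels exists) and, for the ECDHE suites in the custom string, 9.4(1) or later.

```cisco
! Added example (not from the thread). ASA 9.3(2)+ assumed.
! Only negotiate TLS 1.2 and use the preconfigured "high" cipher level for it.
ssl server-version tlsv1.2
ssl cipher tlsv1.2 high

! Alternative: name the suites explicitly (OpenSSL names, space separated).
! Every suite listed here uses SHA-256/SHA-384 for integrity; nothing with SHA-1 is included.
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 AES256-GCM-SHA384"

! Verification: list the suites each level expands to, and the active SSL configuration.
show ssl ciphers
show ssl
```

Apply one of the two `ssl cipher tlsv1.2` lines, not both; the second replaces the first. Checking `show ssl ciphers` after the change is the quickest way to confirm that no cipher name ending in `-SHA` (the SHA-1 suites) remains in the selected set.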



Thank you very much Lazaros! This is exactly what I was looking for!


Hello Laz,
Is there any way to prevent the user from establishing an AnyConnect VPN session when it comes to an untrusted self-signed certificate?
Thanks in advance.

Hello Mohammad

This behavior is configured on the actual AnyConnect client itself. The “Block Untrusted Servers” setting can be used to disallow a user from connecting using a certificate that is invalid. However, the user may be able to change the setting and successfully connect. This setting is enabled by default.

Another option is to enable the Strict Certificate Trust feature. When enabled, AnyConnect disallows any certificate that it cannot verify. Instead of prompting the user to accept such certificates, the client simply fails to connect.

More info on all of these can be found at the following Cisco documentation:

You can ensure that the strict certificate trust is set by issuing the appropriate local policy preferences using the AnyConnect profile editor. Setting the strict certificate trust policy setting to true, ensures the client is correctly configured.

Take a look at the following for details on how to set up such policies using the AnyConnect Profile Editor.

I hope this has been helpful!

Laz

Hello René, I have a question. I’m trying to complete the lab on SSL VPNs and when I type in: anyconnect image flash: /anyconnect-win-2.5.2014-k9.pkg I get the “invalid input” error. It accepts the webvpn command but that is as far as it goes. I’ve verified that I have the required packages in the flash. I’m running 8.2(1) code on an ASA that I bought on eBay. I’m at my wits’ end and wondering if one of you guys could help. Thanks