Allow AnyConnect VPN to access specific VLAN

Hi,

I have a Cisco ASA Version 9.1(5) and I have recently configured a VLAN for our R&D department.

The VLAN (40) using 10.10.40.0/24 is a separate VLAN from our normal VLAN because we had broadcast issues and the VLAN has access to internet via the ASA. In a normal situation R&D employees should access the R&D VLAN via an untagged port at the ProCurve switch or via SSID/WIFI for R&D.

Last week I got the request if I could give a supplier access to that VLAN using our AnyConnect profile access page.
I said I could, but only have gotten to the point that it could access our normal Inside interface and devices (192.168.0.0/24) and not the VLAN.

I tried fixing it with NAT0 static rules and via vpn group policy, but haven't succeeded yet.

I am eager to know what I did wrong and how it can be fixed.

Regards,
Rick

asaconfig02102014.txt

Henk van Achterberg, Sr. Technical Consultant, commented:
Add this NAT statement

nat (R&D,OUTSIDE) source static LAN_R&D LAN_R&D destination static VPN_R&D_HMNL VPN_R&D_HMNL no-proxy-arp route-lookup

 split-tunnel-policy excludespecified
 split-tunnel-network-list value VPN_ACL_R&D

This seems odd and you should check if you want this split tunnel config. I suggest you change this to a standard ACL with the R&D network in and the policy to tunnelspecified.
Rick (Author) commented:
Hoi Henk,

I added the NAT rule you specified and also checked the split tunneling (I already had in place for the R&D profile), but it doesn't work. I also tried to change exclude to include at split tunnel, but without any difference.

Does my VPN_R&D_ACL maybe have too many entries?

Below are the results from my iMac at home with VPN.

--- 10.10.40.85 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
iMac-van-Rick:~ Rick$ ping 192.168.0.15
PING 192.168.0.15 (192.168.0.15): 56 data bytes
64 bytes from 192.168.0.15: icmp_seq=0 ttl=128 time=10.944 ms
64 bytes from 192.168.0.15: icmp_seq=1 ttl=128 time=9.758 ms
^C
--- 192.168.0.15 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.758/10.351/10.944/0.593 ms
iMac-van-Rick:~ Rick$
Rick (Author) commented:
When I log all session messages / ACLs, the IP from and IP to addresses are not visible as well...

I changed to a standard ACL as you requested as well, but it didn't help:

access-list VPN_splittunnel_R&D standard permit 10.10.40.0 255.255.255.0

group-policy "GroupPolicy_R&D Partners" attributes
 banner value Hoi
 wins-server none
 dns-server none
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value VPN_splittunnel_R&D
 default-domain value ****.com
 vlan 40
 webvpn
  anyconnect profiles value R&D_Partners_client_profile type user

Henk van Achterberg, Sr. Technical Consultant, commented:
split-tunnel-policy excludespecified <-- THIS IS the problem. You should use split-tunnel-policy tunnelspecified with the standard ACL with the R&D network in it.
Rick (Author) commented:
Hi Henk,

I was able to get the traffic traversing to the right part of the network now, thanks..
But I haven't solved all of my problems yet, so it seemed afterwards..

Somehow working with 2 ldap-attributes, it won't select "Group_Policy R&D Partners".
I enabled the banner in the group policy to see which profile is assigned.. and when I use "debug ldap 255" all things show the right group policy is assigned to the right ldap attribute.. but even though, it's selecting the 1st attribute map.

After deleting all group policies and so and retrying it seems that it is picking the 1st ldap attribute..

Do you know a solution to that as well?

Thanks
Henk van Achterberg, Sr. Technical Consultant, commented:
Two questions at the same time is not EE policy, but what the heck,

http://www.tunnelsup.com/cisco-asa-vpn-authorize-user-based-on-ldap-group

I think you will find this link interesting :).

(Hint, you are missing the ldap attribute-map)
ldap attribute-map MAP-ANYCONNECT-LOGIN
  map-name  memberOf Group-Policy
  map-value memberOf CN=vpn_users,OU=groups,OU=chi,DC=example,DC=com GRPPOL-RA-VPN

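Putting Henk's two answers together (the NAT exemption plus tunnelspecified split tunneling, and the LDAP attribute map), here is an added example of what the relevant pieces of ASA configuration look like; it is not from the thread or from Rick's attached config. Object and ACL names are taken from the thread; the AnyConnect pool subnet, the LDAP server, the AD group DNs and the tunnel-group name are assumptions.

```text
! Network objects (names from the thread; the VPN pool subnet is assumed)
object network LAN_R&D
 subnet 10.10.40.0 255.255.255.0
object network VPN_R&D_HMNL
 subnet 10.10.250.0 255.255.255.0
!
! Identity NAT between the R&D interface and OUTSIDE so VPN <-> R&D traffic
! is neither translated nor proxy-ARPed, and is routed by the routing table
nat (R&D,OUTSIDE) source static LAN_R&D LAN_R&D destination static VPN_R&D_HMNL VPN_R&D_HMNL no-proxy-arp route-lookup
!
! Standard ACL listing only the networks that must go through the tunnel
access-list VPN_splittunnel_R&D standard permit 10.10.40.0 255.255.255.0
!
! Group policy: tunnelspecified sends ONLY the ACL networks through the tunnel
! (excludespecified would tunnel everything EXCEPT 10.10.40.0/24, which is why
! the R&D VLAN was unreachable while 192.168.0.0/24 still worked)
group-policy "GroupPolicy_R&D Partners" attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splittunnel_R&D
!
! LDAP attribute map: AD group membership (memberOf) selects the group policy.
! Each map-value is an exact string match on the group DN, and the right-hand
! side must match the configured group-policy name exactly (DNs are assumed)
ldap attribute-map MAP-ANYCONNECT-LOGIN
 map-name memberOf Group-Policy
 map-value memberOf "CN=RD_Partners,OU=groups,DC=example,DC=com" "GroupPolicy_R&D Partners"
 map-value memberOf "CN=vpn_users,OU=groups,DC=example,DC=com" GRPPOL-RA-VPN
!
! Bind the map to the LDAP server (server name, address and DNs are assumed)
aaa-server LDAP_AD protocol ldap
aaa-server LDAP_AD (INSIDE) host 192.168.0.10
 ldap-base-dn DC=example,DC=com
 ldap-login-dn CN=asa_bind,OU=service,DC=example,DC=com
 ldap-login-password ********
 server-type microsoft
 ldap-attribute-map MAP-ANYCONNECT-LOGIN
!
! The tunnel group must authenticate against that server for the map to apply
tunnel-group TG_RD_Partners general-attributes
 authentication-server-group LDAP_AD
```

A user who is a member of several mapped groups returns several memberOf values, so it is worth checking with "debug ldap 255" which DN the ASA matched first before changing the policy names.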
Rick (Author) commented:
Thanks for your help.

Haven't yet figured out the ldap-attribute-map, but will do so later in another case.