Solved

Allow AnyConnect VPN to access specific VLAN

Posted on 2014-10-01
720 Views
Last Modified: 2014-10-25
Hi,

I have a Cisco ASA version 9.1(5) and I have recently configured a VLAN for our R&D department.

The VLAN (40), using 10.10.40.0/24, is a separate VLAN from our normal VLAN because we had broadcast issues, and the VLAN has access to the internet via the ASA. In a normal situation R&D employees should access the R&D VLAN via an untagged port at the ProCurve switch or via SSID/WIFI for R&D.

Last week I got the request if I could give a supplier access to that VLAN using our AnyConnect profile access page.
I said I could, but I have only gotten to the point that it could access our normal Inside interface and devices (192.168.0.0/24) and not the VLAN.

I tried fixing it with NAT0 static rules and via vpn group policy, but haven't succeeded yet.

I am eager to know what I did wrong and how it can be fixed.

Regards,
Rick

asaconfig02102014.txt
Question by:Rick
7 Comments
Expert Comment

by:Henk van Achterberg
Add this NAT statement

nat (R&D,OUTSIDE) source static LAN_R&D LAN_R&D destination static VPN_R&D_HMNL VPN_R&D_HMNL no-proxy-arp route-lookup

 split-tunnel-policy excludespecified
 split-tunnel-network-list value VPN_ACL_R&D

This seems odd and you should check if you want this split tunnel config. I suggest you change this to a standard ACL with the R&D network in it and the policy to tunnelspecified.
Author Comment

by:Rick
Hi Henk,

I added the NAT rule you specified and also checked the split tunneling (which I already had in place for the R&D profile), but it doesn't work. I also tried changing exclude to include in the split tunnel, but without any difference.

Does my VPN_R&D_ACL maybe have too many entries?

Below are the results from my iMac at home with VPN.

--- 10.10.40.85 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
iMac-van-Rick:~ Rick$ ping 192.168.0.15
PING 192.168.0.15 (192.168.0.15): 56 data bytes
64 bytes from 192.168.0.15: icmp_seq=0 ttl=128 time=10.944 ms
64 bytes from 192.168.0.15: icmp_seq=1 ttl=128 time=9.758 ms
^C
--- 192.168.0.15 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.758/10.351/10.944/0.593 ms
iMac-van-Rick:~ Rick$
Author Comment

by:Rick
When I log all session messages/ACLs, the from and to IP addresses are not visible either...

I changed to a standard ACL as you requested as well, but it didn't help:

access-list VPN_splittunnel_R&D standard permit 10.10.40.0 255.255.255.0

group-policy "GroupPolicy_R&D Partners" attributes
 banner value Hoi
 wins-server none
 dns-server none
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value VPN_splittunnel_R&D
 default-domain value ****.com
 vlan 40
 webvpn
  anyconnect profiles value R&D_Partners_client_profile type user
Expert Comment

by:Henk van Achterberg
split-tunnel-policy excludespecified <-- THIS IS the problem. You should use split-tunnel-policy tunnelspecified with the standard ACL with the R&D network in it.
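The fix from this comment placed beside the broken setting, as an added example that is not the thread's own config: interface, object, ACL and group-policy names are the ones used in the thread, while the VPN pool subnet 10.10.50.0/24 is a constructed placeholder.

```cisco
! Added example, not the thread's config. Names R&D, OUTSIDE, LAN_R&D, VPN_R&D_HMNL,
! VPN_splittunnel_R&D and "GroupPolicy_R&D Partners" come from the thread;
! the pool subnet 10.10.50.0/24 and the client address 10.10.50.10 are constructed.
!
! --- What did not work: excludespecified means "tunnel everything EXCEPT the
! listed networks", so 10.10.40.0/24 leaves the client's local adapter and never
! enters the tunnel (100% loss to 10.10.40.85 while 192.168.0.15 still answers).
access-list VPN_splittunnel_R&D standard permit 10.10.40.0 255.255.255.0
group-policy "GroupPolicy_R&D Partners" attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value VPN_splittunnel_R&D
!
! --- Corrected: tunnelspecified tunnels ONLY the listed network. The supplier's
! other traffic stays local, and 192.168.0.0/24 is no longer reachable over the VPN.
group-policy "GroupPolicy_R&D Partners" attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splittunnel_R&D
!
! Identity NAT (the "NAT 0" of older releases) so VLAN 40 <-> VPN pool traffic
! is never translated on its way through the ASA.
object network LAN_R&D
 subnet 10.10.40.0 255.255.255.0
object network VPN_R&D_HMNL
 subnet 10.10.50.0 255.255.255.0
nat (R&D,OUTSIDE) source static LAN_R&D LAN_R&D destination static VPN_R&D_HMNL VPN_R&D_HMNL no-proxy-arp route-lookup
!
! Checks, run from exec mode after a client has connected:
! show vpn-sessiondb anyconnect
! packet-tracer input OUTSIDE icmp 10.10.50.10 8 0 10.10.40.85
```

The packet-tracer run should show the identity NAT rule being hit and the packet allowed; if it stops at an ACL or NAT phase, the tunnel is fine and the problem is on the ASA side, not in the split-tunnel list.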
Accepted Solution

by:Rick
Hi Henk,

I was able to get the traffic traversing to the right part of the network now, thanks.
But I haven't solved all of my problems yet, as it seemed afterwards.

Somehow, working with 2 ldap-attributes, it won't select "Group_Policy R&D Partners".
I enabled the banner in the group policy to see which profile is assigned, and when I use "debug ldap 255" all things show the right group policy is assigned to the right ldap attribute, but even though, it's selecting the 1st attribute map.

After deleting all group policies and so on and retrying, it seems that it is picking the 1st ldap attribute.

Do you know a solution to that as well?

Thanks
Expert Comment

by:Henk van Achterberg
Two questions at the same time is not EE policy, but what the heck,

http://www.tunnelsup.com/cisco-asa-vpn-authorize-user-based-on-ldap-group

I think you will find this link interesting :).

(Hint, you are missing the ldap attribute-map)
ldap attribute-map MAP-ANYCONNECT-LOGIN
  map-name  memberOf Group-Policy
  map-value memberOf CN=vpn_users,OU=groups,OU=chi,DC=example,DC=com GRPPOL-RA-VPN

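The attribute-map approach from the linked article, carried further as an added example that is neither the thread's nor the article's config: every group-to-policy rule in one map, the map bound to the LDAP server, and a fail-closed default policy. LDAP_AD, the host address 192.168.0.10, the DNs, the INSIDE interface name and the tunnel-group name are assumptions; the group-policy name follows the thread.

```cisco
! Added example, not the thread's or the linked article's config. LDAP_AD, the AD
! host 192.168.0.10, the DNs, INSIDE and TG_RD_Partners are constructed placeholders.
!
! One map holds ALL group-to-policy rules: an aaa-server host takes a single
! ldap-attribute-map, so two separate maps can never both be applied.
ldap attribute-map MAP-ANYCONNECT-LOGIN
 map-name  memberOf Group-Policy
 map-value memberOf "CN=vpn_users,OU=groups,DC=example,DC=com" GroupPolicy_Employees
 map-value memberOf "CN=vpn_rd_partners,OU=groups,DC=example,DC=com" "GroupPolicy_R&D Partners"
!
aaa-server LDAP_AD protocol ldap
aaa-server LDAP_AD (INSIDE) host 192.168.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=service,DC=example,DC=com
 ldap-login-password REPLACE_ME
 server-type microsoft
 ldap-attribute-map MAP-ANYCONNECT-LOGIN
!
! Fail closed: a user who authenticates but is in no mapped group lands in a
! policy that permits zero simultaneous logins instead of a default policy.
group-policy GroupPolicy_NoAccess internal
group-policy GroupPolicy_NoAccess attributes
 vpn-simultaneous-logins 0
tunnel-group TG_RD_Partners general-attributes
 authentication-server-group LDAP_AD
 default-group-policy GroupPolicy_NoAccess
!
! Caveat: the map has no precedence control, so a user in more than one mapped
! group gets whichever match is applied first; keep mapped groups non-overlapping.
! Verify from exec mode (REPLACE_ME stands in for a real test password):
! test aaa-server authentication LDAP_AD host 192.168.0.10 username jdoe password REPLACE_ME
! debug ldap 255
```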
Author Closing Comment

by:Rick
Thanks for your help.

Haven't yet figured out the ldap-attribute-map, but will do so later in another case.