Solved

Allow AnyConnect VPN to access specific VLAN

Posted on 2014-10-01
804 Views
Last Modified: 2014-10-25
Hi,

I have a Cisco ASA Version 9.1(5) and I have recently configured a VLAN for our R&D department.

The VLAN (40) using 10.10.40.0/24 is a separate VLAN from our normal VLAN because we had broadcast issues and the VLAN has access to internet via the ASA. In a normal situation R&D employees should access the R&D VLAN via an untagged port at the ProCurve switch or via SSID/WIFI for R&D.

Last week I got the request if I could give a supplier access to that VLAN using our AnyConnect profile access page.
I said I could, but have only gotten to the point that it can access our normal Inside interface and devices (192.168.0.0/24) and not the VLAN.

I tried fixing it with NAT0 static rules and via vpn group policy, but haven't succeeded yet.

I am eager to know what I did wrong and how it can be fixed.

Regards,
Rick

Attachment: asaconfig02102014.txt

Question by: Rick

7 Comments
Expert Comment

by:Henk van Achterberg
ID: 40358752
Add this NAT statement:

nat (R&D,OUTSIDE) source static LAN_R&D LAN_R&D destination static VPN_R&D_HMNL VPN_R&D_HMNL no-proxy-arp route-lookup

 split-tunnel-policy excludespecified
 split-tunnel-network-list value VPN_ACL_R&D

This seems odd and you should check if you want this split tunnel config. I suggest you change this to a standard ACL with the R&D network in it and the policy to tunnelspecified.
 

Author Comment

by:Rick
ID: 40358890
Hoi Henk,

I added the NAT rule you specified and also checked the split tunneling (I already had in place for the R&D profile), but it doesn't work. I also tried to change exclude to include at split tunnel, but without any difference.

Does my VPN_R&D_ACL maybe have too many entries?

Below are the results from my iMac at home with VPN.

--- 10.10.40.85 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
iMac-van-Rick:~ Rick$ ping 192.168.0.15
PING 192.168.0.15 (192.168.0.15): 56 data bytes
64 bytes from 192.168.0.15: icmp_seq=0 ttl=128 time=10.944 ms
64 bytes from 192.168.0.15: icmp_seq=1 ttl=128 time=9.758 ms
^C
--- 192.168.0.15 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.758/10.351/10.944/0.593 ms
iMac-van-Rick:~ Rick$
 

Author Comment

by:Rick
ID: 40358913
When I log all session messages/ACLs, the IP from and IP to addresses are not visible as well...

I changed to a standard ACL as you requested as well, but it didn't help:

access-list VPN_splittunnel_R&D standard permit 10.10.40.0 255.255.255.0

group-policy "GroupPolicy_R&D Partners" attributes
 banner value Hoi
 wins-server none
 dns-server none
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value VPN_splittunnel_R&D
 default-domain value ****.com
 vlan 40
 webvpn
  anyconnect profiles value R&D_Partners_client_profile type user
 
Expert Comment

by:Henk van Achterberg
ID: 40358928
split-tunnel-policy excludespecified <-- THIS IS the problem. You should use split-tunnel-policy tunnelspecified with the standard ACL with the R&D network in it.
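The complete set of pieces behind Henk's advice, written out as an added example (it is not from the thread or from Rick's attached config). Only the object name LAN_R&D, the NAT rule, the ACL name and the group-policy name come from the thread; the VPN pool object VPN_R&D_HMNL being 10.10.250.0/24 and the interface nameif R&D for VLAN 40 are assumptions made for illustration.

```cisco
! Added example, not from the thread. Assumed: VPN pool 10.10.250.0/24,
! interface nameif R&D for VLAN 40. Everything else is named as in the thread.

! Objects for the R&D subnet and the AnyConnect address pool
object network LAN_R&D
 subnet 10.10.40.0 255.255.255.0
object network VPN_R&D_HMNL
 subnet 10.10.250.0 255.255.255.0

! Identity (NAT-exempt) rule: traffic between VLAN 40 and VPN clients is
! not translated, and route-lookup keeps the ASA routing on the real table
nat (R&D,OUTSIDE) source static LAN_R&D LAN_R&D destination static VPN_R&D_HMNL VPN_R&D_HMNL no-proxy-arp route-lookup

! Standard ACL listing ONLY the network(s) that must enter the tunnel
access-list VPN_splittunnel_R&D standard permit 10.10.40.0 255.255.255.0

! WRONG (the thread's starting point): "excludespecified" means the ACL
! lists what is kept OUT of the tunnel, so 10.10.40.0/24 is exactly the
! network the client never sends to the ASA.
!  split-tunnel-policy excludespecified
!  split-tunnel-network-list value VPN_splittunnel_R&D

! RIGHT: the ACL lists what goes INTO the tunnel; all other client
! traffic stays local to the client, which also keeps the supplier's
! general internet traffic off the ASA.
group-policy "GroupPolicy_R&D Partners" attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splittunnel_R&D
 vlan 40
 webvpn
  anyconnect profiles value R&D_Partners_client_profile type user

! Checks after applying the change
show running-config group-policy "GroupPolicy_R&D Partners"
show nat detail
show access-list VPN_splittunnel_R&D
show vpn-sessiondb detail anyconnect
```

After reconnecting, the AnyConnect client's Route Details should list 10.10.40.0/24 as the only secured route; `show nat detail` should show the identity rule with a non-zero translate_hits once a ping to 10.10.40.85 has been sent. Keeping the ACL to the single R&D subnet is what limits the supplier to that VLAN; the 192.168.0.0/24 inside network is reachable only if it is added to the list.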
 

Accepted Solution

by: Rick (earned 0 total points)
ID: 40370706
Hi Henk,

I was able to get the traffic traversing to the right part of the network now, thanks..
But I haven't solved all of my problems yet so it seemed afterwards..

Somehow working with 2 ldap-attributes, it won't select "Group_Policy R&D Partners".
I enabled the banner in the group policy to see which profile is assigned.. and when I use "debug ldap 255" all things show the right group policy is assigned to the right ldap attribute.. but even though, it's selecting the 1st attribute map.

After deleting all group policies and so and retrying it seems that it is picking the 1st ldap attribute..

Do you know a solution to that as well?

Thanks
Expert Comment

by:Henk van Achterberg
ID: 40372309
Two questions at the same time is not EE policy, but what the heck,

http://www.tunnelsup.com/cisco-asa-vpn-authorize-user-based-on-ldap-group

I think you will find this link interesting :).

(Hint, you are missing the ldap attribute-map)
ldap attribute-map MAP-ANYCONNECT-LOGIN
  map-name  memberOf Group-Policy
  map-value memberOf CN=vpn_users,OU=groups,OU=chi,DC=example,DC=com GRPPOL-RA-VPN

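A fuller version of the attribute-map idea, added here as an example that is neither from the thread nor from the linked article: one map carrying several map-value lines, applied on the LDAP aaa-server, with a deny-by-default fallback policy so an authenticated user who matches no mapped AD group gets no session. The AD distinguished names, the aaa-server name AD-LDAP, the domain controller address 192.168.0.10, the tunnel-group name and the NOACCESS policy are all assumptions; only the map syntax and the "GroupPolicy_R&D Partners" name come from the thread.

```cisco
! Added example, not from the thread. Assumed: AD DNs under DC=example,DC=com,
! DC at 192.168.0.10 on the Inside interface, tunnel-group RD-Partners.

! Fallback policy for authenticated users who match no mapped group:
! zero simultaneous logins means the ASA refuses the session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev2 ssl-client

! One map, several values: each memberOf DN selects a group-policy.
! Policy names containing spaces are quoted exactly as they were defined.
ldap attribute-map MAP-ANYCONNECT-LOGIN
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN_Employees,OU=Groups,DC=example,DC=com" GroupPolicy_Employees
 map-value memberOf "CN=VPN_RD_Partners,OU=Groups,DC=example,DC=com" "GroupPolicy_R&D Partners"

! The map is attached to the LDAP server definition, not to the tunnel-group
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (Inside) host 192.168.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc_asa,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder-password>
 server-type microsoft
 ldap-attribute-map MAP-ANYCONNECT-LOGIN

! With NOACCESS as the default, only users whose memberOf matched a
! map-value line end up in a policy that allows a login
tunnel-group RD-Partners general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS

! Verification: the debug shows each memberOf value and the mapped policy,
! the session table shows the policy that was actually applied
debug ldap 255
show vpn-sessiondb anyconnect filter name <username>
```

When a test user belongs to more than one of the mapped AD groups, every matching map-value line fires and the debug output shows all of them; the clean way to get a deterministic policy is to keep each VPN user in exactly one VPN-related AD group rather than relying on which match the ASA takes.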
 

Author Closing Comment

by:Rick
ID: 40403751
Thanks for your help.

Haven't yet figured out the ldap-attribute-map, but will do so later in another case.
