Solved

Allow AnyConnect VPN to access specific VLAN

Posted on 2014-10-01
750 Views
Last Modified: 2014-10-25
Hi,

I have a Cisco ASA Version 9.1(5) and I have recently configured a VLAN for our R&D department.

The VLAN (40), using 10.10.40.0/24, is a separate VLAN from our normal VLAN because we had broadcast issues, and the VLAN has access to the internet via the ASA. In a normal situation R&D employees access the R&D VLAN via an untagged port at the ProCurve switch or via the SSID/WIFI for R&D.

Last week I got the request to give a supplier access to that VLAN using our AnyConnect profile access page.
I said I could, but have only gotten to the point that it can access our normal Inside interface and devices (192.168.0.0/24) and not the VLAN.

I tried fixing it with NAT0 static rules and via vpn group policy, but haven't succeeded yet.

I am eager to know what I did wrong and how it can be fixed.

Regards,
Rick

asaconfig02102014.txt
Question by:Rick
7 Comments
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 40358752
Add this NAT statement

nat (R&D,OUTSIDE) source static LAN_R&D LAN_R&D destination static VPN_R&D_HMNL VPN_R&D_HMNL no-proxy-arp route-lookup

 split-tunnel-policy excludespecified
 split-tunnel-network-list value VPN_ACL_R&D

This seems odd and you should check if you want this split tunnel config. I suggest you change this to a standard ACL with the R&D network in it and the policy to tunnelspecified.

Author Comment

by:Rick
ID: 40358890
Hi Henk,

I added the NAT rule you specified and also checked the split tunneling (which I already had in place for the R&D profile), but it doesn't work. I also tried to change exclude to include at split tunnel, but without any difference.

Does my VPN_R&D_ACL maybe have too many entries?

Below are the results from my iMac at home with VPN.

--- 10.10.40.85 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
iMac-van-Rick:~ Rick$ ping 192.168.0.15
PING 192.168.0.15 (192.168.0.15): 56 data bytes
64 bytes from 192.168.0.15: icmp_seq=0 ttl=128 time=10.944 ms
64 bytes from 192.168.0.15: icmp_seq=1 ttl=128 time=9.758 ms
^C
--- 192.168.0.15 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.758/10.351/10.944/0.593 ms
iMac-van-Rick:~ Rick$

Author Comment

by:Rick
ID: 40358913
When I log all session messages/ACLs, the IP from and IP to addresses are not visible either...

I changed to a standard ACL as you requested as well, but it didn't help:

access-list VPN_splittunnel_R&D standard permit 10.10.40.0 255.255.255.0

group-policy "GroupPolicy_R&D Partners" attributes
 banner value Hoi
 wins-server none
 dns-server none
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value VPN_splittunnel_R&D
 default-domain value ****.com
 vlan 40
 webvpn
  anyconnect profiles value R&D_Partners_client_profile type user
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 40358928
split-tunnel-policy excludespecified <-- THIS IS the problem. You should use split-tunnel-policy tunnelspecified with the standard ACL with the R&D network in it.
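Added example, not Rick's running config or Henk's posted text: the group policy as the thread started (excludespecified, which tunnels everything except the listed network, so the supplier reached 192.168.0.0/24 and the R&D VLAN was the one destination kept out of the tunnel) beside the corrected tunnelspecified version, with the identity NAT from Henk's comment. Object, ACL, interface and policy names are taken from the thread; the pool subnet 10.10.45.0/24, the VPN_filter_R&D ACL and the vpn-filter line are assumptions added here to keep a third-party user restricted to VLAN 40.

```cisco
! As the thread started: excludespecified tunnels EVERYTHING except the listed
! network, so the supplier reached 192.168.0.0/24 while 10.10.40.0/24 was the one
! destination kept out of the tunnel (the ping to 10.10.40.85 never entered it).
access-list VPN_splittunnel_R&D standard permit 10.10.40.0 255.255.255.0
group-policy "GroupPolicy_R&D Partners" attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value VPN_splittunnel_R&D

! Corrected: only 10.10.40.0/24 enters the tunnel. VPN_R&D_HMNL is the address-pool
! object named in the thread; its 10.10.45.0/24 subnet is a constructed placeholder.
object network LAN_R&D
 subnet 10.10.40.0 255.255.255.0
object network VPN_R&D_HMNL
 subnet 10.10.45.0 255.255.255.0

! Identity NAT (NAT0) from Henk's comment: R&D <-> VPN pool traffic is not translated.
nat (R&D,OUTSIDE) source static LAN_R&D LAN_R&D destination static VPN_R&D_HMNL VPN_R&D_HMNL no-proxy-arp route-lookup

! Assumed hardening (not in the thread): a vpn-filter, written with the remote
! client as the source, so the supplier reaches VLAN 40 and nothing else,
! regardless of what the split-tunnel list or routing would otherwise allow.
access-list VPN_filter_R&D extended permit ip 10.10.45.0 255.255.255.0 10.10.40.0 255.255.255.0
access-list VPN_filter_R&D extended deny ip any any

group-policy "GroupPolicy_R&D Partners" attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splittunnel_R&D
 vpn-filter value VPN_filter_R&D
```

After the client reconnects, its AnyConnect route details should list only 10.10.40.0/24 as a secured route, and show vpn-sessiondb detail anyconnect shows the filter name applied to the session.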

Accepted Solution

by:Rick (earned 0 total points)
ID: 40370706
Hi Henk,

I was able to get the traffic traversing to the right part of the network now, thanks.
But I haven't solved all of my problems yet, as it seemed afterwards.

Somehow working with 2 ldap-attributes, it won't select "Group_Policy R&D Partners".
I enabled the banner in the group policy to see which profile is assigned, and when I use "debug ldap 255" all things show the right group policy is assigned to the right ldap attribute, but even though, it's selecting the 1st attribute map.

After deleting all group policies and so on and retrying, it seems that it is picking the 1st ldap attribute.

Do you know a solution to that as well?

Thanks
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 40372309
Two questions at the same time is not EE policy, but what the heck,

http://www.tunnelsup.com/cisco-asa-vpn-authorize-user-based-on-ldap-group

I think you will find this link interesting :).

(Hint, you are missing the ldap attribute-map)
ldap attribute-map MAP-ANYCONNECT-LOGIN
  map-name  memberOf Group-Policy
  map-value memberOf CN=vpn_users,OU=groups,OU=chi,DC=example,DC=com GRPPOL-RA-VPN

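Added example, not from the thread or the linked article, that goes beyond Henk's three-line snippet: one ldap attribute-map with a map-value line per AD group, bound to the AAA server, and a tunnel group whose default policy refuses logins so that a user matching none of the map-value lines gets no VPN access. The DNs, the server address 192.168.0.10, the service-account DN, the tunnel-group name RD-Partners and the policy name GroupPolicy_Inside are constructed placeholders; "GroupPolicy_R&D Partners" is the policy from the thread.

```cisco
! One ldap attribute-map is bound to each AAA server; several map-value lines under
! the same map-name map different AD groups to different group policies.
! All DNs, the host IP and the GroupPolicy_Inside name are constructed placeholders.
ldap attribute-map MAP-ANYCONNECT-LOGIN
  map-name  memberOf Group-Policy
  map-value memberOf CN=RD-Partners,OU=Groups,DC=example,DC=com "GroupPolicy_R&D Partners"
  map-value memberOf CN=VPN-Users,OU=Groups,DC=example,DC=com GroupPolicy_Inside

! AAA server that authenticates AnyConnect users against AD and applies the map.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 192.168.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password PLACEHOLDER-CHANGE-ME
 server-type microsoft
 ldap-attribute-map MAP-ANYCONNECT-LOGIN

! Fail closed: a user whose memberOf matches none of the map-value lines gets the
! tunnel group's default policy, so make that policy refuse logins.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
tunnel-group RD-Partners type remote-access
tunnel-group RD-Partners general-attributes
 authentication-server-group LDAP-AD
 default-group-policy NOACCESS
```

Verify which policy a given account receives with test aaa-server authentication LDAP-AD host 192.168.0.10 username USER password PASS together with debug ldap 255, as Rick already did.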

Author Closing Comment

by:Rick
ID: 40403751
Thanks for your help.

Haven't yet figured out the ldap-attribute-map, but will do so later in another case.
