Adding New Networks to Cisco AnyConnect VPNs

KB ID 0001593

Problem

Note: To add new subnets to a traditional Site to Site VPN, see the following article instead;

Cisco ASA – Adding New Networks to Existing VPNs

I see this get asked in online forums A LOT. If you have an existing AnyConnect VPN setup, and then need to add another network how do you do it?

Well that depends on where the new network is, and how it’s entering the firewall, these diagrams can be either way round, but the new network will either be coming into the ASA on the same interface (i.e you’ve spun up a new network for phones, or a new department etc),  or the traffic will be coming into the ASA through a different interface, (like a DMZ, or partner network).

Option A: New Network is on another interface;

Option B: New Network is on existing (inside) interface;

Note: The process for adding the new network is the same for both, BUT depending on which interface the new traffic is coming in on, this will change your NAT command. 

Warning: For this process to work you must already have a setup and working AnyConnect deployment!

Solution

Option A: New Network is on a Different Interface

Tasks on ASA

  • Locate the NAT Exemption for the AnyConnect traffic, and add a new one on the SAME interface.
  • If using Split Tunneling add the new network to the Spit Tunnel ACL

Locate the Nat Exception (or NO NAT on old Cisco Money) that prevents the AnyConnect traffic form getting NATTED.

[box]

ASA-1(config)# show run nat 
nat (inside,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup 
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup 
!

[/box]

From the output above we can see that the Nat exemption for the existing traffic is highlighted, we simply need to add another one, for the new interface (which we will call dmz).

Note: I’m using any, yours might be using a specific object or object-group, if so, you will need to create new objects or object groups for the new network(s), for the next step, I’m sticking with any!

[box]

ASA-1# configure terminal
ASA-1(config)# nat (dmz,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup

[/box]

Now let’s see if we are using split tunnelling;

[box]

ASA-1# show run group-policy
group-policy DfltGrpPolicy attributes
 webvpn
  customization value Portal
group-policy GroupPolicy_AnyConnectVPN internal
group-policy GroupPolicy_AnyConnectVPN attributes
 wins-server none
 dns-server value 192.168.1.10 192.168.1.11
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunneling
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value AnyConnect type user
  customization value Portal
group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-filter value ACL_Filter
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
 webvpn
  customization value PulsantPortal

[/box]

So we are using split tunnelling, and our split tunnel ACL is called SplitTunneling.

[box]

ASA-1# show run access-list SplitTunneling
access-list SplitTunneling standard permit 192.168.1.0 255.255.255.0

[/box]

Now simply just add the new subnet;

[box]

ASA-1(config)# access-list SplitTunneling standard permit 192.168.100.0 255.255.255.0

[/box]

Option B: New Network is on the Same Interface

Tasks on ASA

  • Locate the NAT Exemption for the AnyConnect traffic, and add a new one for the new interface.
  • If using Split Tunneling add the new network to the Spit Tunnel ACL

Locate the Nat Exception (or NO NAT on old Cisco Money) that prevents the AnyConnect traffic form getting NATTED.

[box]

ASA-1(config)# show run nat 
nat (inside,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup 
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup 
!

[/box]

From the output above we can see that the Nat exemption for the existing traffic is highlighted, IMPORTANT: Because I’m using any, (yours might be using a specific object or object-group), I DONT NEED TO ADD ANYTHING as any covers the newly added subnet. if you didn’t use any, then you will need to create new objects or object groups for the new network(s), for the next step, I’m sticking with any! then

[box]

ASA-1# configure terminal
ASA-1(config)# object network Obj-New-LAN
ASA-1(config-network-object)# subnet 192.168.100 255.255.255.0
ASA-1(config-network-object)#nat (inside,outside) source static Obj-New-LAN Obj-New-LAN destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup 

[/box]

Now let’s see if we are using split tunnelling;

[box]

ASA-1# show run group-policy
group-policy DfltGrpPolicy attributes
 webvpn
  customization value Portal
group-policy GroupPolicy_AnyConnectVPN internal
group-policy GroupPolicy_AnyConnectVPN attributes
 wins-server none
 dns-server value 192.168.1.10 192.168.1.11
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunneling
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value AnyConnect type user
  customization value Portal
group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-filter value ACL_Filter
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
 webvpn
  customization value PulsantPortal

[/box]

So we are using split tunnelling, and our split tunnel ACL is called SplitTunneling.

[box]

ASA-1# show run access-list SplitTunneling
access-list SplitTunneling standard permit 192.168.1.0 255.255.255.0

[/box]

Now simply just add the new subnet;

[box]

ASA-1(config)# access-list SplitTunneling standard permit 192.168.100.0 255.255.255.0

[/box]

Related Articles, References, Credits, or External Links

NA

6 thoughts on “Adding New Networks to Cisco AnyConnect VPNs

  1. Hi Pete, I love your documents and they have been very helpful.

    Are you able to do something similar, but…. setup the VPN on the internal network going from say an INSIDE_STAFF or INSIDE_CONTRACTORS interfaces to the DMZ interface?

    The reason is that you might want to use VPN to allow ‘certain’ users to access resources in the DC i.e. databases

    Thank you
    Heino

    • Not really sure what you are asking but It sounds like you want to allow specific users to specific networks? This is best achieved with DAP (Dynamic Access Policies). I’ve written this up elsewhere (use the search function). But essentially if you want bob and Steve to access the SQL server on Network x, create an ACL that allows IP from any to Network X, then create a DAP that says if you are Bob or Steve apply the ACL you just created. then the ACL gets downloaded to them dynamically.

  2. Hey Pete, this was helpful to gain access to additional subnets in the office.

    Question, to take this a step further, how would you build the route so the anyconnect user could connect to a remote site in the site to site tunnel?

    for example,

    you have 2 sites (A & B) with a ikev2 site to site tunnel.

    you have a user use anyconnect to connect to site A and he needs to hit a server in site B (within the site to site tunnel).

      • Hi Pete;
        Thanks for this – very helpful.
        I now can access servers in the DMZ from AnyConnect clients but any of these servers also can connect to the AnyConnect clients. This is not desired. Any suggestions to prevent this ? Thank you

Leave a Reply

Your email address will not be published. Required fields are marked *