Adding New Networks to Cisco AnyConnect VPNs

KB ID 0001593

Problem

Note: To add new subnets to a traditional Site to Site VPN, see the following article instead;

Cisco ASA – Adding New Networks to Existing VPNs

I see this get asked in online forums A LOT. If you have an existing AnyConnect VPN setup, and then need to add another network how do you do it?

Well that depends on where the new network is, and how it’s entering the firewall. These diagrams can be either way round, but the new network will either be coming into the ASA on the same interface (i.e. you’ve spun up a new network for phones, or a new department etc.), or the traffic will be coming into the ASA through a different interface (like a DMZ, or a partner network).

Option A: New Network is on another interface;

Option B: New Network is on existing (inside) interface;

Note: The process for adding the new network is the same for both, BUT depending on which interface the new traffic is coming in on, this will change your NAT command. 

Warning: For this process to work you must already have a setup and working AnyConnect deployment!

Solution

Option A: New Network is on a Different Interface

Tasks on ASA

  • Locate the NAT Exemption for the AnyConnect traffic, and add a new one for the new interface.
  • If using Split Tunneling add the new network to the Split Tunnel ACL

Locate the NAT Exemption (or NO NAT in old Cisco money) that prevents the AnyConnect traffic from getting NATed.

[box]

ASA-1(config)# show run nat 
nat (inside,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup 
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup 
!

[/box]

From the output above we can see the NAT exemption for the existing traffic (the first nat line); we simply need to add another one for the new interface (which we will call dmz).

Note: I’m using any; yours might be using a specific object or object-group, and if so you will need to create new objects or object groups for the new network(s). For the next step, I’m sticking with any!

[box]

ASA-1# configure terminal
ASA-1(config)# nat (dmz,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup

[/box]

Now let’s see if we are using split tunnelling;

[box]

ASA-1# show run group-policy
group-policy DfltGrpPolicy attributes
 webvpn
  customization value Portal
group-policy GroupPolicy_AnyConnectVPN internal
group-policy GroupPolicy_AnyConnectVPN attributes
 wins-server none
 dns-server value 192.168.1.10 192.168.1.11
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunneling
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value AnyConnect type user
  customization value Portal
group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-filter value ACL_Filter
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
 webvpn
  customization value PulsantPortal

[/box]

So we are using split tunnelling, and our split tunnel ACL is called SplitTunneling.

[box]

ASA-1# show run access-list SplitTunneling
access-list SplitTunneling standard permit 192.168.1.0 255.255.255.0

[/box]

Now simply add the new subnet;

[box]

ASA-1(config)# access-list SplitTunneling standard permit 192.168.100.0 255.255.255.0

[/box]

Option B: New Network is on the Same Interface

Tasks on ASA

  • Locate the NAT Exemption for the AnyConnect traffic, and add a new one on the SAME interface (only needed if the existing one does not already cover the new network).
  • If using Split Tunneling add the new network to the Split Tunnel ACL

Locate the NAT Exemption (or NO NAT in old Cisco money) that prevents the AnyConnect traffic from getting NATed.

[box]

ASA-1(config)# show run nat 
nat (inside,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup 
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup 
!

[/box]

From the output above we can see the NAT exemption for the existing traffic (the first nat line). IMPORTANT: Because I’m using any (yours might be using a specific object or object-group), I DON’T NEED TO ADD ANYTHING, as any already covers the newly added subnet. If you didn’t use any, then you will need to create a new object or object group for the new network(s) and add an exemption for it, like so;

[box]

ASA-1# configure terminal
ASA-1(config)# object network Obj-New-LAN
ASA-1(config-network-object)# subnet 192.168.100.0 255.255.255.0
ASA-1(config-network-object)# exit
ASA-1(config)# nat (inside,outside) source static Obj-New-LAN Obj-New-LAN destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup

[/box]

Now let’s see if we are using split tunnelling;

[box]

ASA-1# show run group-policy
group-policy DfltGrpPolicy attributes
 webvpn
  customization value Portal
group-policy GroupPolicy_AnyConnectVPN internal
group-policy GroupPolicy_AnyConnectVPN attributes
 wins-server none
 dns-server value 192.168.1.10 192.168.1.11
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunneling
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value AnyConnect type user
  customization value Portal
group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-filter value ACL_Filter
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
 webvpn
  customization value PulsantPortal

[/box]

So we are using split tunnelling, and our split tunnel ACL is called SplitTunneling.

[box]

ASA-1# show run access-list SplitTunneling
access-list SplitTunneling standard permit 192.168.1.0 255.255.255.0

[/box]

Now simply add the new subnet;

[box]

ASA-1(config)# access-list SplitTunneling standard permit 192.168.100.0 255.255.255.0

[/box]
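As an added check (my own code, not from the article), the following Python reads the show run nat and split-tunnel ACL output shown above and reports what is still missing for a new subnet arriving on a given interface, so it covers both Option A (new interface) and Option B (same interface, any versus a specific object). The sample config is constructed from the boxes above and the OBJECTS definitions are assumed.

```python
import ipaddress
import re

# Constructed sample config, modelled on the show output in the article
NAT_CONFIG = """
nat (inside,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup
"""
SPLIT_ACL = "access-list SplitTunneling standard permit 192.168.1.0 255.255.255.0"
ANYCONNECT_OBJ = "Obj-ANYCONNECT-SUBNET"
OBJECTS = {"Obj-Local-LAN": ipaddress.ip_network("192.168.1.0/24")}  # assumed object definitions
# Identity twice NAT (the "NAT exemption"): the same object repeated for source and for destination
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) \3 destination static (\S+) \4")
ACL_RE = re.compile(r"access-list \S+ standard permit (\S+) (\S+)")

def parse_exemptions(nat_config):
    """Return (src_if, dst_if, src_obj, dst_obj) for every NAT exemption line."""
    return [m.groups() for m in map(NAT_RE.search, nat_config.splitlines()) if m]

def object_contains(name, subnet):
    """'any' covers everything; a named object covers the subnet only if it contains it."""
    if name == "any":
        return True
    net = OBJECTS.get(name)
    return net is not None and subnet.subnet_of(net)

def nat_exempt_ok(nat_config, iface, subnet):
    """True if traffic from subnet (arriving on iface) to the AnyConnect pool is exempt from NAT."""
    return any(src_if == iface and dst_if == "outside" and dst_obj == ANYCONNECT_OBJ
               and object_contains(src_obj, subnet)
               for src_if, dst_if, src_obj, dst_obj in parse_exemptions(nat_config))

def split_tunnel_ok(acl_text, subnet):
    """True if some standard ACL entry (network + netmask) already covers the subnet."""
    return any(subnet.subnet_of(ipaddress.ip_network(f"{net}/{mask}"))
               for net, mask in ACL_RE.findall(acl_text))

def audit(nat_config, acl_text, iface, subnet):
    """List what still has to be added for a new subnet on iface; an empty list means nothing."""
    subnet = ipaddress.ip_network(subnet)
    missing = []
    if not nat_exempt_ok(nat_config, iface, subnet):
        missing.append(f"nat ({iface},outside) exemption to {ANYCONNECT_OBJ}")
    if not split_tunnel_ok(acl_text, subnet):
        missing.append(f"split-tunnel ACL entry for {subnet}")
    return missing
```

Run it once before and once after making the changes; when the list comes back empty the new network is both exempt from NAT and included in the split tunnel.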

Related Articles, References, Credits, or External Links

NA

Cisco ASA 5500 – Adding New ‘Different Range’ Public IP Addresses

KB ID 0001006 

Problem

I got an email at work yesterday;

“Hello Pete
I have asked our ISP to give us two additional real IP addresses so that we can progress the following two projects:

  1. Microsoft DirectAccess
  2. Publishing documents to a web server from our internal DMS.

{ISP Name} have come back and said that they don’t have the next available numbers in our current IP address range, but they do have two other numbers we could have from another range.
Would that cause any problems with regard to the firewall configuration etc.”

I’ve been asked similar questions before and my answer was always, “No let’s get a bigger range and re-ip the public side of the network”. But I was sat next to my usual font of all routing knowledge Steve, so I asked him what he thought. “It will just work, just NAT the traffic on the ASA, and as long as the ISP has set the routing up properly, the ASA will just proxy-arp the new public IP. We’ve done that for a few clients”.

I’ve not done this before, so before I put my neck on the block, I decided to build it in GNS3 to prove the concept.

Solution

1. I’ve already got a few basic Labs built for testing, here is the one I will use for this.

Note the ‘Host’ is really a router (this will become apparent later on). The ASA has a ‘public’ range of 11.11.11.1/29, which gives me 8 IP addresses (6 usable). Let’s assume we have exhausted all of those, and my ISP has given me 111.111.111.0/24 (generous eh!). I want to allocate 111.111.111.111 publicly to my host (because I have OCD and it looks nice).

When I’ve finished I will test that it has worked by opening a TELNET session to my host from its outside IP 111.111.111.111.

2. Let’s make sure that the host can get to the Internet, and then on the ASA observe what public IP address it’s getting.

[box] On the ‘Host’ Router

InsideHost#ping 4.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/164/568 ms
InsideHost#

Observe the results on the ASA

Petes-ASA(config)# show xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside:192.168.1.10/0 to outside:11.11.11.6/41745 flags ri idle 0:00:05 timeout 0:00:30

[/box]

3. Connect to the ASA > Allow telnet traffic to the host > Setup a One-to-One static NAT translation to the new public IP.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp any host 192.168.1.10 eq telnet
Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)# object network OBJ-TELNET-HOST
Petes-ASA(config-network-object)# host 192.168.1.10
Petes-ASA(config-network-object)# nat (inside,outside) static 111.111.111.111
Petes-ASA(config-network-object)# exit
Petes-ASA(config)#

[/box]

4. Allow Telnet on the ‘host’ router.

5. At this point in a live environment you are reliant on your ISP to route those IP addresses to you. Here I’m going to achieve the same by adding a route on the ISP Router, and then (so I can connect to the host) putting a static route on my laptop.

[box]ISP-Router(config)#ip route 111.111.111.0 255.255.255.0 11.11.11.6[/box]

6. Now let’s clear the ‘translations’ on the ASA, and repeat the test we did earlier, hopefully the public IP of our internal host should have changed.

[box] On the ASA

Petes-ASA(config)# clear xlate

On the ‘Host’ Router

InsideHost#ping 4.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/164/568 ms
InsideHost#

Observe the results on the ASA

Petes-ASA(config)# show xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:192.168.1.10 to outside:111.111.111.111
flags s idle 0:00:46 timeout 0:00:00
Petes-ASA(config)#

[/box]

7. Let’s make sure that the correct IP address is being seen. To do that I set up Wireshark to sniff the traffic on the ISP Router’s 11.11.11.1 interface.

8. Then if I ping 4.2.2.2 from the internal host, and view the traffic capture, I should see the traffic coming from 111.111.111.111 (NOT 11.11.11.6).

9. Finally I should now be able to telnet from my laptop to the new public IP.
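As an added check (my own code, not from the article), this Python parses the two show xlate captures from steps 2 and 6 and confirms the inside host has moved from interface PAT on 11.11.11.6 to a static translation to 111.111.111.111, and flags that the new address sits outside the ASA’s own outside range (so reachability depends on the ISP route from step 5). The sample output is constructed from the boxes above and OUTSIDE_NET is assumed from the lab description.

```python
import ipaddress
import re

# Constructed sample output, modelled on the two show xlate captures in the article
XLATE_BEFORE = """1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside:192.168.1.10/0 to outside:11.11.11.6/41745 flags ri idle 0:00:05 timeout 0:00:30
"""
XLATE_AFTER = """1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:192.168.1.10 to outside:111.111.111.111
flags s idle 0:00:46 timeout 0:00:00
"""
OUTSIDE_NET = ipaddress.ip_network("11.11.11.0/29")  # assumed: the ASA outside interface's own range

# Matches "ICMP PAT from inside:A/p to outside:B/q ..." and "NAT from inside:A to outside:B"
XLATE_RE = re.compile(r"^(?:(\w+) )?(NAT|PAT) from (\w+):([\d.]+)(?:/\d+)? to (\w+):([\d.]+)(?:/\d+)?", re.M)

def parse_xlate(text):
    """One dict per translation entry; the flags field may sit on the same line or the next one."""
    entries = []
    for m in XLATE_RE.finditer(text):
        f = re.match(r"\s*flags (\w+)", text[m.end():])
        entries.append({"proto": m.group(1), "kind": m.group(2),
                        "in_ip": m.group(4), "out_ip": m.group(6),
                        "flags": f.group(1) if f else ""})
    return entries

def translation_for(text, inside_ip):
    """Return (public_ip, is_static) for the inside host, or None if it has no active xlate."""
    for e in parse_xlate(text):
        if e["in_ip"] == inside_ip:
            return e["out_ip"], "s" in e["flags"]
    return None

def check_public_ip(text, inside_ip, expected):
    """Classify what the host is currently translated to, relative to the expected new public IP."""
    t = translation_for(text, inside_ip)
    if t is None:
        return "no translation"
    public, static = t
    if public != expected:
        return f"wrong: {'static' if static else 'PAT'} to {public}"
    if ipaddress.ip_address(public) in OUTSIDE_NET:
        return "ok: static, in interface range"
    return "ok: static, off interface range (needs ISP route to the ASA)"
```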


Related Articles, References, Credits, or External Links

NA