Cisco Firepower Access remote site-to-site subnet via Cisco Anyconnect

When a client connects to the HQ via AnyConnect VPN, they can access the HQ local subnet, but can't access the subnet at the remote office, which has a site-to-site connection to the HQ.

Can this be configured via the Cisco Firepower GUI?

Cisco Firepower 1120

Accepted Solution

Configure Site-to-Site VPN on FTD Managed by FDM - Cisco

This guide covers configuring IPsec in FDM.
First step: add the VPN subnet to the IPsec configuration.
A - Objects > Networks > Add New Network

B - Then, in Local Network, add the network we configured in sub-step A.

[image: Screenshot (318).png]

Second step: configure outside,outside NAT.
[image: kkkkk.png]

NOTE: the AnyConnect subnet must also be added to the peer's ACL.

MHM


Replies

Add the AnyConnect VPN subnet to the ACL of the IPsec S2S.

Add a no-NAT rule from your AnyConnect subnet to the remote LAN; the interface pair will be outside,outside.

Try the above two steps and check.

MHM

How can this be done via the GUI?

You mean FDM?

MHM

Yes, I mean FDM.

Do you have an idea how this can be done?

Share the config of the IPsec VPN in FDM.

MHM

It should be in the Policy > NAT section. Also, please note that you would need to configure the remote site to send the traffic destined to the AnyConnect subnet over the site-to-site VPN tunnel, and it also needs to be exempted from NAT.

At the remote site, we use a Meraki MX67

Ok, then you would need to add the AnyConnect subnet to the VPN subnets list in Meraki dashboard.
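For reference, this is the FTD/ASA CLI equivalent of the three changes described in the accepted solution and in the replies above: the extra crypto ACL entry for the AnyConnect pool, the outside,outside NAT exemption, and the matching subnet on the peer. It is an added illustration, not configuration posted in this thread or generated by FDM. The object name AnyConnect_Pool, the ACL name S2S_AAHQ-BRANCH1 and the pool 10.10.10.0/24 are assumed placeholders; AA_Network and Branch1_Network use the values posted earlier in the thread.

```cisco
! Added example: FTD/ASA CLI equivalent of the FDM steps discussed in this thread.
! Assumed names: AnyConnect_Pool, S2S_AAHQ-BRANCH1. The pool 10.10.10.0/24 is a placeholder.
! AA_Network and Branch1_Network use the values posted earlier in the thread.

object network AA_Network
 subnet 192.68.134.0 255.255.255.0
object network Branch1_Network
 subnet 192.168.130.0 255.255.255.0
object network AnyConnect_Pool
 subnet 10.10.10.0 255.255.255.0

! Hairpin: AnyConnect traffic arrives on "outside" and must leave on "outside" again.
! FTD allows intra-interface traffic by default; a classic ASA needs this line.
same-security-traffic permit intra-interface

! Step 1 (FDM "Local Network"): the crypto ACL has to match pool -> branch as well as
! HQ LAN -> branch, otherwise the hairpinned flow is never selected for encryption.
access-list S2S_AAHQ-BRANCH1 extended permit ip object AA_Network object Branch1_Network
access-list S2S_AAHQ-BRANCH1 extended permit ip object AnyConnect_Pool object Branch1_Network

! Step 2 (FDM "NAT Exempt" / Policy > NAT): identity NAT so both flows keep their real
! addresses. Note the (outside,outside) interface pair for the AnyConnect rule.
nat (inside,outside) source static AA_Network AA_Network destination static Branch1_Network Branch1_Network no-proxy-arp route-lookup
nat (outside,outside) source static AnyConnect_Pool AnyConnect_Pool destination static Branch1_Network Branch1_Network no-proxy-arp route-lookup

! Step 3 (peer side): the branch must treat the pool as interesting traffic too.
! On a Meraki MX this is the VPN subnets list in the dashboard; on a Cisco peer it
! would be the mirror ACL entry:  permit ip object Branch1_Network object AnyConnect_Pool
```

To confirm the path from the FTD CLI, run `packet-tracer input outside tcp 10.10.10.5 12345 192.168.130.10 445` (placeholder hosts) and check that the NAT phase hits the outside,outside rule and the VPN phase encapsulates the packet; `show crypto ipsec sa` should then show a separate SA for the pool-to-branch selector with increasing encap/decap counters. If the hub shows encaps but no decaps, the peer is missing the pool from its own subnet list.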

Thank you for your help.

Connection Name: AAHQ-BRANCH1

Type: Policy Based

VPN Access Interfaces: outside (92.246.12.1xx)
Network: AA_Network(192.68.134.0/24)

Peer IP Address: 95.138.217.xx
Peer Network: Branch1_Network(192.168.130.0/24)

IKE Version 2: Disabled

IKE Version 1
IKE Policy: aes-256-pre-share-sha-14
IPSec Proposal: esp-aes-256-esp-sha-hmac-tunnel
Authentication Type: Pre-shared Manual Key

IPSec Settings
Lifetime Duration: 28800 seconds
Lifetime Size: 4608000 kilobytes

Additional Options
NAT Exempt: inside (192.68.134.1)

Diffie-Hellman Group: Null (not selected)

Do you need more from the configuration?


Thank you MHM

I was missing the AnyConnect network in the local network.