AnyConnect clients routing to other sites

unitron79
Level 1

Hello,

 

We have 2 sites connected through a site2site VPN between an ASA5516-X on site1 and ASA5505 on site2. Everything works fine both ways.
Our problem is that an AnyConnect client connected through the ASA5516-X on site1 can’t reach devices on site2.

 

regards,

Manole

1 Accepted Solution

Accepted Solutions

Cristian Matei
VIP Alumni

Hi,

   

1. Ensure that the IP pool/range used by the AnyConnect clients is specified in the crypto ACL on both VPN gateways (if using a crypto map for L2L), or routed via the VTI (if using VTI for L2L).

2. If both the AnyConnect and S2S tunnels are established over the same interface of the ASA, "same-security-traffic permit intra-interface" is required on that ASA.

3. Ensure that the traffic between the AnyConnect IP pool and the protected resources on the far-end side of the S2S tunnel is excluded from NAT on both ASAs: this is done via one or more twice NAT statements.

 

 

Regards,

Cristian Matei.


Hi Matei,

 

thanks for your reply.

I think I have done that now but it is still not working.

I wonder, do I need also some static route in the second ASA to AnyConnect subnet?

 

regards,

Manole

Hi,

 

   Yes, clearly, routing needs to work end-to-end, so the remote ASA needs to route traffic for AnyConnect VPN pool through the tunnel; if you have a default route already for Internet access, it's enough; you just need to ensure that this traffic from and to the AnyConnect pool is included in the encryption domain.

 

Regards,

Cristian Matei.
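The following configuration fragments are an added example, not config from either poster, putting the three points of the accepted answer (crypto ACL, intra-interface hairpin, twice NAT exemption) and the routing point above into ASA CLI for a crypto-map L2L. All addresses and object names (site1 LAN 10.1.0.0/24, site2 LAN 10.2.0.0/24, AnyConnect pool 10.100.0.0/24, ACL name L2L_SITE2) are constructed and must be replaced with your own.

```cisco
! ===== Site1 ASA5516-X (AnyConnect headend and L2L peer) =====
! Constructed values: adjust every subnet and name to your environment.
ip local pool VPN_POOL 10.100.0.1-10.100.0.254 mask 255.255.255.0

object network SITE1_LAN
 subnet 10.1.0.0 255.255.255.0
object network SITE2_LAN
 subnet 10.2.0.0 255.255.255.0
object network ANYCONNECT_POOL
 subnet 10.100.0.0 255.255.255.0

! 1. Encryption domain: the ACL referenced by the crypto map entry for the
!    site2 peer must cover pool -> site2, not only LAN -> site2.
access-list L2L_SITE2 extended permit ip object SITE1_LAN object SITE2_LAN
access-list L2L_SITE2 extended permit ip object ANYCONNECT_POOL object SITE2_LAN

! 2. AnyConnect and the L2L tunnel both terminate on "outside", so decrypted
!    client traffic must be allowed to leave the same interface it arrived on.
same-security-traffic permit intra-interface

! 3. Twice (identity) NAT so pool <-> site2 traffic keeps its real addresses
!    before it is matched against the crypto ACL. Hairpinned traffic is
!    outside->outside; the existing LAN exemption stays inside->outside.
nat (outside,outside) source static ANYCONNECT_POOL ANYCONNECT_POOL destination static SITE2_LAN SITE2_LAN no-proxy-arp route-lookup
nat (inside,outside) source static SITE1_LAN SITE1_LAN destination static SITE2_LAN SITE2_LAN no-proxy-arp route-lookup

! If the AnyConnect group policy uses split tunneling, its split-tunnel ACL
! must also include SITE2_LAN, or clients never send that traffic up the tunnel.

! ===== Site2 ASA5505 (L2L peer) =====
object network SITE2_LAN
 subnet 10.2.0.0 255.255.255.0
object network SITE1_LAN
 subnet 10.1.0.0 255.255.255.0
object network ANYCONNECT_POOL
 subnet 10.100.0.0 255.255.255.0

! 1. Mirror-image crypto ACL, also listing the AnyConnect pool.
access-list L2L_SITE1 extended permit ip object SITE2_LAN object SITE1_LAN
access-list L2L_SITE1 extended permit ip object SITE2_LAN object ANYCONNECT_POOL

! 3. NAT exemption for LAN <-> pool (no hairpin on this side).
nat (inside,outside) source static SITE2_LAN SITE2_LAN destination static ANYCONNECT_POOL ANYCONNECT_POOL no-proxy-arp route-lookup

! Routing: an existing default route already sends 10.100.0.0/24 towards
! "outside", where the crypto map picks it up; add a static route only if a
! more specific route would steer the pool elsewhere.
route outside 0.0.0.0 0.0.0.0 <SITE2_NEXT_HOP_PLACEHOLDER> 1
```

After applying it, "show crypto ipsec sa peer <site2 address>" on site1 should list a separate SA pair for the pool/site2 proxy identities; if only the LAN/site2 pair appears, the pool traffic is still being dropped or translated before encryption.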


@Cristian Matei wrote:

..so the remote ASA needs to route traffic for AnyConnect VPN pool through the tunnel;..

Hi Cristian,

 

How do I do that? My Cisco knowledge is limited.

 

thanks,

Manole

 

I played a bit with the crypto map options and it is working now.

thanks
