03-26-2020 04:17 AM
Hello,
We have 2 sites connected through a site2site VPN between an ASA5516-X on site1 and ASA5505 on site2. Everything works fine both ways.
Our problem is that an AnyConnect client connected through the ASA5516-X on site1 can't reach devices on site2.
regards,
Manole
03-26-2020 05:03 AM
Hi,
1. Ensure that the IP pool/range used by the AnyConnect clients is specified in the crypto-ACL on both VPN gateways (if using crypto map for L2L), or routed via VTI (if using VTI for L2L).
2. If both AnyConnect and S2S tunnels are established over the same interface of the ASA, the "same-security-level permit intra-interface" is required on that ASA.
3. Ensure that the traffic between the AnyConnect IP pool and protected resources on the far-end side of the S2S tunnel is excluded from NAT, on both ASAs: this is done via one or more twice NAT statements.
Regards,
Cristian Matei.
03-26-2020 06:01 AM
Hi Matei,
thanks for your reply.
I think I have done that now, but it is still not working.
I wonder, do I also need a static route on the second ASA to the AnyConnect subnet?
regards,
Manole
03-26-2020 01:59 PM
Hi,
Yes, clearly, routing needs to work end-to-end, so the remote ASA needs to route traffic for AnyConnect VPN pool through the tunnel; if you have a default route already for Internet access, it's enough; you just need to ensure that this traffic from and to the AnyConnect pool is included in the encryption domain.
Regards,
Cristian Matei.
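The three points from the first reply plus the routing note above, put together as an added example configuration (not posted by anyone in the thread). All addresses are constructed: site1 LAN 10.1.0.0/24, site2 LAN 10.2.0.0/24, AnyConnect pool 10.99.0.0/24, outside peers 203.0.113.1 (site1) and 203.0.113.2 (site2), crypto map named outside_map, interfaces named inside and outside; the IKE policy, transform-set and tunnel-group lines of the already-working L2L tunnel are omitted.

```cisco
! ---------- Site1: ASA5516-X (AnyConnect headend and L2L peer) ----------
object network SITE1-LAN
 subnet 10.1.0.0 255.255.255.0
object network SITE2-LAN
 subnet 10.2.0.0 255.255.255.0
object network ANYCONNECT-POOL
 subnet 10.99.0.0 255.255.255.0
ip local pool AC-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
!
! Step 1: the crypto ACL must carry the AnyConnect pool, not only the local LAN,
! otherwise client traffic to site2 never enters the L2L encryption domain.
access-list L2L-SITE2 extended permit ip object SITE1-LAN object SITE2-LAN
access-list L2L-SITE2 extended permit ip object ANYCONNECT-POOL object SITE2-LAN
crypto map outside_map 10 match address L2L-SITE2
crypto map outside_map 10 set peer 203.0.113.2
!
! Step 2: both tunnels terminate on "outside", so decrypted AnyConnect traffic
! must be allowed to leave the same interface it arrived on (hairpin).
same-security-traffic permit intra-interface
!
! Step 3: twice NAT exemption for pool <-> site2; the interface pair is
! (outside,outside) because the flow enters and exits on "outside".
nat (outside,outside) source static ANYCONNECT-POOL ANYCONNECT-POOL destination static SITE2-LAN SITE2-LAN no-proxy-arp route-lookup

! ---------- Site2: ASA5505 (far end of the L2L tunnel) ----------
object network SITE2-LAN
 subnet 10.2.0.0 255.255.255.0
object network SITE1-LAN
 subnet 10.1.0.0 255.255.255.0
object network ANYCONNECT-POOL
 subnet 10.99.0.0 255.255.255.0
!
! Step 1 (mirror): the far-end crypto ACL must match the pool as a destination.
access-list L2L-SITE1 extended permit ip object SITE2-LAN object SITE1-LAN
access-list L2L-SITE1 extended permit ip object SITE2-LAN object ANYCONNECT-POOL
crypto map outside_map 10 match address L2L-SITE1
crypto map outside_map 10 set peer 203.0.113.1
!
! Step 3 (mirror): exempt LAN <-> pool traffic from the outbound PAT.
nat (inside,outside) source static SITE2-LAN SITE2-LAN destination static ANYCONNECT-POOL ANYCONNECT-POOL no-proxy-arp route-lookup
!
! Routing: a default route already sends 10.99.0.0/24 out "outside", where the
! crypto map picks it up, so no extra route is needed. Only if there is no
! default route would a specific route to the (constructed) ISP gateway be required:
! route outside 10.99.0.0 255.255.255.0 203.0.113.254 1
```

To confirm the pool is in the encryption domain, ping a site2 host from a connected client and check `show crypto ipsec sa peer 203.0.113.2` on site1: a child SA with local ident 10.99.0.0/24 and remote ident 10.2.0.0/24 should appear with non-zero encaps/decaps counters.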
03-27-2020 03:04 AM
@Cristian Matei wrote: "...so the remote ASA needs to route traffic for AnyConnect VPN pool through the tunnel..."
Hi Cristian,
How do I do that? My Cisco knowledge is limited.
thanks,
Manole
03-27-2020 04:36 AM
I played a bit with the crypto map options and it is working now.
thanks