08-03-2018 01:05 PM - edited 02-21-2020 08:03 AM
Hello,
I have a site-to-site VPN between two remote sites which is working as expected. LAN subnets at both sites are allowed for access over the VPN. I would like to be able to access the remote site when connecting remotely via AnyConnect to the local site. And so to achieve this, I have:
- Configured a NAT rule to NAT the AnyConnect range to an unused range when the destination is the subnet of the remote end of the VPN tunnel. This means that in my NAT rule, the source interface is OUTSIDE and the destination interface is also OUTSIDE.
- Configured an access-list to allow the AnyConnect range outbound access
- Enabled 'same-security permit intra-interface' traffic
- Added the unused range I'm NAT'ing to the crypto maps at both ends of the tunnel and verified the remote end is configured to route traffic for this 'unused' subnet via the VPN tunnel
I'm able to connect successfully to the remote site from the internal LAN on the local end. However, when testing from the AnyConnect range, it fails.
- I see ICMP traffic hit the firewall but it doesn't seem to go any further
- When testing TCP traffic, I just get a SYN timeout from the ASA logs
- It doesn't even seem to get to the stage of traversing the VPN tunnel, as the VPN tunnel doesn't come up even if I leave continuous pings running (I cleared the VPN tunnel to ensure it was down before testing from the AnyConnect range)
- Traceroute fails from the first hop
When I use the packet-tracer utility on ASDM, it shows the flow is allowed, showing the correct NAT translations, the correct policy and confirming it goes over the VPN. But testing from an actual machine, I get nothing.
Any thoughts on what could be blocking this?
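As an added illustration (not the poster's own configuration), this is what the steps described above look like on ASA CLI, with constructed example subnets and object names; the address ranges, object names and ACL name are assumptions to be replaced with your own:

```text
! Constructed example addresses; substitute your own pool, NAT range and remote LAN.
object network ANYCONNECT_POOL
 subnet 10.10.10.0 255.255.255.0        ! addresses handed out to AnyConnect clients
object network ANYCONNECT_L2L_NAT
 subnet 10.10.20.0 255.255.255.0        ! unused range the clients appear as inside the tunnel
object network REMOTE_LAN
 subnet 192.168.50.0 255.255.255.0      ! LAN behind the remote VPN peer

! Step 1: twice NAT from OUTSIDE to OUTSIDE (the client both enters and leaves on OUTSIDE).
! A static 1:1 mapping of two equal-sized subnets keeps the remote side's return path simple.
nat (outside,outside) source static ANYCONNECT_POOL ANYCONNECT_L2L_NAT destination static REMOTE_LAN REMOTE_LAN

! Step 2 only matters if 'no sysopt connection permit-vpn' is set or a vpn-filter is applied;
! by default decrypted VPN traffic bypasses the interface ACL. Also confirm the remote LAN is
! in the group policy's split-tunnel ACL, otherwise the client never sends it to the ASA.

! Step 3: traffic arriving and leaving on the same interface is dropped without this.
same-security-traffic permit intra-interface

! Step 4: the crypto ACL must match the TRANSLATED source, not the raw client pool.
access-list OUTSIDE_CRYPTOMAP extended permit ip object ANYCONNECT_L2L_NAT object REMOTE_LAN
! The remote peer's mirror ACL must permit 192.168.50.0/24 -> 10.10.20.0/24 and actually be
! committed/applied to its running configuration.

! Checks: packet-tracer shows the NAT and VPN phases for a simulated client packet; the SA
! counters show whether real traffic is encapsulated at all (stuck at 0 means it never enters the tunnel).
packet-tracer input outside icmp 10.10.10.5 8 0 192.168.50.10 detailed
show nat detail
show crypto ipsec sa peer <remote-peer-ip> | include pkts
```

If packet-tracer succeeds but the encap counters stay at zero, the mismatch is usually on the remote side's crypto ACL or routing for the NAT range rather than on the local ASA.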
08-03-2018 08:53 PM
08-04-2018 08:00 AM
Hi Francesco,
Thanks for getting back to me. I have now resolved this. It turned out to be a human issue and not a firewall issue unfortunately. The person configuring the remote end had added the new subnet but did not commit the change (as required with that firewall vendor) and so it was not applied to the running config.
08-05-2018 02:45 PM