I have an ASA 55xx that I'm using as a VPN concentrator.
I have a need where one of the SSL VPN clients needs to be able to go through the IPsec tunnel. Both are configured on that same ASA, and both are functioning. I already have same-security-traffic permit intra-interface as part of my config.
So essentially IPsec can get to internal resources, internal resources can get to remote resources through IPsec, and the SSL VPN client can get to internal resources, but the SSL VPN client can't get to resources over the IPsec tunnel.
I added the VPN client IP into the existing object group and that did the trick. The object-group is being used for NAT and ACLs.
Is there a way for me to limit what the SSL VPN can access over IPsec? I re-used the internal resources object-group, which gives access to the entire subnet.
First: If you have NAT statements on your firewall, you will need to configure a twice NAT / NAT exempt for the AnyConnect traffic to the remote subnet.
Second: You need to add your AnyConnect subnet to the Site 2 Site VPN crypto ACL at both ends of the Site 2 Site VPN.
Third: If you are using split tunneling in your AnyConnect you would need to add the remote site IP subnet to the split tunnel ACL.
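The three steps above, plus the "limit what the SSL VPN can access" question from the original post, as one added ASA configuration example. This is not config from the thread or from Cisco; all addresses, object, ACL, crypto-map and group-policy names are constructed, and it assumes ASA 8.3+ NAT syntax with both the AnyConnect and the site-to-site tunnel terminating on the interface named outside.

```text
! Added example, constructed values (not from the original post):
!   inside network        10.10.0.0/16     internal resources
!   AnyConnect VPN pool   10.20.20.0/24    SSL VPN client addresses
!   remote site subnet    192.168.50.0/24  behind the site-to-site peer
!   site-to-site peer     203.0.113.1, crypto map OUTSIDE_MAP sequence 10
same-security-traffic permit intra-interface

object network INSIDE_NET
 subnet 10.10.0.0 255.255.0.0
object network ANYCONNECT_POOL
 subnet 10.20.20.0 255.255.255.0
object network REMOTE_SITE_NET
 subnet 192.168.50.0 255.255.255.0
object-group network L2L_LOCAL_NETS
 network-object object INSIDE_NET
 network-object object ANYCONNECT_POOL

! First: identity (twice) NAT so client-to-remote traffic is exempt from the
! outside PAT rule. The flow hairpins outside -> outside, hence intra-interface.
nat (outside,outside) source static ANYCONNECT_POOL ANYCONNECT_POOL destination static REMOTE_SITE_NET REMOTE_SITE_NET no-proxy-arp route-lookup

! Second: the crypto ACL must cover the pool as well as the inside network.
! The peer's crypto ACL has to be the exact mirror (its subnet -> 10.10.0.0/16
! and its subnet -> 10.20.20.0/24), or the SA for the pool never comes up.
access-list L2L_CRYPTO extended permit ip object-group L2L_LOCAL_NETS object REMOTE_SITE_NET
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1

! Third: split tunneling must send the remote subnet into the client tunnel.
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 192.168.50.0 255.255.255.0

! Least privilege: the crypto ACL and the re-used object-group allow the whole
! remote subnet, so restrict the client with a vpn-filter on its group policy.
! Remote-access vpn-filter ACLs are written with the client address as source;
! the ASA applies them to return traffic as well.
access-list ANYCONNECT_FILTER extended permit tcp object ANYCONNECT_POOL host 192.168.50.25 eq 443
access-list ANYCONNECT_FILTER extended permit ip object ANYCONNECT_POOL object INSIDE_NET
! Implicit deny drops everything else, including the rest of 192.168.50.0/24.

group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value ANYCONNECT_FILTER

! Verify (constructed client address 10.20.20.5):
!   packet-tracer input outside tcp 10.20.20.5 40000 192.168.50.25 443
!   show crypto ipsec sa peer 203.0.113.1
```

Two things worth checking after applying this: packet-tracer should show the identity NAT rule being hit and the flow leaving via the VPN phase, and show crypto ipsec sa should list a separate SA for 10.20.20.0/24 to 192.168.50.0/24. Because the vpn-filter is the only control that is not mirrored on the peer, it is also the place to keep the allow-list of remote hosts and ports per client group, rather than widening the shared object-group.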