05-20-2014 07:54 AM - edited 03-11-2019 09:13 PM
Hello all gurus,
Today I came across a scenario that I am having a little bit of a hard time understanding again. The problem is that I have a network in which we are running a VPN between two cities' datacenters. Both use 3 VLANs, like:
In Chicago
10.12.10.x, 10.12.7.x and 10.12.150.x
In Atlanta
10.22.10.x, 10.22.7.x and 10.22.150.x
My VPN users are able to connect to Atlanta with AnyConnect without any problem. But when they have to access Chicago, they first disconnect the VPN and then reconnect to the Chicago ASA to get access to those servers, even though there is a VPN tunnel running between Chicago and Atlanta, and I am able to access the management subnet, which is 10.x.7.x, but not the other production subnets.
Can anyone help me understand what I have to check and what makes this work? I would really appreciate any links to documents as well that show me how to do it.
Regards,
Atif
05-24-2014 01:58 AM
Hi,
Reading your post, I have an idea. If I understand correctly, there are 2 RA VPN sites (Chicago & Atlanta). There is also an L2L IPsec tunnel between Chicago & Atlanta. Everything (RA and L2L) has to be working, because you are able to reach the management subnet in Atlanta from Chicago (please correct me if anything is wrong).
Now, a few questions:
- management subnet - is there any NAT used in the configuration in conjunction with this subnet?
- can you post the crypto map of the L2L?
- what are the IP pools for RA VPN @ Chicago and Atlanta?
I assume the production servers are able to reach the internet, so there is some kind of NAT (because your addresses are RFC 1918).
My main idea is that there should be a NAT exemption on traffic from Chicago to the RA VPN at Atlanta (and vice versa).
Please answer the questions and we can continue.
HTH
Pavel
05-25-2014 12:49 AM
Hi Atif,
Check for the following:
- That you have issued the command "same-security-traffic permit intra-interface" - since AnyConnect user traffic will be hairpinning on the ASA outside interface on the Atlanta firewall
- That the Chicago IP address pools you wish to access are in the split-tunnel ACL under the SSL group policy in Atlanta
- That the pair AnyConnect SSL IP pool - Chicago IP address pools is in the IPsec crypto ACL for the ASA in Atlanta
- That the pair Chicago IP address pools - AnyConnect SSL IP pool is in the IPsec crypto ACL for the ASA in Chicago
- Make sure you have properly NAT-exempted the appropriate subnets in each ASA
Radu
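The checklist above, written out as an added ASA configuration example (this is not configuration posted by anyone in the thread). It uses the Chicago and Atlanta subnets from the original question; everything else is assumed: ASA 8.3+ object NAT syntax, interface names "inside" and "outside", an AnyConnect pool of 10.22.200.0/24 on the Atlanta ASA, object and ACL names, and a placeholder for the Chicago peer address. Only the lines that each checklist item touches are shown; the rest of the crypto map and tunnel-group configuration is left as it already is.

```cisco
! ===== Atlanta ASA (assumed names; pool 10.22.200.0/24 is constructed) =====

! 1. AnyConnect traffic enters and leaves on "outside"; allow the hairpin
same-security-traffic permit intra-interface

ip local pool RA-POOL 10.22.200.1-10.22.200.254 mask 255.255.255.0

object-group network ATL-NETS
 network-object 10.22.10.0 255.255.255.0
 network-object 10.22.7.0 255.255.255.0
 network-object 10.22.150.0 255.255.255.0
object-group network CHI-NETS
 network-object 10.12.10.0 255.255.255.0
 network-object 10.12.7.0 255.255.255.0
 network-object 10.12.150.0 255.255.255.0
object network RA-POOL-NET
 subnet 10.22.200.0 255.255.255.0

! 2. Split-tunnel ACL must carry the Chicago subnets too, or the client
!    never sends that traffic into the tunnel
access-list SPLIT-TUNNEL standard permit 10.22.10.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.22.7.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.22.150.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.12.10.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.12.7.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.12.150.0 255.255.255.0
group-policy SSL-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 3. L2L crypto ACL: RA pool -> Chicago must be a proxy ID, not only LAN -> LAN
access-list L2L-CHI extended permit ip object-group ATL-NETS object-group CHI-NETS
access-list L2L-CHI extended permit ip object RA-POOL-NET object-group CHI-NETS
crypto map OUTSIDE-MAP 10 match address L2L-CHI
crypto map OUTSIDE-MAP 10 set peer CHICAGO-ASA-PUBLIC-IP-PLACEHOLDER

! 5. NAT exemption for both flows; note (outside,outside) for the hairpinned pool
nat (inside,outside) source static ATL-NETS ATL-NETS destination static CHI-NETS CHI-NETS no-proxy-arp route-lookup
nat (outside,outside) source static RA-POOL-NET RA-POOL-NET destination static CHI-NETS CHI-NETS no-proxy-arp route-lookup

! ===== Chicago ASA (mirror image) =====
object-group network CHI-NETS
 network-object 10.12.10.0 255.255.255.0
 network-object 10.12.7.0 255.255.255.0
 network-object 10.12.150.0 255.255.255.0
object-group network ATL-NETS
 network-object 10.22.10.0 255.255.255.0
 network-object 10.22.7.0 255.255.255.0
 network-object 10.22.150.0 255.255.255.0
object network ATL-RA-POOL-NET
 subnet 10.22.200.0 255.255.255.0

! 4. Crypto ACL must match the Atlanta side exactly, including the RA pool
access-list L2L-ATL extended permit ip object-group CHI-NETS object-group ATL-NETS
access-list L2L-ATL extended permit ip object-group CHI-NETS object ATL-RA-POOL-NET
crypto map OUTSIDE-MAP 10 match address L2L-ATL
crypto map OUTSIDE-MAP 10 set peer ATLANTA-ASA-PUBLIC-IP-PLACEHOLDER

! 5. NAT exemption towards the Atlanta RA pool as well as the Atlanta LANs
nat (inside,outside) source static CHI-NETS CHI-NETS destination static ATL-NETS ATL-NETS no-proxy-arp route-lookup
nat (inside,outside) source static CHI-NETS CHI-NETS destination static ATL-RA-POOL-NET ATL-RA-POOL-NET no-proxy-arp route-lookup
```

The symptom in the question (management 10.x.7.x reachable, production subnets not) is what a partial crypto ACL or NAT exemption looks like: only the proxy IDs that both peers agree on come up, and `show crypto ipsec sa` on either ASA will list exactly which local/remote pairs have an SA. The NAT exemption has to be the first matching rule on each ASA, ahead of any dynamic PAT to the internet, or the pool addresses are translated before they reach the tunnel.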