Access a network through a site-to-site VPN with AnyConnect

Dear users,

Situation:

On the left I've got an ASA (asaL) and on the right I've got another one (asaR).

These ASAs are connected to each other using a site-to-site VPN.

I can access a network on asaR when I am behind the firewall of asaL.

However, when I am connected to asaR using the AnyConnect VPN client and try to connect to a network on asaL, it fails.

So the tunnel seems to be OK, but when AnyConnect comes into the picture it fails.

Looking forward to your suggestions.

Thanks in advance.

Kind regards,

Fabian

3 Replies

Richard Burts
Hall of Fame

Fabian

There are several things that could produce the symptoms that you describe, and you have not given us enough information to know which of them it might be. Let me describe some of them and hope that you can figure it out; otherwise you will need to provide details of how one or both ASAs are configured.

1) It might be in the configuration of the site-to-site tunnel. There is an access list which determines what traffic goes through the VPN, and if the address pool of AnyConnect is not included in that access list then AnyConnect would not be able to go through the VPN tunnel.

2) It might be in the configuration of AnyConnect, especially if you configure it to use split tunneling. If it does use split tunneling, then you identify what network resources AnyConnect will send through its encrypted tunnel. If the networks of asaR are not included in the list of AnyConnect on asaL, then AnyConnect will not go through the site-to-site tunnel.

3) If it does not seem to be either of the issues above, then it might be that the packet arrives on the public interface of the ASA and needs to be forwarded back out the same interface to use the site-to-site VPN. That is not allowed by default, and you may need to enable same-security-level traffic intra-interface.

HTH

Rick

Dear Rick,

  1. This network is added, so this one is correct.
  2. This one is also set correctly.
  3. This one is also correct.

Maybe this error from the logging will help you:

5 May 24 2016 06:41:05 305013 172.24.0.2 61289 8.8.4.4 53 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:172.24.0.2/61289(LOCAL\optimezers) dst outside:8.8.4.4/53 denied due to NAT reverse path failure

Looking forward to hearing from you.

Kind regards,

Fabian

Fabian

Thank you for clarifying that none of the possible issues that I suggested are involved in your issue. The log message is quite helpful. It clarifies that the issue is an inconsistency in NAT. What frequently happens is that a network is included in the access list for the site-to-site VPN, but that network's traffic going over the VPN is not exempted from address translation. Since we do not know the details of your situation we cannot know if this is the issue, but it is where I suggest that you start looking.

HTH

Rick
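The three checks from Rick's first reply (crypto ACL, split-tunnel list, intra-interface hairpin) and the NAT-exemption point from his second reply, pulled together into one ASA 8.3+ configuration for both boxes. This is an added example for readers of the thread, not configuration from Fabian, Rick or Cisco. Everything in it is an assumption except the pool address family: the thread only shows that the AnyConnect client got 172.24.0.2. The LAN prefixes (10.1.0.0/24 behind asaL, 10.2.0.0/24 behind asaR), object names, ACL names, crypto map name, peer address 203.0.113.1 and transform set are all made up for illustration.

```cisco
! ===== asaR: AnyConnect headend, site-to-site peer of asaL =====
! Assumed addressing (not from the thread): LAN behind asaL 10.1.0.0/24,
! LAN behind asaR 10.2.0.0/24, AnyConnect pool 172.24.0.0/24.
object network LAN_L
 subnet 10.1.0.0 255.255.255.0
object network LAN_R
 subnet 10.2.0.0 255.255.255.0
object network AC_POOL
 subnet 172.24.0.0 255.255.255.0
ip local pool AC_POOL_RANGE 172.24.0.2-172.24.0.254 mask 255.255.255.0

! Check 3: client packets arrive on outside and must leave on outside
! toward asaL, so hairpinning on a single interface has to be allowed.
same-security-traffic permit intra-interface

! Check 1: the crypto ACL must list the AnyConnect pool as a source,
! not only LAN_R; otherwise pool traffic is never matched for encryption.
access-list L2L_TO_ASAL extended permit ip object LAN_R object LAN_L
access-list L2L_TO_ASAL extended permit ip object AC_POOL object LAN_L
crypto map OUTSIDE_MAP 10 match address L2L_TO_ASAL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA

! Check 2: the split-tunnel list pushed to the client must include the
! remote LAN, or the client sends 10.1.0.0/24 out its local gateway.
access-list AC_SPLIT standard permit 10.2.0.0 255.255.255.0
access-list AC_SPLIT standard permit 10.1.0.0 255.255.255.0
group-policy AC_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AC_SPLIT
 address-pools value AC_POOL_RANGE

! NAT exemption (identity NAT): pool<->LAN_L and LAN_R<->LAN_L keep their
! real addresses in both directions. Manual NAT is evaluated top down,
! so the rules are pinned with explicit line numbers to sit ahead of
! any broader dynamic PAT rule.
nat (outside,outside) 1 source static AC_POOL AC_POOL destination static LAN_L LAN_L no-proxy-arp route-lookup
nat (inside,outside) 2 source static LAN_R LAN_R destination static LAN_L LAN_L no-proxy-arp route-lookup

! Weak form, shown commented out: a dynamic PAT for hairpinned client
! traffic that sits ABOVE the exemption. The forward flow toward LAN_L is
! then translated to the outside interface address while the reverse
! flow matches a different rule, which the ASA drops with the same
! 305013 "Asymmetric NAT rules matched" message seen in the thread.
! nat (outside,outside) source dynamic AC_POOL interface

! ===== asaL: mirror the crypto ACL and exempt NAT toward the pool =====
object network LAN_L
 subnet 10.1.0.0 255.255.255.0
object-group network REMOTE_VIA_ASAR
 network-object 10.2.0.0 255.255.255.0
 network-object 172.24.0.0 255.255.255.0
access-list L2L_TO_ASAR extended permit ip object LAN_L object-group REMOTE_VIA_ASAR
crypto map OUTSIDE_MAP 10 match address L2L_TO_ASAR
nat (inside,outside) 1 source static LAN_L LAN_L destination static REMOTE_VIA_ASAR REMOTE_VIA_ASAR no-proxy-arp route-lookup
```

To confirm which rule a pool address actually hits on asaR, run `packet-tracer input outside icmp 172.24.0.2 8 0 10.1.0.10 detailed` and read the NAT phase (it should name the identity rule) and the final phase (it should show the packet being encrypted for the site-to-site peer rather than dropped). `show nat detail` lists the manual NAT rules in evaluation order with hit counts, and `show crypto ipsec sa peer 203.0.113.1` should show a separate SA for 172.24.0.0/24 to 10.1.0.0/24 once the crypto ACL entry is in place; the asaL side needs the mirrored crypto ACL and the identity NAT toward the pool, or the return traffic fails the same way.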