Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
480
Views
0
Helpful
2
Replies

AnyConnect through Site to Site Where to look for packets because its not working help

Wan_Whisperer
Level 1
Level 1

‎03-31-2020 07:56 AM - edited ‎04-01-2020 12:07 PM

I have a home office where a user on IP adders 10.4.4.0/24 has no Issue going through a site to site VPN accessing Site 2.s IPs like 172.21.0.0/23 and XXX.XXX.80.0/24 and all other IPs located at Site 2 

 

now for the issue:

 

A user at home connected to the home office Via AnyConnect on an IP address of 10.4.4.0/24 can not access some Site 2 IPs lP 172.21.0.0/23 but can access all IPs that are not NATted.

 

The home office VPN is on the ASA and Site 2's VPN endpoint is on an IOS device.  I tried to use packet capture on the ASA but nothing shows up on the exit interface, I do see why it would not show up because it tunneled.   How can monitor traffic going through the VPN?    I put an ACL on two different interfaces; one interface is the one that has the crypto map on it the other interface leads to the core device.  I do not see any packets with a source or destination IP that I am trying to reach.  What is happening?

 

 

Please be detailed so I can learn from this.

 

Thanks for helping.

Labels:
Preview file
25 KB
0 Helpful
2 Replies 2

Cristian Matei
VIP Alumni
VIP Alumni

‎04-02-2020 02:42 AM

Hi,

 

   Can you specify how devices are connected, where is the S2S tunnel terminated and where is AC terminated? Which IP's get NAT'ed and which don't?

   For example something like ROUTER(.1)----10.10.10.0/24-----(.2)ASA(.2)-----12.12.12.0/24------(.10)ROUTER

 

Regards,

Cristian Matei.

    

0 Helpful

Wan_Whisperer
Level 1
Level 1
In response to Cristian Matei

‎04-02-2020 05:40 AM

Thanks for your reply.   I want to access 172.21.0/23 from my house using AnyConnect...

 

user at home.(AnyConnect VPN IP 10.4.4.221) public ip X.X.X.X----Homeoffice Termination point for AnyConnect X.X.73.59

 

Then

 

Homeoffice Site to Site (ASA origination IP X.X.73.59)------to ASR (IP X.X.0.226)

 

I put an ACL on "ASR (IP X.X.0.226)" and I do not see any interesting traffic.  I really did not expect to because it would be encrypted.  Then on the same device I put an ACL on the interface leading to the core, still no interesting traffic.

 

Just to reiterate:

 

I have a home office where a user on IP adders 10.4.4.0/24 has no Issue going through a site to site VPN accessing Site 2.s IPs like 172.21.0.0/23 and XXX.XXX.80.0/24 and all other IPs located at Site 2 

 

 

Because of this I believe it something on my ASA at my home office.

 

Please help my Boss is getting aggravated with me. 

 

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card