Re: Flex Anyconnect vpn and site to site VPN - Page 3

MriduD · ‎05-13-2024

Hello all, I need your help to come up with a solution.

A user is connected remotely to host location via flex Anyconnect remote vpn(vpn pool - 172.17.1.1 to 172.17.1.40). And also, there is a site to site VPN between the host location(192.168.1.0/24) and branch location(192.168.2.0/24). He wants to print out of a printers at192.168.2.19,.20,21,22) which are in branch location. Both locations have Cisco iosxe routers. How do I achieve it? Please help me with the routes.

MHM Cisco World · ‎05-29-2024

in Anyconnect
show route
did you see the route of printer ?

in Main site show ip route
did you see the route of printer ?

MHM

MriduD · ‎05-31-2024

Hi Sir..

No.. there are routes configured since it is a policy based VPN.

when I added 'Ip route 192.168.2.0 255.255.255.0 g0/0/0' to the main site router, communication between the main site and branch stopped working.

I'll try again. Is policy based VPN the issue? Should I configure a route based VPN between the sites?

MHM Cisco World · ‎06-01-2024

No.. there are routes configured since it is a policy based VPN.<<- you meaning in Main there is no routing toward branch for printer subnet ? that not work
even if it policy-based VPN it need routing.
and I dont get why when you add static route in main toward branch for printer subnet the connection down ?

MHM

MriduD · ‎06-01-2024

Yeah if you check the config file. Only default routes are configured on both the routers. But, site to site VPN is working. Printer subnet is nothing but the branch subnet. I'll add the routes again that you suggested.

Main -

Ip route (branch subnet/printer subnet) peer ip

Branch :

Ip route ( remote anyconnect vpn pool ip subnet) peer ip

Ip route (main site subnet) peer ip

Plz correct me if I am wrong

MHM Cisco World · ‎06-01-2024

Yeah if you check the config file. Only default routes are configured on both the routers. But, site to site VPN is working. Printer subnet is nothing but the branch subnet. I'll add the routes again that you suggested. <<- if there is default route in Main then also that OK
can I see show ip route
what is the IP of virtual access of Main site is it in same subnet of Anyconnect Pool ?

If yes

try ping from main site to printer subet using virtual access IP as source of ping
if success let me know

MHM

MriduD · ‎06-02-2024

#sh ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 208.46.64.18 YES NVRAM up up
GigabitEthernet0/0/1 unassigned YES NVRAM down down
GigabitEthernet0/1/0 unassigned YES unset up up
GigabitEthernet0/1/1 unassigned YES unset down down
GigabitEthernet0/1/2 unassigned YES unset down down
GigabitEthernet0/1/3 unassigned YES unset up up
Loopback1 10.10.10.1 YES NVRAM up up
Loopback2 10.11.11.1 YES NVRAM up up
Virtual-Access5 10.10.10.1 YES unset up up
Virtual-Template1 10.10.10.1 YES unset up down
Virtual-Template2 10.11.11.1 YES unset up down
Vlan1 26.1.1.1 YES NVRAM up up
DenverHostTS#sh run | i pool
crypto pki certificate pool
pool VPNPOOL
pool VPN-POOL
ip local pool VPNPOOL 172.16.7.1 172.16.7.40

Pool ips and virtual access ips are different.

MriduD · ‎06-02-2024

@MHM Cisco World Hello Sir, I implemented these routes on main and branch routers. And I was able to ping the printer ip addresses and the LAN gateway of the branch. I have asked the client to test it from his side. Once he confirms, I shall let you know.