
Flex Anyconnect vpn and site to site VPN

MriduD
Level 1

Hello all, I need your help to come up with a solution.

A user is connected remotely to the host location via Flex AnyConnect remote VPN (VPN pool 172.17.1.1 to 172.17.1.40). There is also a site-to-site VPN between the host location (192.168.1.0/24) and the branch location (192.168.2.0/24). He wants to print to printers at 192.168.2.19, .20, .21 and .22, which are in the branch location. Both locations have Cisco IOS-XE routers. How do I achieve this? Please help me with the routes.


balaji.bandi
Hall of Fame

As long as the printer is able to be pinged from the remote VPN end host, you should be able to achieve this. Some printers require NetBIOS.

Allow the printers' interesting traffic in the site-to-site VPN ACL, and whatever ports are required; some printers need more ports. Generally I used port 9100, which worked.

Also make sure you allowed the remote VPN subnet in the site-to-site VPN to reach the printer.

If there is still an issue, enable debug to troubleshoot by issuing a print job.


BB


Thank you, Balaji. Currently, in the site-to-site crypto ACL I have "permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255".

As suggested by you, I'll add "permit ip 172.17.1.0 0.0.0.255 192.168.2.0 0.0.0.255" in the host router and "permit ip 192.168.2.0 0.0.0.255 172.17.1.0 0.0.0.255".

I had thought of the same solution but I was not sure. I shall make the changes and see if the change fixes the issue.

I allowed the remote VPN pool subnet in the crypto ACL of the site-to-site VPN. I added the branch subnet to the remote VPN ACL. In the AnyConnect app, when I click on the Routes section, the branch subnet shows up, but I am unable to ping the printer. I am working on it. Maybe I have missed something. Would you like to check the config?

Share the config let me check it

MHM

Please check.

There are some things I want to check further in the main config but I notice something in the branch config that I want to ask about. You have a static route for 172.16.7.0 with a next hop of 26.1.1.1. 26.1.1.0 is not a locally connected network and there is not a specific route for 26.1.1.0. If the router is ultimately going to use its default route why not just let the static route handle it (why have this static route)?

HTH

Rick

Thanks for rectifying my mistake. But, I think I pasted the wrong config. That route isn't there now. 

In looking further at the config of the branch, you have an ACL "ip access-list extended OutsideToInsideACL" which has a permit for 26.1.1.0 to 192.168.2.0. I believe that you need to add a statement which permits 172.16.7.0 to 192.168.2.0.

HTH

Rick

Sure, Sir. I'll add that. I'll update you.

AnyConnect -> Host location -> s2s IKEv2 -> Branch -> Printer?
Is this the flow you are looking for?

MHM

Yes, Sir.

Is the printer IP allowed in the ACL of the s2s IKEv2?

MHM

Not specifically the printer IP, but the entire branch subnet. Should I try permitting only the printer IP addresses?

The main site and branch routers' configurations are attached to this thread.
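Putting the thread's suggestions together as an added IOS-XE example (this is not the poster's attached configuration): the crypto ACL gains the AnyConnect pool on both ends, the FlexVPN split-tunnel ACL gains the branch subnet, and the branch's OutsideToInsideACL admits only the printers' raw-print port from the pool. The ACL names S2S-CRYPTO-ACL, FLEX-SPLIT-ACL and the authorization policy name FLEX-AUTHZ are assumed; OutsideToInsideACL, the subnets and port 9100 come from the thread, and 172.17.1.0/24 is used as the summary of the 172.17.1.1-.40 pool.

```cisco
! ===== Host-location router (192.168.1.0/24) =====
! Crypto ACL for the site-to-site tunnel (name assumed): the existing
! entry plus the AnyConnect pool, so pool traffic is encrypted to the branch.
ip access-list extended S2S-CRYPTO-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 172.17.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Split-tunnel ACL pushed to AnyConnect clients (name assumed): adding the
! branch subnet is what makes 192.168.2.0/24 appear under the client's Routes.
ip access-list standard FLEX-SPLIT-ACL
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
!
crypto ikev2 authorization policy FLEX-AUTHZ
 route set access-list FLEX-SPLIT-ACL
!
! ===== Branch router (192.168.2.0/24) =====
! Mirror image of the host-side crypto ACL; both sides must match or the
! pool-to-branch traffic will not match the IPsec SA.
ip access-list extended S2S-CRYPTO-ACL
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 172.17.1.0 0.0.0.255
!
! Inbound filter named in the thread: keep existing entries, and admit the
! pool only to the four printers on 9100/tcp (plus ICMP for the ping test)
! rather than the whole branch subnet.
ip access-list extended OutsideToInsideACL
 permit tcp 172.17.1.0 0.0.0.255 host 192.168.2.19 eq 9100
 permit tcp 172.17.1.0 0.0.0.255 host 192.168.2.20 eq 9100
 permit tcp 172.17.1.0 0.0.0.255 host 192.168.2.21 eq 9100
 permit tcp 172.17.1.0 0.0.0.255 host 192.168.2.22 eq 9100
 permit icmp 172.17.1.0 0.0.0.255 192.168.2.0 0.0.0.255 echo
!
! Verification from either router: the SA should show the pool/branch pair
! and its encap/decap counters should increase while a test page prints.
! show crypto session detail
! show crypto ipsec sa | include ident|encaps|decaps
```

If the counters stay at zero on one side only, the mismatch is in that side's crypto ACL or in the client's split-tunnel routes rather than in the printer.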