
VPN AnyConnect to Subnet Routing

MikeMeier
Level 1

Hi there,

 

My S2S tunnel works perfectly:

192.168.1.0/24 <--> 192.168.200.0/24

I'm able to connect via AnyConnect and reach all network devices on the subnet

192.168.98.0/24 <--> 192.168.200.0/24

 

But I'm not able to route from the VPN-connected client to HQ

192.168.98.0 <--> 192.168.1.0/24 NOT WORKING!

 

 

Headquarters (192.168.1.0/24):
-------------------------------

object network DIALIN_SUBNET2
 subnet 192.168.98.0 255.255.255.0
 
access-list VPN_splitTunnelAcl_1 standard permit 192.168.98.0 255.255.255.0
 
route inside 192.168.98.0 255.255.255.0 192.168.200.1 1

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Subnet 2 (192.168.200.0/24):
-----------------------------

object network Office_HQ
 subnet 192.168.1.0 255.255.255.0

object network DIALIN_AnyConnect
 subnet 192.168.98.0 255.255.255.0

access-list inside_access_in extended permit ip any4 object Office_HQ
access-list Cisco_DIALIN_AnyConnect extended permit ip object LOCAL_LAN object Office_HQ

access-list outside_cryptomap_HQ remark ** S2S VPN **
access-list outside_cryptomap_HQ extended permit ip 192.168.200.0 255.255.255.0 object-group DM_INLINE_NETWORK_3

 
no arp permit-nonconnected
nat (inside,outside) source static any any destination static Office_HQ Office_HQ no-proxy-arp route-lookup

access-list VPN_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.95.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.98.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.99.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit any4

crypto map outside_map 1 match address outside_cryptomap_HQ
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer ************
crypto map outside_map 1 set ikev1 transform-set myset
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 9
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400

same-security-traffic permit inter-interface
same-security-traffic permit intra-Interface

 

 

Any suggestions, please?

1 Accepted Solution

Hi @MikeMeier

Can you explain what this NAT does?

nat (inside,outside) source static any any destination static Office_HQ Office_HQ no-proxy-arp route-lookup

 

 

-If I helped you somehow, please, rate it as useful.-

