Introduction
This document describes the scenario where user wants implement Site to Site using AnyConnect client.
Prerequisites
Problem
User need general guidance in configuring 2 ASAs connected via site-to-site VPN and then have remote AnyConnect client connect to far end site.Both ASAs are set up for site-to-site VPNs as shown on the attached diagram. Hosts on each LAN segment can ping across the site-to-site tunnel.
One of the ASAs also acts as a terminating endpoint for AnyConnect clients. Remote AnyConnect users can successfully see items on the 192.168.1.X subnet shown on the attached (and items behind the router not shown). Outside interface of the ASAs are the terminating points for all cyrpto.
Where user is struggling in configuring the ASAs so the Remote AnyConnect users can see the 192.168.2.X network.
Few things: These IPs are not production IPs and don't want to include config outputs. No routing other than static routing is configured between ASAs and any layer-3 devices. For those users in the 192.168.1.X subnet their default gateway is configured to be the Router 192.168.1.1. For those users in the 192.168.2.X network their default gateway is configured to be the ASA 192.168.2.1. Attached diagram generally shows how user want to set up.
- User need to allow the AnyConnect clients (that connect to the ASA), to communicate across the IPsec tunnel to the other ASA and reach 192.168.2.x ?
- What you should do is in the crypto ACL of the Site-to-Site tunnel include another ACE with the 192.168.102.x (which is the pool of the AnyConnect clients)?
Solution
Let';s say this is the user's ACL for split tunnel for the AnyConnect clients
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
So, you should also include:
access-list split permit ip 192.168.2.0 255.255.255.0 192.168.102.0 255.255.255.0
Let's say that you have this ACL as the crypto ACL for the Site-to-Site tunnel
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
So, add this line:
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.102.0 255.255.255.0
To allow the ASA to redirect back out the same interface traffic that it receives, you should add:
same-security-traffic permit intra-interface
Also, check the NAT configuration to include these networks accordingly.
Source Discussion
AnyConnect client to site-to-site destination