07-29-2019 05:10 AM - edited 02-21-2020 09:42 PM
Hi to all,
I have three interfaces on ASA:
INSIDE (172.16.x.x headquarters)
OUTSIDE (192.168.20 - 40.x - Anyconnect SSL and S2S NAT-T IPsec certificate)
VPNINET (192.168.1 - 15.x - S2S IPsec with static IP)
Anyconnect client cannot reach S2S NAT-T IPsec subnets on OUTSIDE interface but subnets S2S IPsec on VPNINET interface are reachable.
From INSIDE I can reach all subnets, and all subnets can reach INSIDE.
I've enabled both:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
I'm trying to find something on the forum, but still no luck.
Thanks a lot.
07-29-2019 05:19 AM
Please check the following:
1. Confirm you are either using tunnelall option or are specifying the problem subnets in your split tunnel ACL for the VPN clients.
2. Either way, you need an outside,outside NAT exemption for the VPN client traffic to the remote subnets
3. The VPN client subnet must be included in the crypto map ACL so that there is an IPsec SA created for VPN subnets to remote subnets.
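The three checks above, as an added ASA configuration example (not the poster's or the answerer's config). It assumes an AnyConnect pool of 10.10.10.0/24, a remote site LAN of 192.168.50.0/24 behind the NAT-T peer on OUTSIDE, a group policy ANYCONNECT-GP and a crypto map OUTSIDE_MAP; all of these names and addresses are constructed.

```cisco
! Constructed objects: AnyConnect pool and the remote S2S LAN reached via OUTSIDE
object network ANYCONNECT-POOL
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-S2S-LAN
 subnet 192.168.50.0 255.255.255.0

! 1. Split tunnel: the remote S2S subnet must be listed, or the client never
!    sends that traffic into the tunnel (alternatively use tunnelall)
access-list SPLIT-TUNNEL standard permit 172.16.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 192.168.50.0 255.255.255.0
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 2. Hairpin NAT exemption: client traffic enters and leaves on OUTSIDE, so the
!    identity NAT is (outside,outside), not (inside,outside); route-lookup keeps
!    the egress decision on the routing table rather than the NAT rule
nat (outside,outside) source static ANYCONNECT-POOL ANYCONNECT-POOL destination static REMOTE-S2S-LAN REMOTE-S2S-LAN no-proxy-arp route-lookup

! 3. Crypto map ACL: add the pool so an IPsec SA is built for pool <-> remote LAN
!    (the remote peer's crypto ACL must mirror this entry or the SA will not come up)
access-list S2S-REMOTE-CRYPTO extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list S2S-REMOTE-CRYPTO extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address S2S-REMOTE-CRYPTO

! Verification: trace a client packet toward the remote LAN and confirm the SA
!    for the pool <-> remote LAN pair exists once a client has sent traffic
packet-tracer input outside icmp 10.10.10.5 8 0 192.168.50.10
show crypto ipsec sa peer <remote-peer-ip> | include ident
```

The packet-tracer output should show the UN-NAT rule above being hit and the VPN encrypt phase selected; if it ends in a NAT or ACL drop, the corresponding check is the one still missing.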