

Using Anyconnect to access remote L2L network with asa on 9.1

Hello all,

I am stuck and could use some assistance here.   I have a very similar question as here, but I am on version 9.1(2).

It had been working prior with v8.2 (we recently upgraded).


So we have two lan-to-lan VPNs established and both remote sites can access each other's resources.  The client-based VPN users however cannot (neither IPsec client nor AnyConnect).


We created a network object group as shown below and did the double-NAT statement, but that doesn't seem to have helped.  The remote networks are in the split-tunnel of the client.


Any thoughts would be greatly appreciated.

Thanks!  -Cheers, Peter.

 = main site (inside of asa)
 = remote a (isr851 w/ ezvpn network extension mode)
 = standard lan to lan vpn tunnel
 = IP pool of IPSec/Anyconnect clients


object-group network int-vpn-nonat


nat (Outside-MetroE,Outside-MetroE) source static int-vpn-nonat int-vpn-nonat destination static int-vpn-nonat int-vpn-nonat no-proxy-arp route-lookup



Just a few things to check:

1. Does the far side ASA have a route back to the AnyConnect VPN subnet?

2. Does the far side ASA have a twice NAT configured for the Any Connect subnet?

3. Did you add the Any Connect subnet to the interesting traffic ACL for L2L?
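Below is an illustrative hub-and-spoke ASA configuration covering the three checks above. It is an added example, not configuration taken from either poster; the 192.168.0.0/24 hub LAN and 192.168.3.0/24 spoke LAN come from the thread, while the 10.10.10.0/24 client pool, the interface names inside/outside, the object and ACL names, and the hub public IP placeholder are all assumed. One hub setting the thread does not mention but that a hairpinned remote-access-to-L2L flow requires is same-security-traffic permit intra-interface, since the client traffic enters and leaves the same outside interface.

```text
! ===== Hub ASA (central site, inside = 192.168.0.0/24), ASA 9.1 syntax =====
! Remote-access client traffic arrives on outside and must be sent back out
! outside toward the spoke tunnel; without this the ASA drops the hairpin.
same-security-traffic permit intra-interface

object network hub-inside
 subnet 192.168.0.0 255.255.255.0
object network spoke-a-lan
 subnet 192.168.3.0 255.255.255.0
object network ra-pool
 subnet 10.10.10.0 255.255.255.0       ! assumed AnyConnect/IPsec client pool

! Identity (twice) NAT so pool-to-spoke traffic is left untranslated.
! Both legs are on the outside interface, hence (outside,outside).
nat (outside,outside) source static ra-pool ra-pool destination static spoke-a-lan spoke-a-lan no-proxy-arp route-lookup
! Existing exemption for hub LAN to spoke LAN
nat (inside,outside) source static hub-inside hub-inside destination static spoke-a-lan spoke-a-lan no-proxy-arp route-lookup

! Check 3: the client pool must be in the L2L crypto ACL (mirrored on the spoke).
access-list L2L-SPOKE-A extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list L2L-SPOKE-A extended permit ip 10.10.10.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L-SPOKE-A

! The client split-tunnel list must also carry the spoke subnet.
access-list RA-SPLIT standard permit 192.168.0.0 255.255.255.0
access-list RA-SPLIT standard permit 192.168.3.0 255.255.255.0

! ===== Spoke ASA (inside = 192.168.3.0/24) =====
! Check 1: a route back to the client pool. With reverse-route injection on
! the crypto map the ASA installs a route for each remote proxy automatically;
! otherwise add it explicitly (HUB_PUBLIC_IP is a placeholder).
crypto map OUTSIDE_MAP 10 set reverse-route
route outside 10.10.10.0 255.255.255.0 HUB_PUBLIC_IP 1

! Check 2: twice-NAT exemption that includes the client pool, not just the hub LAN.
object network spoke-inside
 subnet 192.168.3.0 255.255.255.0
object-group network hub-remote-nets
 network-object 192.168.0.0 255.255.255.0
 network-object 10.10.10.0 255.255.255.0
nat (inside,outside) source static spoke-inside spoke-inside destination static hub-remote-nets hub-remote-nets no-proxy-arp route-lookup

! Check 3 (mirror of the hub crypto ACL)
access-list L2L-HUB extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list L2L-HUB extended permit ip 192.168.3.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L-HUB

! ===== Verification on either box =====
! show nat                       -> confirms the identity rule and its hit counts
! show crypto ipsec sa           -> encaps with no decaps points at the far side
! packet-tracer input outside tcp 10.10.10.5 1234 192.168.3.10 445
!                                -> shows which NAT rule and VPN phase the flow hits
```

Reading the packet-tracer output against the three checks is usually faster than comparing NAT statements by eye: if it fails at the NAT phase the exemption is missing or ordered after a dynamic rule, and if it passes on the hub but the spoke shows no decaps, the spoke's route or exemption is the gap.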






Hi Kevin,

Thanks for taking the time to help.  It is greatly appreciated.


For Nr. 3, I believe I have that correct... I do see the network appear as a "remote ident" entry in the "sh cry ips sa" output and there are packet encaps listed (no decaps).


For Nr. 2, I believe so.  Here is what I have on the lan2lan remote site asa:

object network internal-network

object-group network bcc-int-vpn-nonat


nat (inside,outside) source static internal-network internal-network destination static int-vpn-nonat int-vpn-nonat no-proxy-arp route-lookup


For Nr. 1, I am fairly sure I have this right.  The hosts on the far end 192.168.3.x network all have their local ASA as their default gateway.  I don't have any additional routing setup outside of the "Reverse Route Injection" option in the static l2l cryptomap definition.


Things had been working fine before the upgrade...  My suspicion is that I am missing something in the double NAT on the 192.168.0.x central ASA...  This whole business of not having NAT exemptions has really been something strange, and I still don't fully understand the logic behind it.


Sorry I still feel dense with this new nat format.

Thanks!  -Cheers, Peter.



