
Using Anyconnect to access remote L2L network with asa on 9.1

pbrunnen
Level 1

Hello all,

I am stuck and could use some assistance here.   I have a very similar question as here, but I am on version 9.1(2).

It had been working prior with v8.2 (we recently upgraded).

 

So we have two lan-to-lan vpns established and both remote sites can access each other's resources.  The client based vpn users however cannot (neither IPSec client nor anyconnect).

 

We created a network object group as shown below and did the double-nat statement, but that doesn't seem to have helped.  The remote networks are in the split-tunnel of the client.

 

Any thoughts would be greatly appreciated.

Thanks!  -Cheers, Peter.

 

192.168.1.0 = main site (inside of asa)

192.168.1.0 = remote a (isr851 w/ ezvpn network extension mode)

192.168.3.0 = standard lan to lan vpn tunnel

192.168.7.0 = IP pool of IPSec/Anyconnect clients

 

object-group network int-vpn-nonat
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.7.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0

 

nat (Outside-MetroE,Outside-MetroE) source static int-vpn-nonat int-vpn-nonat destination static int-vpn-nonat int-vpn-nonat no-proxy-arp route-lookup

3 Replies

kevin_giusti
Level 1

Just a few things to check:

1. Does the far side ASA have a route back to the Any Connect VPN subnet?

2. Does the far side ASA have a twice NAT configured for the Any Connect subnet?

3. Did you add the Any Connect subnet to the interesting traffic ACL for L2L?

 

Thanks,

Kevin

Hi Kevin,

Thanks for taking the time to help.  It is greatly appreciated.

 

For Nr. 3, I believe I have that correct... I do see the 192.168.7.0 network appear as a "remote ident" entry in the "sh cry ips sa" output and there are packet encaps listed (no decaps).

 

For Nr. 2, I believe so.  Here is what I have on the lan2lan remote site asa:

object network internal-network
 subnet 192.168.3.0 255.255.255.0

object-group network bcc-int-vpn-nonat
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.7.0 255.255.255.0

 

nat (inside,outside) source static internal-network internal-network destination static int-vpn-nonat int-vpn-nonat no-proxy-arp route-lookup

 

For Nr. 1, I am fairly sure I have this right.  The hosts on the far end 192.168.3.x network all have their local ASA as their default gateway.  I don't have any additional routing setup outside of the "Reverse Route Injection" option in the static l2l cryptomap definition.

 

Things had been working fine before the upgrade...  My suspicion is that I am missing something in the double nat on the 192.168.0.x central ASA...  This whole not having nat exclusions has really been something strange and I still don't fully understand the logic behind it.

 

Sorry I still feel dense with this new nat format.

Thanks!  -Cheers, Peter.
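
Kevin's second check, applied to the remote-site excerpt in the reply above, as an added example that is not part of the thread: a small Python script that resolves the object names a twice-NAT line references and checks whether the AnyConnect pool (192.168.7.0/24) is matched by any of them. The function names are hypothetical, and the config text is the posted excerpt with its broken lines rejoined.

```python
import ipaddress
import re

# Remote-site excerpt as posted in the reply above (line breaks rejoined).
REMOTE_CFG = """\
object network internal-network
 subnet 192.168.3.0 255.255.255.0
object-group network bcc-int-vpn-nonat
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.7.0 255.255.255.0
nat (inside,outside) source static internal-network internal-network destination static int-vpn-nonat int-vpn-nonat no-proxy-arp route-lookup
"""

def parse_objects(cfg):
    """Map each object / object-group name to the networks defined under it."""
    objs, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object(?:-group)? network (\S+)", line)
        if m:
            current = objs.setdefault(m.group(1), [])
            continue
        m = re.match(r"\s+(?:subnet|network-object) (\S+) (\S+)", line)
        if m and current is not None:
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the object block
    return objs

def audit_identity_nat(cfg, vpn_pool):
    """Findings per twice-NAT line: undefined names, VPN pool not matched."""
    objs, pool, findings = parse_objects(cfg), ipaddress.ip_network(vpn_pool), []
    nat_re = re.compile(r"nat \((\S+?),(\S+?)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
    for line in cfg.splitlines():
        m = nat_re.match(line)
        if not m:
            continue
        names = m.groups()[2:]  # real/mapped source, real/mapped destination
        for name in sorted(set(names)):
            if name not in objs:
                findings.append(f"undefined object '{name}'")
        nets = [n for name in names for n in objs.get(name, [])]
        if not any(pool.subnet_of(n) for n in nets):
            findings.append(f"{vpn_pool} not matched by any defined object")
    return findings
```

Run as `audit_identity_nat(REMOTE_CFG, "192.168.7.0/24")`, it reports that `int-vpn-nonat` is not defined in the lines shown (the group in the excerpt is `bcc-int-vpn-nonat`); the full running config may define it elsewhere.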

pbrunnen
Level 1

bump.
