654 Views | 0 Helpful | 1 Replies

Access second office in site to site VPN and VPN client

blin
Level 1

The client has a site-to-site VPN connecting two offices. When the owner uses the VPN client to connect to one office (OfficeA), he can't RDP to the servers in the second office (OfficeB). I assume we need to add a NAT rule and an access list, but I don't know how to do it. I know little about ASDM. Attached is the configuration file. Any help will be appreciated.

Accepted Solution

Troy Jackson
Level 1

This sounds like a routing/config issue. You will need to check whether office B is sending the return traffic (AnyConnect 10.100.1.X/24) from the servers back to the tunnel. Also, you will need to add the AnyConnect subnet (10.100.1.X/24) to the crypto-map ACL at both sides of the tunnel (office A and office B). As for NAT, you can add exempt statements on the office B side so the servers can reach the AnyConnect user.

example:

-- office A --

access-list outside_cryptomap_1 extended permit ip 10.100.1.0 255.255.255.0 192.168.0.0 255.255.255.0

-- office B --

object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0

object network anyconnect-network
 subnet 10.100.1.0 255.255.255.0

access-list <name of crypto acl> extended permit ip 192.168.0.0 255.255.255.0 10.100.1.0 255.255.255.0

nat (inside,any) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static anyconnect-network anyconnect-network no-proxy-arp route-lookup

Please remember to rate useful posts, by clicking on the star below.
-Troy J.
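The answer above lists three things that must all be true before an AnyConnect user on office A can reach office B's LAN: the office A crypto ACL must carry the VPN pool to the remote LAN, the office B crypto ACL must carry the remote LAN to the VPN pool (the return path), and office B needs an identity (twice) NAT statement so the server-to-pool traffic is not translated. The script below is an added example, not part of the thread or a Cisco tool: it parses a few relevant lines out of two ASA running-configs and reports which of the three conditions hold, so the gap can be found before touching ASDM. The config text, the ACL name `outside_cryptomap` on office B, the object name `anyconnect-pool` on office A and the 10.0.0.0/24 office A LAN are constructed assumptions; the office B objects and NAT line mirror the ones posted in the answer.

```python
"""Audit two ASA configs for the AnyConnect-over-site-to-site case (added example)."""
import ipaddress
import re

# Constructed sample configs modelled on the thread; names and subnets are assumptions.
OFFICE_A_CFG = """
object network anyconnect-pool
 subnet 10.100.1.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.100.1.0 255.255.255.0 192.168.0.0 255.255.255.0
"""

# Office B as it presumably looks before the fix: the crypto ACL only knows the office A LAN.
OFFICE_B_CFG_BROKEN = """
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
"""

# Office B with the lines from the accepted answer appended.
OFFICE_B_CFG_FIXED = OFFICE_B_CFG_BROKEN + """
object network anyconnect-network
 subnet 10.100.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.100.1.0 255.255.255.0
nat (inside,any) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static anyconnect-network anyconnect-network no-proxy-arp route-lookup
"""

OBJ_RE = re.compile(r"^object network (\S+)")
SUBNET_RE = re.compile(r"^\s*subnet (\S+) (\S+)")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")


def to_net(addr, mask=None):
    """Turn an ASA address/mask pair (or the keyword any/any4) into an IPv4Network."""
    if addr in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)


def parse_objects(cfg):
    """Collect 'object network NAME' / 'subnet A M' pairs into {NAME: network}."""
    objects, current = {}, None
    for line in cfg.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SUBNET_RE.match(line)
        if m and current:
            objects[current] = to_net(m.group(1), m.group(2))
    return objects


def _take(tokens, i, objects):
    """Consume one ACL address operand starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return to_net(tok), i + 1
    if tok == "host":
        return to_net(tokens[i + 1], "255.255.255.255"), i + 2
    if tok == "object":
        return objects[tokens[i + 1]], i + 2
    return to_net(tok, tokens[i + 1]), i + 2


def parse_acl(cfg, acl_name, objects):
    """Return (src, dst) network pairs for 'permit ip' entries of the named ACL."""
    entries = []
    for line in cfg.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[1] != acl_name:
            continue
        if tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _take(tokens, 5, objects)
        dst, _ = _take(tokens, i, objects)
        entries.append((src, dst))
    return entries


def parse_nat_exempts(cfg, objects):
    """Identity twice-NAT statements: real object equals mapped object on both sides."""
    exempts = []
    for line in cfg.splitlines():
        m = NAT_RE.match(line)
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
            src, dst = objects.get(m.group(1)), objects.get(m.group(3))
            if src and dst:
                exempts.append((src, dst))
    return exempts


def covers(entries, src, dst):
    """True if some (S, D) entry contains src within S and dst within D."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def audit(cfg_a, acl_a, cfg_b, acl_b, vpn_pool, lan_b):
    """Check the three conditions from the answer for pool -> office B LAN traffic."""
    pool, lan = to_net(vpn_pool), to_net(lan_b)
    objs_a, objs_b = parse_objects(cfg_a), parse_objects(cfg_b)
    return {
        "a_crypto_acl": covers(parse_acl(cfg_a, acl_a, objs_a), pool, lan),
        "b_crypto_acl": covers(parse_acl(cfg_b, acl_b, objs_b), lan, pool),
        "b_nat_exempt": covers(parse_nat_exempts(cfg_b, objs_b), lan, pool),
    }


if __name__ == "__main__":
    for label, cfg_b in (("before", OFFICE_B_CFG_BROKEN), ("after", OFFICE_B_CFG_FIXED)):
        print(label, audit(OFFICE_A_CFG, "outside_cryptomap_1", cfg_b, "outside_cryptomap",
                           "10.100.1.0/24", "192.168.0.0/24"))
```

Run against the "before" office B config the script reports the crypto ACL and NAT exemption both missing on the B side, which is exactly the symptom in the question (the RDP SYN leaves office A through the tunnel, but office B has no interesting-traffic entry or NAT exemption for the reply). The parser only understands the `permit ip` / `object network` / identity twice-NAT forms used in the thread; other ACL syntax is skipped rather than guessed at.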
