04-29-2020 08:16 AM
Hi
I have a LAN-to-LAN tunnel on one interface connected to a hosted environment, and all my VPN users come in via a different interface. Both interfaces are external facing, both security level 0.
My problem is this: Users on my LAN can access the hosted environment fine through the LAN-to-LAN tunnel, however my AnyConnect VPN users can't. I've seen other topics mention VPN hairpinning and my config is set up to allow this, however I don't believe this is my issue as both interfaces are separate.
I think it may be something to do with routing or VPN flow, as if I use the packet tracer tool and pick one of my AnyConnect IP addresses that isn't in use it suggests that the packet is allowed, however if I pick an AnyConnect IP address in use (my own, for example) then it claims the packet is dropped.
05-13-2020 08:13 AM
Finally sorted this one.
It turned out to be a missing PAT statement for traffic originating from the OUTSIDE interface, i.e. AnyConnect users.
For some reason I had it in my head that they would originate from the INSIDE once they connect to the VPN. It was the packet tracer that suddenly made the lightbulb go on for me.
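To illustrate the fix described above, here is an added example of ASA twice-NAT rules of the shape the thread discusses; it is not the poster's configuration. Object names and addresses are constructed, `outside` is the interface the AnyConnect users terminate on (as in the thread), `inside` is the LAN, and `hosted` is an assumed name for the interface carrying the LAN-to-LAN tunnel.

```cisco
! Constructed objects; real names and addresses will differ.
object network LAN_NET
 subnet 10.10.0.0 255.255.0.0
object network ANYCONNECT_POOL
 subnet 10.200.0.0 255.255.255.0
object network HOSTED_NET
 subnet 172.16.50.0 255.255.255.0
! The single address inside the agreed NAT subnet used for PAT.
object network PAT_IP
 host 192.168.100.10

! Existing rule: LAN users towards the hosted environment are PAT'd to
! PAT_IP; the destination is kept unchanged (static, same object twice).
nat (inside,hosted) source dynamic LAN_NET PAT_IP destination static HOSTED_NET HOSTED_NET

! The missing rule: decrypted AnyConnect traffic enters on OUTSIDE, not
! INSIDE, so it needs its own rule keyed on the (outside,hosted) pair.
nat (outside,hosted) source dynamic ANYCONNECT_POOL PAT_IP destination static HOSTED_NET HOSTED_NET

! The L2L crypto ACL must match the translated (PAT) address, as the
! thread notes, not the original LAN or pool addresses.
access-list L2L_CRYPTO extended permit ip object PAT_IP object HOSTED_NET

! Two interfaces at the same security level (both 0 here) also need
! this, otherwise traffic between them is denied.
same-security-traffic permit inter-interface

! Checks: confirm both NAT rules accumulate hits, then trace a flow
! from a pool address (constructed) towards a hosted server. The poster
! found the trace only meaningful for a pool address currently assigned
! to a connected client.
show nat detail
packet-tracer input outside tcp 10.200.0.5 40000 172.16.50.10 443
```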
04-29-2020 08:30 AM
04-29-2020 08:41 AM
Hi
Thanks for responding. Both interfaces are security level 0.
The NAT is more complex, as for the LAN-to-LAN tunnel we're having to do static NAT for server resources on our side due to overlapping network address space within the hosted environment.
For users on our side (including VPN client users) we have a PAT rule set up to a single IP address within the agreed NAT subnet. This works fine for users on the LAN but not for AnyConnect VPN users.
04-29-2020 09:48 AM
04-30-2020 12:12 AM
Hi
The PAT rule works for other networks (LAN based) but not the Cisco AnyConnect traffic, so I'm sure it's something to do with that. I've tried moving it to the top of the list but no joy.
The PAT addresses are included in the ACL for the L2L VPN.
If you do a packet tracer it shows the packet getting through as long as the IP address isn't allocated to an AnyConnect user. If the IP address is in use it fails. I wondered if it was something to do with the automatic route advertisement for AnyConnect IP addresses, but I'm not sure how this works.