AnyConnect Client to another Remote VPN LAN - Remote to AnyConnect works, AnyConnect to Remote does not

stownsend (Level 2)

Head End: Cisco ASA 5525-X - 9.4(1)

Remote Site A: Cisco ASA5506 - 9.5(1)

Remote Site B: Cisco ASA5506 - 9.2.4(18)

AnyConnect Client: iPad v4.0.05066

I want to be able to connect to the Remote Site from the AnyConnect Client. From the Remote site I can ping the IP address of the iPad's VPN connection and it pings fine. Turn off the VPN and the ping dies. I only have the iPad at this point to test, so I am limited to what I can initiate from the remote site to the AnyConnect Client.

From the AnyConnect Client to the HQ site works great, though any pinging, RDP, or anything else that originates from the AnyConnect Client to the Remote site fails.

Remote Site A and Remote site B can both ping back and forth. 

I'm sure it's part of the crypto access lists that are not right, though I can't tell if I'm not getting let in at the remote sites, or if the head end is blocking it from going out, or if it's a NAT thing, or?

I thought about posting configs and having someone point out my obvious mistakes, though I want to get better at debugging this kind of stuff. What are some good debug commands to see where this connection is failing?

Thank you,

Scott

2 Replies

Rahul Govindan (VIP Alumni)

I would start with packet-tracer to see what the ASA does with the packet when it comes in from the AnyConnect client headed toward the remote site. The command would be something like this:

packet-tracer input outside icmp <anyconnect ip> 8 0 <remote lan ip> detailed

Note that since the packet-tracer is not VPN aware, it will simulate the packet as coming into the outside interface in the clear, so it will check the outside ACL. Temporarily exempt this traffic from the ACL for running this command. VPN traffic bypasses this ACL by default.

You may also want to check the "show crypto ipsec sa peer x.x.x.x | in iden|caps:" output. It will show you how many packets are being encrypted per peer.

I am assuming that your AnyConnect and the site 2 site VPN terminate on the same outside (internet) interface? And AnyConnect has split-tunneling configured?

If this is the case then you need to check the following:

  • Check that the remote site subnets are permitted in the split-tunnel ACL.
  • Check that the site 2 site crypto ACL at the HQ has the AnyConnect subnet defined as a source subnet.
  • Check that the remote site 2 site crypto ACL has the AnyConnect subnet as a destination subnet.
  • Make sure you have same-security-traffic permit intra-interface configured.
  • If the ASA at HQ is also the internet gateway, make sure you have identity NAT / NAT exempt configured with source and destination interface as outside (or whichever name the interface has). Also remember to add route-lookup on the NAT statement.

If you are tunneling all traffic, check the same things, but then you also need to check routing. Chances are that you might need to add a static route for the remote site subnet to point out the outside interface.

--

Please remember to select a correct answer and rate helpful posts
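The checklist above, written out as an ASA 9.x configuration fragment on the HQ head end. This is an added example, not configuration from the original post or from the reply's author; every address, object name, ACL name and crypto map name in it is an assumption (RFC 5737 documentation space for the remote peer), and the existing tunnel-group, transform set and AnyConnect tunnel-group are assumed to be already in place.

```cisco
! Assumed addressing (placeholders, not taken from the thread):
!   AnyConnect pool    10.99.0.0/24   -> object VPN-POOL
!   HQ LAN             10.1.0.0/24    -> object HQ-LAN
!   Remote Site A LAN  10.2.0.0/24    -> object SITEA-LAN
!   Remote Site A peer 203.0.113.20   (documentation address)
object network VPN-POOL
 subnet 10.99.0.0 255.255.255.0
object network HQ-LAN
 subnet 10.1.0.0 255.255.255.0
object network SITEA-LAN
 subnet 10.2.0.0 255.255.255.0

! 1. AnyConnect traffic decrypts on outside and re-enters the L2L tunnel on outside,
!    so the ASA must allow a flow to leave the interface it arrived on.
same-security-traffic permit intra-interface

! 2. Split-tunnel ACL: the remote LAN must be listed, not only the HQ LAN,
!    otherwise the client sends 10.2.0.0/24 out its local default route.
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.2.0.0 255.255.255.0
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 3. HQ crypto ACL: the VPN pool must be a permitted SOURCE toward Site A.
!    With only the first line, Site A can reach the pool (reverse match on its side)
!    but the HQ ASA never selects the tunnel for pool -> Site A traffic.
access-list L2L-SITEA extended permit ip object HQ-LAN object SITEA-LAN
access-list L2L-SITEA extended permit ip object VPN-POOL object SITEA-LAN
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-SITEA
crypto map OUTSIDE-MAP 10 set peer 203.0.113.20
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! 4. Identity NAT, outside to outside, so the pool address is not PATed to the
!    outside IP before crypto-map evaluation. route-lookup lets the ASA route on
!    the real destination instead of the mapped interface.
nat (outside,outside) source static VPN-POOL VPN-POOL destination static SITEA-LAN SITEA-LAN no-proxy-arp route-lookup

! Mirror on the Site A ASA (its own object names assumed): the pool is a DESTINATION
! in its crypto ACL, and its LAN-to-pool traffic is also NAT-exempted.
! access-list L2L-HQ extended permit ip object SITEA-LAN object VPN-POOL
! nat (inside,outside) source static SITEA-LAN SITEA-LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
```

Once the lines are in, the packet-tracer command from the reply is the quickest way to confirm the result: with the pool subnet as the source, the trace should show the NAT phase hitting the identity rule and the VPN phase selecting the L2L tunnel, and "show crypto ipsec sa peer 203.0.113.20" on HQ should then show a second proxy identity (pool to Site A LAN) with rising #pkts encaps.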