Anyconnect clients cannot reach remote S2S NAT-T subnets

becfip
Level 1

Hi to all,

 

I have three interfaces on the ASA:

INSIDE (172.16.x.x headquarters)

OUTSIDE (192.168.20 - 40.x - Anyconnect SSL and S2S NAT-T IPsec certificate)

VPNINET (192.168.1 - 15.x - S2S IPsec with static IP)

 

Anyconnect client cannot reach S2S NAT-T IPsec subnets on OUTSIDE interface but subnets S2S IPsec on VPNINET interface are reachable.

From INSIDE I can reach all subnets, and all subnets can reach INSIDE.

 

I've enabled both:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

 

I'm trying to find something on the forum, but still no luck.

 

Thanks a lot.

Accepted Solution

Marvin Rhoads
Hall of Fame

Please check the following:

1. Confirm you are either using tunnelall option or are specifying the problem subnets in your split tunnel ACL for the VPN clients.

2. Either way, you need an outside,outside NAT exemption for the VPN client traffic to the remote subnets.

3. The VPN client subnet must be included in the crypto map ACL so that there is an IPsec SA created for VPN subnets to remote subnets.

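The three items above, written out as an ASA 8.3+ configuration fragment. This is an added illustration, not configuration from the thread or from the poster's ASA: the AnyConnect pool (10.10.10.0/24), the remote site-to-site subnet (10.20.20.0/24), the object, ACL, group-policy and crypto map names are all constructed placeholders, and the headquarters network is taken from the poster's 172.16.x.x description.

```cisco
! Added example, not the poster's configuration. All addresses and names are
! assumed placeholders: AnyConnect pool 10.10.10.0/24, remote S2S subnet
! 10.20.20.0/24, S2S peer behind NAT terminating on the OUTSIDE interface.

object network ANYCONNECT_POOL
 subnet 10.10.10.0 255.255.255.0
object network REMOTE_S2S_NET
 subnet 10.20.20.0 255.255.255.0

! 1. The split-tunnel ACL must carry the remote S2S subnet, otherwise the
!    client never sends that traffic into the tunnel (or use tunnelall).
access-list SPLIT_TUNNEL standard permit 172.16.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.20.20.0 255.255.255.0

group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 2. NAT exemption with OUTSIDE as both ingress and egress interface: the
!    AnyConnect session and the NAT-T S2S tunnel both terminate on OUTSIDE,
!    so the traffic hairpins and must not be translated.
nat (OUTSIDE,OUTSIDE) source static ANYCONNECT_POOL ANYCONNECT_POOL destination static REMOTE_S2S_NET REMOTE_S2S_NET no-proxy-arp route-lookup

! 3. The crypto map ACL (proxy identities) must include the VPN pool as a
!    source, so an IPsec SA exists for pool -> remote subnet, not only for
!    INSIDE -> remote subnet. The remote peer needs the mirrored entry.
access-list S2S_CRYPTO extended permit ip 172.16.0.0 255.255.0.0 10.20.20.0 255.255.255.0
access-list S2S_CRYPTO extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0

crypto map OUTSIDE_MAP 10 match address S2S_CRYPTO

! Hairpinning on one interface also needs this (the poster already has it):
same-security-traffic permit intra-interface
```

To confirm the flow after applying the change, `packet-tracer input OUTSIDE tcp 10.10.10.5 12345 10.20.20.5 443` should show the untranslated NAT rule being hit and the VPN encrypt phase allowing the packet, and `show crypto ipsec sa` should list a 10.10.10.0/24 to 10.20.20.0/24 SA once the first packet has triggered it. If the remote peer's crypto ACL does not mirror the new pool entry, phase 2 negotiation for that proxy identity will fail on the peer side, so both ends need the change.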
Hi Marvin,

thanks for advice.
Added the outside,outside NAT and it works.