Anyconnect to fiber site-to-site VPN destination

nwest0010
Level 1

I have AnyConnect setup at two locations. There is a fiber point to point between the two locations and they can communicate across it with no issues locally. I want to be able to use AnyConnect to connect to Branch A and then also be able to access resources across the PTP at Branch B. I've tried a few configuration changes with split tunneling but nothing seems to be getting me across. I have attached both ASA configs. Any help would be greatly appreciated!

Site A: 192.168.1.x

Site B: 192.168.200.x


You are still missing the routes for the VPN pools.

On site 'A' 881 you need:

ip route 10.251.251.0 255.255.255.0 10.10.10.1

On site 'B' 881 you need:

ip route 10.250.250.0 255.255.255.0 10.10.10.2

I had tried these previously. I went ahead and put them back in there but I still cannot ping site B when connected to Site A. 

On each ASA you need two of the below lines.  One for the local internal LAN subnet, and another for the remote LAN subnet.  In each case it should use the global VPN subnet (the pool of addresses).

nat (inside,outside) source static INTERNAL_SUBNET INTERNAL_SUBNET destination static VPN_SUBNET VPN_SUBNET

I still cannot ping site B, but it also seems to have broken DNS. I could ping things on Site A but only by IP for some reason. Previously I could ping by name. 

Perhaps post a fresh config for the ASA you are connecting to.

Here they are. 

This is getting tricky, as you are switching what you called site A.

In the first post site A has the subnet 192.168.1.x.  In the config attached above site A has the subnet 192.168.200.x.

For the ASA with the IP address 192.168.200.254, change the below ACL so it has two lines in it, instead of 1.

access-list split_tunnel standard permit 192.168.200.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0

Adding this fixed it. I am able to traverse both sides when connected via Anyconnect. Thank you so much!

Yay!  Please rate and mark as correct those responses which helped you.  :-)

I apologize. I'm getting confused calling them A & B as well. Haha. I've fixed the uploaded configs. 

add below command

same-security-traffic permit intra-interface

traffic is hair-pinning from one site to another please add this command on ASA terminating the VPN

share the packet-tracer output from the VPN terminating ASA

packet-tracer input outside icmp <pool ip > 8 0  <destination IP> detail

and on outside interface allow icmp any any (for testing)

share the output of below command

sh run all sysopt
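The replies above add three things on the VPN-terminating ASA: a NAT exemption for each LAN subnet to the VPN pool, a split-tunnel ACL that lists both LAN subnets, and same-security-traffic so the client's traffic can hairpin out toward the other site. The following is an added example, not from the thread or its attached configs: a small Python check that reads an ASA config fragment (a constructed one is embedded) and reports which of those pieces is missing. Object names, subnets and the ACL name are assumed for illustration.

```python
import re

# Constructed ASA config fragment (assumed names/subnets, not the thread's attachments):
# the pieces the replies say the AnyConnect-terminating ASA needs so a client can
# reach the remote LAN across the point-to-point link.
ASA_CONFIG_FIXED = """
same-security-traffic permit intra-interface
object network INTERNAL_SUBNET
 subnet 192.168.200.0 255.255.255.0
object network REMOTE_SUBNET
 subnet 192.168.1.0 255.255.255.0
object network VPN_SUBNET
 subnet 10.251.251.0 255.255.255.0
access-list split_tunnel standard permit 192.168.200.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
nat (inside,outside) source static INTERNAL_SUBNET INTERNAL_SUBNET destination static VPN_SUBNET VPN_SUBNET
nat (inside,outside) source static REMOTE_SUBNET REMOTE_SUBNET destination static VPN_SUBNET VPN_SUBNET
"""


def check_anyconnect_reachability(config, local, remote, pool, acl="split_tunnel"):
    """Return a list of missing requirements (empty list means all present).

    local/remote/pool are 'network mask' strings. The NAT check resolves the
    object names used in 'nat ... source static' lines back to their subnets.
    """
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Map 'object network NAME' -> 'network mask' from the following 'subnet' line.
    objects, cur = {}, None
    for l in lines:
        if l.startswith("object network "):
            cur = l.split()[2]
        elif l.startswith("subnet ") and cur:
            objects[cur] = l[len("subnet "):]
    missing = []
    # 1. Hairpin: client traffic enters and leaves via the outside interface.
    if "same-security-traffic permit intra-interface" not in lines:
        missing.append("hairpin: same-security-traffic permit intra-interface")
    # 2. Split-tunnel ACL must carry both LAN subnets, or the client never sends them.
    for net in (local, remote):
        if f"access-list {acl} standard permit {net}" not in lines:
            missing.append(f"split-tunnel ACL lacks {net}")
    # 3. Identity (twice) NAT exemption for each LAN subnet <-> VPN pool.
    nat_re = re.compile(r"^nat \(inside,outside\) source static (\S+) \1 destination static (\S+) \2$")
    exempted = set()
    for l in lines:
        m = nat_re.match(l)
        if m and objects.get(m.group(2)) == pool:
            exempted.add(objects.get(m.group(1)))
    for net in (local, remote):
        if net not in exempted:
            missing.append(f"NAT exemption lacks {net} <-> {pool}")
    return missing
```

The routes for the pool on the two 881s are outside the ASA config and are not checked here.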

Rohan Padwal
Level 1

Hello 

How's the fiber connected? Is it direct IP connectivity or do you have a site to site tunnel between site A and site B?

If you have an L2L tunnel then you will have to modify the crypto ACLs; if you have IP traffic without encryption then you need to have reverse routes for the VPN POOL traffic on the site B network devices..... eg: as per your config you will need routes for 10.251.251.1/24 pointing to site A on a hop-by-hop basis ;)

hope  that helps

regards

#Rohan

It's direct connectivity. From the port on the fiber NID it's plugged into a 881. The ASA has a route pointing the traffic for the remote site to the router. 

Rohan Padwal
Level 1

When the client is connected to ASA 1 on site A........ from ASA2 on site B are you able to ping the client IP, eg 10.251.251.1?