02-24-2016 02:13 PM - edited 02-21-2020 08:42 PM
I have AnyConnect setup at two locations. There is a fiber point to point between the two locations and they can communicate across it with no issues locally. I want to be able to use AnyConnect to connect to Branch A and then also be able to access resources across the PTP at Branch B. I've tried a few configuration changes with split tunneling but nothing seems to be getting me across. I have attached both ASA configs. Any help would be greatly appreciated!
Site A: 192.168.1.x
Site B: 192.168.200.x
02-25-2016 11:10 AM
You are still missing the routes for the VPN pools.
On site 'A' 881 you need:
ip route 10.251.251.0 255.255.255.0 10.10.10.1
On site 'B' 881 you need:
ip route 10.250.250.0 255.255.255.0 10.10.10.2
02-25-2016 11:20 AM
I had tried these previously. I went ahead and put them back in there but I still cannot ping site B when connected to Site A.
02-25-2016 11:28 AM
On each ASA you need two of the below lines: one for the local internal LAN subnet, and another for the remote LAN subnet. In each case it should use the local VPN subnet (the pool of addresses).
nat (inside,outside) source static INTERNAL_SUBNET INTERNAL_SUBNET destination static VPN_SUBNET VPN_SUBNET
02-25-2016 11:38 AM
I still cannot ping site B, but it also seems to have broken DNS. I could ping things on Site A but only by IP for some reason. Previously I could ping by name.
02-25-2016 11:39 AM
Perhaps post a fresh config for the ASA you are connecting to.
02-25-2016 11:52 AM
This is getting tricky, as you are switching what you called site A.
In the first post site A has the subnet 192.168.1.x. In the config attached above site A has the subnet 192.168.200.x.
02-25-2016 11:56 AM
For the ASA with the IP address 192.168.200.254, change the below ACL so it has two lines in it, instead of 1.
access-list split_tunnel standard permit 192.168.200.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
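The thread boils down to three lines the VPN-terminating ASA needs before AnyConnect clients can reach the far LAN: both LAN subnets in the split-tunnel ACL, an identity (no-NAT) rule for each LAN towards the pool, and hairpin permission. The checker below is an added example, not part of this thread or of any attached config; it runs over a constructed config fragment, and the object names LAN_A, LAN_B and VPN_SUBNET and the ACL name are assumptions.

```python
import re
from typing import Dict, List

# Constructed ASA fragment in the shape this thread describes (one split-tunnel
# entry, one identity-NAT line, no hairpin statement). Not a real device config.
BROKEN_CONFIG = """\
ip local pool VPN_POOL 10.250.250.1-10.250.250.100 mask 255.255.255.0
access-list split_tunnel standard permit 192.168.200.0 255.255.255.0
nat (inside,outside) source static LAN_A LAN_A destination static VPN_SUBNET VPN_SUBNET
"""

# The three lines the thread adds to make the remote site reachable.
FIXED_CONFIG = BROKEN_CONFIG + """\
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
nat (inside,outside) source static LAN_B LAN_B destination static VPN_SUBNET VPN_SUBNET
same-security-traffic permit intra-interface
"""

# Object name -> network/mask for every LAN the client must reach (assumed names).
LANS: Dict[str, str] = {
    "LAN_A": "192.168.200.0 255.255.255.0",   # LAN behind the VPN ASA
    "LAN_B": "192.168.1.0 255.255.255.0",     # LAN across the point-to-point link
}


def split_tunnel_networks(config: str, acl: str) -> set:
    """Networks a standard split-tunnel ACL pushes to the client."""
    pat = re.compile(rf"^access-list {re.escape(acl)} standard permit (\S+ \S+)$", re.M)
    return set(pat.findall(config))


def nat_exempt_sources(config: str, vpn_obj: str) -> set:
    """Source objects that are identity-NATed towards the VPN pool object."""
    pat = re.compile(
        rf"^nat \(inside,outside\) source static (\S+) \1 destination static "
        rf"{re.escape(vpn_obj)} {re.escape(vpn_obj)}$", re.M)
    return set(pat.findall(config))


def check_anyconnect_reach(config: str, acl: str, vpn_obj: str,
                           lans: Dict[str, str]) -> List[str]:
    """Return the gaps the thread walked through; an empty list means all present."""
    findings: List[str] = []
    permitted = split_tunnel_networks(config, acl)
    exempted = nat_exempt_sources(config, vpn_obj)
    for obj, net in lans.items():
        if net not in permitted:
            findings.append(f"split-tunnel ACL {acl} lacks {net}")
        if obj not in exempted:
            findings.append(f"no identity NAT for {obj} to {vpn_obj}")
    if not re.search(r"^same-security-traffic permit intra-interface$", config, re.M):
        findings.append("same-security-traffic permit intra-interface missing")
    return findings
```

Run it against a `show running-config` saved to a file; the routes for the pool on the 881s are a separate check on the routers and are not covered here.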
02-25-2016 12:08 PM
Adding this fixed it. I am able to traverse both sides when connected via AnyConnect. Thank you so much!
02-25-2016 12:21 PM
Yay! Please rate and mark as correct those responses which helped you. :-)
02-25-2016 11:58 AM
I apologize. I'm getting confused calling them A & B as well. Haha. I've fixed the uploaded configs.
02-25-2016 11:40 AM
Add the below command:
same-security-traffic permit intra-interface
Traffic is hair-pinning from one site to another, so please add this command on the ASA terminating the VPN.
Share the packet-tracer output from the VPN-terminating ASA:
packet-tracer input outside icmp <pool ip> 8 0 <destination IP> detail
and on the outside interface allow icmp any any (for testing).
Share the output of the below command:
sh run all sysopt
02-25-2016 09:13 AM
Hello
How's the fiber connected? Is it direct IP connectivity, or do you have a site-to-site tunnel between site A and site B?
If you have an L2L tunnel then you will have to modify the crypto ACLs; if you have IP traffic without encryption then you need to have reverse routes for the VPN pool traffic on the site B network devices..... e.g. as per your config you will need routes for 10.251.251.1/24 pointing to site A on a hop-by-hop basis ;)
hope that helps
regards
#Rohan
02-25-2016 09:27 AM
It's direct connectivity. From the port on the fiber NID it's plugged into a 881. The ASA has a route pointing the traffic for the remote site to the router.
02-25-2016 09:49 AM
When the client is connected to ASA 1 on site A, are you able to ping the client IP, e.g. 10.251.251.1, from ASA2 on site B?