11-19-2018 04:44 PM - edited 02-21-2020 09:30 PM
We recently transitioned all of our policy-based site-2-site VPNs over to route-based VPNs using VTIs. The new VTI configuration for site-2-site VPNs works so slick. However, we can't get the AnyConnect VPN clients access to the downstream locations with this new configuration.
We have a hub-n-spoke site-2-site VPN design with 1 central office and about 20 remote sites. The AnyConnect clients terminate on the central office ASA. The site-2-site VPNs work great and routing between them works. The AnyConnect VPN clients can connect and access resources local to the central office, but cannot access anything over the site-2-site VPNs.
After hours of searching and head scratching we still cannot get it to work. The most promising resource we found was this community post, which describes the configuration for policy-based VPNs. Unfortunately, we still haven't been able to get it working.
Since there are no crypto-maps, access-lists and NAT statements for VTIs, the relevant central ASA VPN config is best represented as:
## Site-to-Site Tunnel Config
interface Tunnel1
 nameif Site-to-Site-VPN
 ip address 169.254.225.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 111.111.111.111
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Site-to-Site-VPN-Profile
route Site-to-Site-VPN 192.168.2.0 255.255.255.0 169.254.225.2 1
crypto ipsec ikev2 ipsec-proposal L2L-VPN-AES-GCM-256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ipsec profile Site-to-Site-VPN-Profile
 set ikev2 ipsec-proposal L2L-VPN-AES-GCM-256
 set pfs group24
 set security-association lifetime seconds 28800
crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity null
 group 24
 prf sha512
 lifetime seconds 28800
group-policy Site-to-Site-VPN-Policy internal
group-policy Site-to-Site-VPN-Policy attributes
 vpn-tunnel-protocol ikev2
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 general-attributes
 default-group-policy Site-to-Site-VPN-Policy
tunnel-group 111.111.111.111 ipsec-attributes
 isakmp keepalive threshold 60 retry 5
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

## AnyConnect VPN Config
object network Office-Network
 subnet 192.168.1.0 255.255.255.0
object network Remote-Office-Network
 subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_25
 subnet 192.168.100.0 255.255.255.128
access-list AnyConnect_Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list AnyConnect_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
nat (outside,inside) source static NETWORK_OBJ_192.168.100.0_25 NETWORK_OBJ_192.168.100.0_25 destination static Office-Network Office-Network no-proxy-arp route-lookup
nat (outside,outside) source static NETWORK_OBJ_192.168.100.0_25 NETWORK_OBJ_192.168.100.0_25 destination static Remote-Office-Network Remote-Office-Network no-proxy-arp route-lookup
group-policy RemoteUserVPN-Policy internal
group-policy RemoteUserVPN-Policy attributes
 wins-server none
 dns-server value 192.168.1.10 192.168.1.11
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AnyConnect_Split_Tunnel_List
 default-domain value abc.com
 split-tunnel-all-dns disable
tunnel-group RemoteUserVPN type remote-access
tunnel-group RemoteUserVPN general-attributes
 address-pool VPNUser-Pool
 authentication-server-group AD-LDAP
 default-group-policy RemoteUserVPN-Policy
 password-management
same-security-traffic permit intra-interface
I've summarized and generalized as much as I could, but hopefully it still provides enough information for someone to help diagnose the issue.
Any help is greatly appreciated!
11-19-2018 05:03 PM
15 mins after posting this, I finally figured out the issue. It didn't have anything to do with either VPN configuration, but rather our default NAT statement. It was too broad. Focusing the NAT statement to only the local network and inside interface resolved the routing issues.
Unfortunately, I could not find a way to delete my post.
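The fix described in this reply, as an added audit check that is not part of the thread: it parses ASA twice-NAT lines, flags any dynamic PAT rule whose source interface is "any" (or the interface AnyConnect terminates on), since such a rule also matches VPN client traffic entering on outside and translates spoke-bound packets that the exemptions were meant to leave alone, and shows the narrowed (inside,outside) form. The broad rule in the sample is constructed; the exact original rule is not shown on the page.

```python
import re

# Constructed sample: the two NAT exemptions from the original post plus a broad
# "default" PAT rule of the kind the thread identified as the culprit (assumed form).
ASA_NAT_CONFIG = """\
nat (outside,inside) source static NETWORK_OBJ_192.168.100.0_25 NETWORK_OBJ_192.168.100.0_25 destination static Office-Network Office-Network no-proxy-arp route-lookup
nat (outside,outside) source static NETWORK_OBJ_192.168.100.0_25 NETWORK_OBJ_192.168.100.0_25 destination static Remote-Office-Network Remote-Office-Network no-proxy-arp route-lookup
nat (any,outside) after-auto source dynamic any interface
"""

# Matches the leading part of an ASA twice-NAT statement: interface pair,
# optional after-auto, and the source translation (static or dynamic).
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\)(?P<after>\s+after-auto)?"
    r"\s+source\s+(?P<kind>static|dynamic)\s+(?P<src>\S+)\s+(?P<mapped>\S+)"
)

def parse_nat_rules(config):
    """Return one dict per recognised nat line; unrelated lines are skipped."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules

def rules_translating_vpn_clients(rules, vpn_ingress_if="outside"):
    """Dynamic (PAT) rules that can match traffic entering on the interface where
    AnyConnect clients terminate. A source interface of 'any' matches that traffic,
    so client packets headed for the spokes get translated instead of exempted."""
    return [
        r for r in rules
        if r["kind"] == "dynamic" and r["src_if"] in ("any", vpn_ingress_if)
    ]

def narrowed_rule(rule, inside_if="inside"):
    """Rewrite a broad dynamic rule so it only translates traffic from the inside
    interface, which is the change the poster reported as the fix."""
    after = " after-auto" if rule["after"] else ""
    return (f"nat ({inside_if},{rule['dst_if']}){after} source dynamic "
            f"{rule['src']} {rule['mapped']}")

if __name__ == "__main__":
    for r in rules_translating_vpn_clients(parse_nat_rules(ASA_NAT_CONFIG)):
        print("broad rule:", r, "\nnarrowed:", narrowed_rule(r))
```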
04-12-2022 09:00 PM
My last NAT statement was Any Outside. Changing it to Inside Outside fixed the issue.