AnyConnect VPN client to Site-To-Site destination


Hi,

To begin with, I need to say I'm no expert on Cisco, so I'm sorry for the bad explanation.
I have tried to search for the answer and done a lot of configuration and testing, but I'm not able to solve this problem.

I always configure switches via CLI, but when configuring ASA I usually do ASDM and some CLI. So ASDM guidance is much appreciated, but if CLI is what you do then I would be more than happy.


Problem:
I have set up a site-to-site VPN between two sites that works just fine.
But when a user connects to site A with AnyConnect client, they are not able to reach any resources at site B via the Site-To-Site link.


Can someone please take a look at my running config and tell me what is missing?
I've removed almost all the configuration that I used while testing.
Some public names and IPs are changed.

AnyConnect network/address pool: 10.192.9.100 - 200

Site-To-Site local network (A): 10.192.8.0/24

Site-To-Site local network (B): 10.0.0.0/8


Thanks for any help I can get :)


4 Replies

Hi,

Your NAT exemption rules would be sourced from "outside" to destination "outside", to enable AnyConnect VPN users to access a site over the Site-to-Site VPN. Try something like this:

nat (OUTSIDE,OUTSIDE) source static NETWORK_OBJ_10.192.9.0_24 NETWORK_OBJ_10.192.9.0_24 destination static All_CompanyB_Networks All_CompanyB_Networks no-proxy-arp

HTH

Hi RJI,


Thanks for the reply.

I've already tested NAT Outside to Outside and it didn't work. I have reconfigured it now and tried to telnet a resource, but it's not working (ping to site B is not allowed).

Do you or anyone else have any more suggestions?

(Accepted Solution) Your crypto-map is referencing ACL - "access-list Outside_cryptomap_5 extended permit ip 10.192.8.0 255.255.255.0 object All_CompanyB_Networks" - which doesn't include your RAVPN Pool network as source. You'll need to include that.

Also check your split-tunnel and include the remote networks.
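Putting the two replies together (the outside-to-outside NAT exemption from RJI's first reply, and the crypto ACL and split-tunnel points from the accepted answer), here is an added ASA CLI example of the pieces that have to line up for an AnyConnect user to reach site B over the site-to-site tunnel. This is not the poster's running config and not taken from the thread; it is built from the networks and object names stated above (pool 10.192.9.0/24, site A 10.192.8.0/24, site B 10.0.0.0/8, objects NETWORK_OBJ_10.192.9.0_24 and All_CompanyB_Networks, ACL Outside_cryptomap_5). The interface name "Outside", the split-tunnel ACL name SPLIT_TUNNEL, the group-policy name ANYCONNECT_GP and the test host 10.10.10.10 are assumptions chosen for the example.

```cisco
! --- Objects (names from the thread; contents assumed from the stated networks) ---
object network NETWORK_OBJ_10.192.9.0_24
 subnet 10.192.9.0 255.255.255.0
object network All_CompanyB_Networks
 subnet 10.0.0.0 255.0.0.0

! --- 1. Hairpin: AnyConnect traffic enters on Outside and must leave on Outside ---
! Without this the ASA drops traffic that arrives and departs on the same interface.
same-security-traffic permit intra-interface

! --- 2. Identity NAT (NAT exemption) for pool -> site B ---
! Keeps the pool address as source and prevents any outside PAT rule from
! rewriting it before the crypto ACL is evaluated. route-lookup makes the ASA
! use the routing table rather than the NAT rule to pick the egress interface.
nat (Outside,Outside) source static NETWORK_OBJ_10.192.9.0_24 NETWORK_OBJ_10.192.9.0_24 destination static All_CompanyB_Networks All_CompanyB_Networks no-proxy-arp route-lookup

! --- 3. Crypto ACL: the pool must be a permitted SOURCE, not only the site A LAN ---
! The existing line only covers 10.192.8.0/24; pool traffic never matched it,
! so the ASA never tried to encrypt it toward site B.
access-list Outside_cryptomap_5 extended permit ip 10.192.8.0 255.255.255.0 object All_CompanyB_Networks
access-list Outside_cryptomap_5 extended permit ip object NETWORK_OBJ_10.192.9.0_24 object All_CompanyB_Networks

! --- 4. Split tunnel: send both site A and site B through the client tunnel ---
! Site B is a /8, so the mask is 255.0.0.0; a /24 mask here (the poster's bug)
! would push only 10.0.0.0/24 into the tunnel and leave the rest to the local LAN.
access-list SPLIT_TUNNEL standard permit 10.192.8.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0

group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! --- Verification (run after a client is connected; 10.10.10.10 is a constructed site B host) ---
! A second IPsec SA should appear with local ident 10.192.9.0/255.255.255.0 and
! remote ident 10.0.0.0/255.0.0.0; packet-tracer should end in ALLOW with a VPN phase.
! show crypto ipsec sa
! packet-tracer input Outside tcp 10.192.9.100 12345 10.10.10.10 23 detailed
```

Two things to check on the far side as well: the site B peer's crypto ACL needs the mirrored entry (10.0.0.0/8 to 10.192.9.0/24) or phase 2 will fail on a proxy-ID mismatch for the new SA, and site B also needs its own NAT exemption for the pool. Note that the lines under "Verification" are comments so the block can be pasted whole; run them separately from exec mode.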

Thanks RJI !


I had already tested this but when I did a reconfig now, I could see that I had configured the wrong netmask in split tunnel.