Anyconnect VPN routing issue

zjimenez07
Level 1

Hello,

We have users connecting through the Cisco AnyConnect client to an ASA.  Those users are getting an address in the 172.30.13.0/24 subnet which is only for the VPN clients.  The ASA is at 172.22.13.253, connected to a core switch at 172.22.13.254.  There is a VPN to another site through a separate firewall (172.22.13.245) that we are trying to get through to ultimately talk to a server on a 10.10.0.0/24 network.  The connected client does not seem to be able to send traffic over that VPN.  We have tested while connected to the VPN client and we can ping through the core but we cannot ping the 172.22.13.245 firewall and of course since that’s where the site to site terminates we can't get over it.  We have tried adding static routes to just about everything but the ASA itself.

3 Replies

@zjimenez07

Do you have a NAT exemption rule to ensure traffic from the RAVPN network is not unintentionally translated?

 

Can you provide your configuration?

 

Is the RAVPN network 172.30.13.0/24 defined in the crypto ACL that permits traffic over the VPN? This needs to be mirrored on the peer device as well.

 

Can you run the packet-tracer from the CLI - "packet-tracer input <outside int name> icmp 172.30.13.192 8 0 10.10.0.55" and provide the output.

@Rob Ingram Let me preface this by stating I inherited this network and it's a bit beyond my scope of knowledge.

 

1. Do you have a NAT exemption rule to ensure traffic from the RAVPN network is not unintentionally translated?

Not that I'm aware of.

2. Can you provide your configuration?

Is there a specific section you are wanting to see?

 

3. Is the RAVPN network 172.30.13.0/24 defined in the crypto ACL that permits traffic over the VPN? This needs to be mirrored on the peer device as well. 

The other VPN goes through a different brand of firewall and it is defined in the tunnels, yes. 

 

4. Can you run the packet-tracer from the CLI - "packet-tracer input <outside int name> icmp 172.30.13.192 8 0 10.10.0.55" and provide the output.

We are using the ASDM to configure the ASA. Would this be the Packet Capture Wizard?