AnyConnect VPN to access both networks via Site-to-Site L2L

Greetings,

 

Problem:

I have set up a site-to-site VPN between two sites that works just fine.
A VPN user connects to Site A and can access its resources, but while connected to Site A they are not able to reach any resources at Site B via the site-to-site tunnel. How do I add the Site B network so that VPN users can access both Site A and Site B?

 

Thanks

5 Replies

balaji.bandi
Hall of Fame

You should allow the AnyConnect pool IP addresses in the ACL of the site-to-site VPN.

 

BB


Hi,

As well as modifying the ACL that defines the interesting traffic for the VPN to include the RAVPN IP pool networks, you will also need to configure the command same-security-traffic permit intra-interface, which allows traffic to hairpin and route back out the same interface it came in on.

 

Also, you will probably need a NAT exemption rule to ensure traffic is not unintentionally NATted from the RAVPN pool to the SITEB networks. E.g.:

 

nat (OUTSIDE,OUTSIDE) source static RAVPN-NETWORKS RAVPN-NETWORKS destination static SITEB-NETWORKS SITEB-NETWORKS

 

The source and destination interface would be the name of the outside interface on which the VPN tunnels terminate, but it may not necessarily be called OUTSIDE.

 

HTH

Just to get a clearer understanding, I need to add (in this order):

 

1. AnyConnect pool IP addresses: add a new ACL for the site-to-site VPN interesting traffic, listed below

         access-list 100 line 1 extended permit ip object SITE_A object SITE_B
         access-list 100 line 2 extended permit ip object VPN_POOL object SITE_B


2. Add the command same-security-traffic permit intra-interface (which already exists)

 

3. A new NAT exemption rule

Yes, all of that configuration is required. Your ACL seems OK; just make sure the other site's VPN is reconfigured to include the VPN_POOL network as well.
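A complete worked configuration for the three steps confirmed above, covering both ASAs, as an added example that is not from the thread; the object names, interface names (INSIDE/OUTSIDE) and addresses are constructed, and the split-tunnel note covers a case the replies do not mention.

```cisco
! --- Site A ASA (hub): AnyConnect terminates here, L2L tunnel to Site B ---
! Object names, interface names and addresses are constructed for this example.
object network SITE_A_LAN
 subnet 10.1.0.0 255.255.0.0
object network SITE_B_LAN
 subnet 10.2.0.0 255.255.0.0
object network VPN_POOL
 subnet 192.168.100.0 255.255.255.0
!
ip local pool ANYCONNECT_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
! 1. Crypto (interesting-traffic) ACL for the L2L tunnel: LAN-to-LAN plus pool-to-Site-B
access-list L2L_SITEB extended permit ip object SITE_A_LAN object SITE_B_LAN
access-list L2L_SITEB extended permit ip object VPN_POOL object SITE_B_LAN
!
! 2. Let traffic enter and leave the same interface (AnyConnect in, L2L out on OUTSIDE)
same-security-traffic permit intra-interface
!
! 3. NAT exemption so pool <-> Site B traffic is never translated
nat (OUTSIDE,OUTSIDE) source static VPN_POOL VPN_POOL destination static SITE_B_LAN SITE_B_LAN no-proxy-arp route-lookup
!
! If the AnyConnect group policy uses split tunneling (not discussed in the thread),
! the split-tunnel ACL must also list Site B, or the client never sends that traffic into the tunnel.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.0.0
!
! --- Site B ASA: mirror image, so the tunnel's proxy identities cover the pool from its side too ---
object network SITE_A_LAN
 subnet 10.1.0.0 255.255.0.0
object network SITE_B_LAN
 subnet 10.2.0.0 255.255.0.0
object network VPN_POOL
 subnet 192.168.100.0 255.255.255.0
access-list L2L_SITEA extended permit ip object SITE_B_LAN object SITE_A_LAN
access-list L2L_SITEA extended permit ip object SITE_B_LAN object VPN_POOL
nat (INSIDE,OUTSIDE) source static SITE_B_LAN SITE_B_LAN destination static SITE_A_LAN SITE_A_LAN no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static SITE_B_LAN SITE_B_LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Verification on Site A: the pool -> Site B identity must show as its own SA on both sides,
! and the trace must end in a VPN encrypt action rather than a NAT or drop.
! show crypto ipsec sa | include local ident|remote ident
! packet-tracer input OUTSIDE icmp 192.168.100.10 8 0 10.2.0.10
```

If the pool-to-Site-B SA is missing on one side only, that side's crypto ACL is the one still lacking the VPN_POOL entry.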

I have configured both sides and have done packet traces, which are successful both ways, but I still can't hit SITE B from my AnyConnect client.

 

 

Thanks for your help