08-17-2021 04:38 AM
Hello,
I have a scenario I am trying to troubleshoot for a customer. They have remote users that come into a corporate location via Cisco AnyConnect remote access VPN. They use the outside interface of the ASA to establish the remote access connection for those users. There is also a site-to-site VPN tunnel going to an AWS VPC that also uses the outside interface. What I need help figuring out is how to allow the users to go through the IPsec site-to-site tunnel and access resources within the VPC. I need some high-level assistance with where I should start to look, and whether this is a NAT issue or an ACL is missing. Please help!!
Thank You
08-17-2021 04:56 AM
If you want the users to enter and exit back out the same interface, you'll need to configure same-security-traffic permit intra-interface, and you'll also need a NAT exemption rule where the source and destination interfaces are both "outside":
nat (outside,outside) source static RAVPN RAVPN destination static VPN VPN
Any problems please run packet-tracer from the CLI and provide the output for review.
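The following is an added, worked ASA configuration illustrating the answer above; it is not from the original reply. The interface name "outside", the object names RAVPN_POOL and AWS_VPC, the subnets 10.10.10.0/24 (AnyConnect address pool) and 172.31.0.0/16 (VPC CIDR), and the packet-tracer test addresses are all assumptions chosen for the example.

```text
! Allow traffic that arrives on "outside" (AnyConnect) to leave via "outside" (site-to-site tunnel).
same-security-traffic permit intra-interface

! Assumed objects: the AnyConnect address pool and the remote VPC network.
object network RAVPN_POOL
 subnet 10.10.10.0 255.255.255.0
object network AWS_VPC
 subnet 172.31.0.0 255.255.0.0

! Identity (exemption) NAT so the pool addresses are not translated before they hit the crypto map.
! no-proxy-arp and route-lookup are the usual companions for a twice-NAT exemption on the same interface.
nat (outside,outside) source static RAVPN_POOL RAVPN_POOL destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup

! Caveat (general ASA/IPsec behaviour, not stated in the thread): the pool must also be "interesting
! traffic" for the site-to-site tunnel. Assuming the crypto ACL is named AWS_S2S_TRAFFIC:
access-list AWS_S2S_TRAFFIC extended permit ip object RAVPN_POOL object AWS_VPC
! and, if the AnyConnect group policy split-tunnels, the VPC network must be in the split-tunnel ACL
! (assumed name SPLIT_TUNNEL), otherwise the client never sends VPC traffic into the tunnel:
access-list SPLIT_TUNNEL standard permit 172.31.0.0 255.255.0.0
! The AWS side (VPN connection static routes or BGP advertisements) must likewise include 10.10.10.0/24.

! Verification: simulate a client in the pool reaching a host in the VPC on TCP/443.
! The trace should show the NAT exemption phase matching and the VPN/encrypt phase as the final action.
packet-tracer input outside tcp 10.10.10.5 12345 172.31.1.10 443 detailed
```

If packet-tracer ends with a DROP at the NAT phase, the object in the exemption rule does not match the pool actually assigned to clients; if it drops at the VPN phase, the crypto ACL or the remote side's route/CIDR list is the missing piece.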
08-19-2021 09:22 AM
Rob,
Thanks so much for the reply. The "VPN VPN" portion of the command listed above, is that the site-to-site VPN outside IP?
Thank You
08-19-2021 09:30 AM
The "VPN" object represents the network(s) of the remote resources over the IPsec tunnel, not the outside IP address.
Also, the "RAVPN" object represents the remote access VPN IP address pool network.
08-19-2021 09:51 AM
Rob,
Thank you. I created the NAT rule and already had the intra-interface command on the ASA. The NAT rule doesn't seem to do anything. I can connect with the RAVPN and get an IP from the pool, but I'm not sure how to make that IP go through the IPsec tunnel. I can attach a config if needed.
Thank You
08-19-2021 09:59 AM
Rob,
Disregard the last reply. The NAT rule worked perfectly; I just needed to input the correct pool. An oversight on my end.
Thank You so much!!!!!