02-13-2023 08:47 AM
Hello all,
I'm a little stumped. I have a 5525-X with 2 ISPs and an MPLS. I previously had AnyConnect on ISP1 (Outside) and VPN connections to my other sites (this is a datacenter) going through ISP2 (BackupInternet). Users could connect to the VPN and connect to remote sites over the site-to-site VPNs terminating on ISP2.
webvpn
enable outside
hsts
enable
max-age 31536000
include-sub-domains
etc....
Due to some carrier issues, I had to flip the site-to-site VPN to go out ISP1 (Outside). AnyConnect users could now not connect to the remote sites (most likely a reverse path violation?). My solution was to move AnyConnect to the backup internet:
webvpn
enable BackupInternet <- only change
hsts
enable
max-age 31536000
In routing, my default route has never changed and has been out ISP1. In order to get my users to connect to AnyConnect, I need to add a specific host route to their home public IP. Users can now connect to AnyConnect on BackupInternet, however no internal resources are reachable. I've been thinking of this all weekend and can't figure out the issue.
Note: both ISPs had a security level of 0. I tried switching ISP2 to security level 10; this made no difference, however. Any suggestions would be appreciated. If something is unclear, please ask and I'm more than happy to explain further.
02-13-2023 10:41 AM - edited 02-13-2023 10:50 AM
@Scott Whitney you probably need a NAT exemption rule to/from that new interface, depending on whether there are other NAT rules for that new interface that may unintentionally be translating the traffic.
nat (inside,BackupInternet) source static LAN LAN destination static RAVPN RAVPN
If that doesn't work run packet-tracer to simulate the traffic flow, please provide the output for review.
02-13-2023 10:28 AM
Can you post more config bits, and some logs here for us to review?
After you move site to site towards ISP1, is any connection working as expected? and site-to-site failing? or both not working?
02-13-2023 10:57 AM
The site-to-site tunnels work as expected. I think Rob may be onto something though, will respond there.
02-13-2023 11:07 AM
@Rob Ingram Thank you, you were 100% right. I had that entry but for outside. removed outside, added backup, up 100%.
Thank you both for chipping in.
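The fix Rob described and Scott confirmed (identity NAT bound to the wrong interface, moved to the interface the tunnel now terminates on), written out as an added example rather than config from the thread. The object names LAN and RAVPN come from the thread; the subnets and host addresses are constructed placeholders, and the route-lookup keyword is an addition the thread did not use.

```cisco
! Objects referenced by the NAT line in the thread. Names are from the post;
! the subnets are constructed placeholders for a LAN range and an AnyConnect pool.
object network LAN
 subnet 10.10.0.0 255.255.0.0
object network RAVPN
 subnet 10.250.0.0 255.255.255.0

! Before: the exemption is bound to the interface AnyConnect used to terminate on.
! Once "webvpn / enable BackupInternet" moved the tunnel, this rule no longer
! matches LAN->VPN-client flows, so any dynamic PAT for inside->BackupInternet
! (if present) translates the replies and they never reach the client.
nat (inside,outside) source static LAN LAN destination static RAVPN RAVPN

! After: same identity (exempt) rule, now bound to the interface where the
! AnyConnect tunnel terminates. route-lookup makes the ASA use the routing
! table for egress instead of the mapped interface in the rule.
no nat (inside,outside) source static LAN LAN destination static RAVPN RAVPN
nat (inside,BackupInternet) source static LAN LAN destination static RAVPN RAVPN route-lookup

! Check: simulate a LAN host (constructed 10.10.5.20) replying to a VPN client
! (constructed 10.250.0.7). The NAT phase should show the identity rule above
! and the result should be ALLOW with output-interface BackupInternet.
packet-tracer input inside tcp 10.10.5.20 445 10.250.0.7 51000 detailed
```

If the trace still shows a translation in the NAT phase, a more specific or earlier-ordered rule is still matching and should be reviewed with "show nat detail".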