10-25-2013 02:22 PM - edited 02-21-2020 07:16 PM
Hello,
I am somewhat new to Cisco and routing. I have an installation of two ASA 5505's that are set up for site-to-site VPN as well as AnyConnect. The AnyConnect subnet can connect into the inside VLAN at Site A, but I cannot get to the remote subnet at Site B when using AnyConnect. Any ideas? Do I need to add the 10.0.7.0/24 subnet to the site-to-site policy? Do I need to set up more NAT rules? Details below.
Site A: ASA 5505 8.2
Outside: 173.X.X.X/30
Inside: 10.0.5.0/24
AnyConnect: 10.0.7.0/24
Site B: ASA 5505 8.2
Outside: 173.X.X.X/30
Inside: 10.0.6.0/24
The AnyConnect subnet cannot access the 10.0.6.0/24 network.
Any help would be greatly appreciated!! Thanks!
10-25-2013 04:33 PM
Hello Kevin,
You need to do identity U-turning, i.e. (outside,outside) identity NAT, basically for both subnets (AnyConnect and Remote_IPSec).
And of course include the traffic in the crypto ACL for the IPSec and in the split tunnel (if used) with the AnyConnect.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
10-26-2013 01:09 PM
Hi Kevin,
You would need to exempt the traffic coming from AnyConnect and going over the site-to-site tunnel.
Here is the list of changes you need to make, with an example:
The NAT exemption ACL (ASA syntax; the NAT 0 statement goes on the outside interface because the AnyConnect traffic arrives there):
access-list anyconnect_to_site extended permit ip 10.0.7.0 255.255.255.0 10.0.6.0 255.255.255.0
nat (outside) 0 access-list anyconnect_to_site
======================================
Addition to the crypto ACL on Site A:
permit ip 10.0.7.0 255.255.255.0 10.0.6.0 255.255.255.0
========================================
Addition to the crypto ACL on Site B (the mirror image of the Site A entry):
permit ip 10.0.6.0 255.255.255.0 10.0.7.0 255.255.255.0
========================================
If you have implemented split tunnelling on AnyConnect, you need to add 10.0.6.0 to the split-tunnel ACL so the client sends that traffic to the ASA (substitute your own split-tunnel ACL name for the placeholder):
access-list <SPLIT_TUNNEL_ACL_NAME> standard permit 10.0.6.0 255.255.255.0
==============================================================
You would also need to implement the following command, since the traffic enters and leaves on the same (outside) interface:
same-security-traffic permit intra-interface
=================================================
I hope this helps,
Regards,
~Harry
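Harry's change list, assembled into a consistent pair of ASA 8.2 configuration fragments for both sites, as an added example that is not configuration from the original thread. The subnets are the ones Kevin posted; the ACL, pool, group-policy and crypto-map names, the peer addresses and the interface nameifs are placeholders I chose.

```cisco
! ===== Site A (hosts the AnyConnect pool 10.0.7.0/24, inside 10.0.5.0/24) =====
! Allow traffic that arrives on outside (AnyConnect) to leave on outside (IPsec).
same-security-traffic permit intra-interface
!
ip local pool ANYCONNECT_POOL 10.0.7.1-10.0.7.254 mask 255.255.255.0
!
! Crypto ACL: both the inside LAN and the AnyConnect pool are interesting traffic to Site B.
access-list CRYPTO_TO_SITEB extended permit ip 10.0.5.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list CRYPTO_TO_SITEB extended permit ip 10.0.7.0 255.255.255.0 10.0.6.0 255.255.255.0
!
! NAT exemption (8.2 "nat 0"): inside LAN -> Site B and -> AnyConnect pool,
! plus the U-turn case AnyConnect pool -> Site B, which is exempted on the outside interface.
access-list NONAT_INSIDE extended permit ip 10.0.5.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list NONAT_INSIDE extended permit ip 10.0.5.0 255.255.255.0 10.0.7.0 255.255.255.0
access-list NONAT_OUTSIDE extended permit ip 10.0.7.0 255.255.255.0 10.0.6.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
nat (outside) 0 access-list NONAT_OUTSIDE
!
! Split tunnel: clients must route both the local LAN and the remote LAN into the tunnel.
access-list SPLIT_TUNNEL standard permit 10.0.5.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.0.6.0 255.255.255.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
crypto map OUTSIDE_MAP 10 match address CRYPTO_TO_SITEB
crypto map OUTSIDE_MAP 10 set peer <SITE_B_PUBLIC_IP>
crypto map OUTSIDE_MAP interface outside
!
! ===== Site B (inside 10.0.6.0/24) =====
! Crypto ACL must mirror Site A's entries exactly, including the AnyConnect pool.
access-list CRYPTO_TO_SITEA extended permit ip 10.0.6.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list CRYPTO_TO_SITEA extended permit ip 10.0.6.0 255.255.255.0 10.0.7.0 255.255.255.0
!
! NAT exemption so replies to both remote subnets are not translated.
access-list NONAT_INSIDE extended permit ip 10.0.6.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list NONAT_INSIDE extended permit ip 10.0.6.0 255.255.255.0 10.0.7.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
!
crypto map OUTSIDE_MAP 10 match address CRYPTO_TO_SITEA
crypto map OUTSIDE_MAP 10 set peer <SITE_A_PUBLIC_IP>
crypto map OUTSIDE_MAP interface outside
```

After applying, `show crypto ipsec sa` on either side should list a second SA pair for the 10.0.7.0/24 <-> 10.0.6.0/24 selector once an AnyConnect client sends traffic to Site B.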