Showing results for 
Search instead for 
Did you mean: 

ASA 8.4 RA VPN Routing issues


We currently have a 5510 located in our datacenter and a number of edge devices (5505 and Checkpoint) at various client sites which have LAN-LAN VPNs back to the 5510 to access services (hub-spoke).  We also provide SSL VPN to our 5510 using AnyConnect to access remotely.

We've allowed users the ability to route to their 'home' 5505 ASA through our 5510.  Thus when someone logs in to our 5510 at the datacenter they can reach their offices LAN as well over the RA connection (the 5510 routing those packets to the respective 5505).

This all seemed to work fine with our Checkpoints and pre-8.4.4 5505s but for some reason now we cannot get the packets to route from the 5510 to any of the 8.4.4 5505s.

Here is a config from one of the 5505s related to VPN and RA connectivity:

object-group network DATACENTER-NETS

network-object object SERVICES-NET

network-object object RA-NET

access-list SERVICES-VPN-ACL extended permit ip object LOCAL-NET object-group DATACENTER-NETS

nat (inside,any) source static LOCAL-NET LOCAL-NET destination static DATACENTER-NETS DATACENTER-NETS no-proxy-arp route-lookup

crypto map services_map 2 match address SERVICES-VPN-ACL

crypto map services_map 2 set peer

crypto map services_map 2 set ikev1 transform-set secondaryset

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

ikev1 pre-shared-key *****

Thus when the user logs into our 5510 using AnyConnect they are assigned an IP from the respective pool (RA-NET) which is part of DATACENTER-NETS object group.  The users can hit SERVICES-NET just fine (5510) but when they try to get to LOCAL-NET (i.e, clients LAN) it fails. 

This all seemed to be working fine (even on our 8.4.1 5505s) until we installed a couple new ASAs w/ 8.4.4

Any help on this is much appreciated!


Everyone's tags (2)