03-02-2021 11:52 PM
Hello techs. I have the following scenario:
VPN Client >> ASA >> IPSEC TUNNEL >> Host. The VPN client is unable to reach the host at the remote location via the IPsec tunnel (10.10.10.1).
Local users connected to the ASA are able to reach the remote host via the IPsec tunnel (10.10.10.1).
Also, the VPN client is able to reach all hosts locally connected to the ASA. ASA Version 9.8.
Here is the scenario.
object-group network NO_NAT_LAN
network-object 1.1.0.0 255.255.0.0
network-object 2.2.0.0 255.255.0.0
object-group network NO_NAT_EXT
network-object 10.10.10.0 255.255.255.0
access-list ACL_VPN extended permit ip 1.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list ACL_VPN extended permit ip 2.2.0.0 255.255.0.0 10.10.10.0 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
nat (inside,outside) source static NO_NAT_LAN NO_NAT_LAN destination static NO_NAT_EXT NO_NAT_EXT
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
ikev1 pre-shared-key ...
crypto map mymap 10 match address ACL_VPN
crypto map mymap 10 set pfs group5
crypto map mymap 10 set peer 3.3.3.3
crypto map mymap 10 set ikev1 transform-set ....
access-list OUT extended permit ip 10.10.10.0 255.255.255.0 1.1.0.0
03-02-2021 11:59 PM - edited 03-03-2021 12:00 AM
VPN client means Cisco AnyConnect? If yes, you need to define a NAT rule for the VPN client(s) to reach the IPsec tunnel. You would also need to define the VPN client in your access-list, and again on the remote VPN router you need to add the ACL for the VPN client.
03-03-2021 12:17 AM
Hello Salim,
Many thanks for your answer.
I forgot to mention.
1.1.0.0 is the VPN subnet
2.2.0.0 is the local subnet (behind ASA)
NO_NAT_LAN contains both subnets. I have tried with the Cisco VPN client (old version).
Access list on the ASA that permits traffic from the remote location to both subnets:
access-list OUT extended permit ip 10.10.10.0 255.255.255.0 1.1.0.0
access-list OUT extended permit ip 10.10.10.0 255.255.255.0 2.2.0.0
Question: if I can reach the remote host - 10.10.10.1 - from the local subnet, can I "hide" my VPN subnet behind a local IP (NAT) in order to reach that IP?
Explained:
( Subnet 1.1.0.0 ) translated into 2.2.2.2 >> to reach remote 10.10.10.1
I don't know the syntax for that. Maybe source NAT is the concept.
03-03-2021 12:19 AM
What ASA code are you on?
03-03-2021 12:22 AM - edited 03-03-2021 12:23 AM
ASA Version 9.8. Also, on the remote side of the IPsec tunnel, both subnets (local and VPN) are permitted in the access list.
03-03-2021 12:33 AM
Could you please forward the configuration of your ASA and the remote side; change/hide the public IP addresses.
03-03-2021 01:29 AM
Hello, the other side is not a Cisco ASA, it is Oracle Cloud. I have no experience with Oracle Cloud, and it seems the guy who is managing that equipment has the same experience. But I have looked on his side, and I see logs from my VPN IP to the remote host.
Settings on the Oracle Cloud side are the same for policy and routing (LAN subnet and remote subnet).
03-03-2021 02:33 AM
object-group network NO_NAT_LAN
network-object 1.1.0.0 255.255.0.0
network-object 2.2.0.0 255.255.0.0
!
object-group network NO_NAT_EXT
network-object 10.10.10.0 255.255.255.0
!
access-list ACL_VPN extended permit ip 1.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list ACL_VPN extended permit ip 2.2.0.0 255.255.0.0 10.10.10.0 255.255.255.0
!
nat (inside,outside) source static NO_NAT_LAN NO_NAT_EXT destin static NO_NAT_LAN NO_NAT_EXT no-proxy-arp route-lookup
!
crypto map OUTSIDE 10 match address ACL_VPN
!
Can you share your ASA configuration please.
03-03-2021 03:28 AM
Hello, unfortunately I cannot post the whole config; it contains a lot of VPN tunnels already configured, and other information.
I have altered the real IPs, so it would take me days to recreate the config, but I have done some more debugging.
2.2.2.20 - LAN IP behind the ASA - working
1.1.1.10 - VPN IP connected through the ASA - not working
10.10.10.1 - remote host through the IPsec tunnel
ASA# packet-tracer input outside icmp 2.2.2.20 8 0 10.10.10.1
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static NO_NAT_LAN NO_NAT_LAN destination static NO_NAT_EXT NO_NAT_EXT
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.10.1/0 to 10.10.10.1/0
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA# packet-tracer input outside icmp 1.1.1.10 8 0 10.10.10.1
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NO_NAT1_lan NO_NAT1_lan
Additional Information:
NAT divert to egress interface inside
Untranslate 10.10.10.1/0 to 10.10.10.1/0
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
!older group:
object-group network NO_NAT1_lan
network-object 1.1.0.0 255.255.0.0
network-object 2.2.0.0 255.255.0.0
other network objects...
If I do a packet capture from the working subnet, I see echo request and reply. From the VPN subnet, only echo request.
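As an added illustration (not from the thread), a small Python helper that pulls out of packet-tracer output the fields this thread turns on and compares a working trace with a failing one; the sample traces are constructed, trimmed copies of the two runs quoted above. On these samples it shows that the VPN-client flow matched a different NAT rule and was diverted to the inside interface rather than hairpinned back out of outside like the LAN flow.

```python
# Constructed samples: trimmed copies of the two packet-tracer runs quoted in
# the thread (working LAN host 2.2.2.20 vs. failing VPN client 1.1.1.10).
TRACE_LAN = """\
ASA# packet-tracer input outside icmp 2.2.2.20 8 0 10.10.10.1
Phase: 2
Type: UN-NAT
nat (outside,outside) source static NO_NAT_LAN NO_NAT_LAN destination static NO_NAT_EXT NO_NAT_EXT
NAT divert to egress interface outside
Phase: 3
Type: ACCESS-LIST
Result: DROP
Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
TRACE_VPN = """\
ASA# packet-tracer input outside icmp 1.1.1.10 8 0 10.10.10.1
Phase: 1
Type: UN-NAT
nat (inside,outside) source static any any destination static NO_NAT1_lan NO_NAT1_lan
NAT divert to egress interface inside
Phase: 2
Type: ACCESS-LIST
Result: DROP
Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def summarize(text):
    # Walk the trace once, tracking the current phase type, and keep only the
    # matched NAT rule, egress interface, dropping phase and drop reason.
    out, ptype = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Type:"):
            ptype = line.partition(":")[2].strip()
        elif line.startswith("nat ") and ptype == "UN-NAT":
            out["nat_rule"] = line
        elif line.startswith("NAT divert to egress interface "):
            out["egress"] = line.rsplit(" ", 1)[1]
        elif line == "Result: DROP":
            out["dropped_in"] = ptype
        elif line.startswith("Drop-reason:"):
            out["drop_reason"] = line.partition(":")[2].strip()
    return out

def differing_fields(working, failing):
    # Field names whose values differ between a working and a failing trace.
    a, b = summarize(working), summarize(failing)
    return sorted(k for k in a if a.get(k) != b.get(k))
```

Running `differing_fields(TRACE_LAN, TRACE_VPN)` on real output from both hosts is a quick way to confirm whether the two flows are being diverted to the same egress interface before chasing the ACL drop itself.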
03-03-2021 07:48 AM
Can you try this:
object network OJB-1.1
HOST 1.1.1.10
!
nat (outside,inside) source dynamic OJB-1.1 2.2.0.1 destin static NO_NAT_EXT NO_NAT_EXT
03-04-2021 12:33 AM
Hi Salim,
Thank you for your effort.
I am not sure if your NAT line is correct. I think you meant:
nat (outside,inside) source dynamic OJB-1.1 OJB-1 destin static NO_NAT_EXT NO_NAT_EXT
I cannot add an IP (2.2.0.1), only an object.
But I did try that, and no luck. I'm guessing that I might have a problem with the ASA's famous U-turn or hairpinning.
I think that traffic is coming in on the ASA's outside interface (VPN client), then it tries to reach the remote host 10.10.10.1 via the IPsec tunnel through the same outside interface.
I also tried this:
access-list TCP-STATE-BYPASS permit ip 1.1.0.0 255.255.255.0 host 10.10.10.1
class-map TCP-STATE-BYPASS
match access-list TCP-STATE-BYPASS
policy-map inside_policy
class TCP-STATE-BYPASS
set connection advanced-options tcp-state-bypass
service-policy inside_policy interface inside
https://community.cisco.com/t5/security-documents/u-turning-hairpinning-on-asa/ta-p/3111388
No luck
03-04-2021 01:12 AM
Sorry, it's my fault, I did not explain.
Correct me if I am getting it right. You have an AnyConnect client in the range 1.1.1.x connected to the ASA, and from the ASA you have a site-to-site VPN tunnel to the remote end, and the remote-end IP range is 10.10.10.x. I also noted you have a subnet connected/behind the ASA, 2.2.2.x.
If the above network is right, the problem is that your AnyConnect (VPN client) could not reach the remote tunnel. This could be caused by NAT rules.
If your AnyConnect traffic is landing on the ASA, it can access the local network (2.2.2.x) as you have defined a NAT rule. Now 2.2.2.x needs to access the site-to-site VPN at the remote end. For this you need to define a NAT rule for the VPN client (AnyConnect) to communicate with the remote tunnel network.
I propose you use one IP from 2.2.2.x which is not used anywhere, so you can fine-tune the AnyConnect pool to be translated into 2.2.2.30, so this 2.2.2.30 can communicate with the remote site tunnel.
So the command should be like this:
nat (outside,inside) source dynamic ANYCONNECT-POOL OBJ-2.2.2.30 destin static REMOTE-VPN-SUBNET REMOTE-VPN-SUBNET
03-04-2021 02:23 AM
Looking at your NAT configuration and packet tracer, it shows the ASA is doing the NAT exemption. But you need to speak to your remote side to make sure the remote end allows your VPN clients to communicate with their local network range.
03-04-2021 04:32 AM
Thank you Salim for your help. I've forwarded the problem to the remote location to check their settings...
03-08-2021 05:09 AM
Unfortunately, from the other side, they told me everything is set up OK.