So this has been going on for weeks now, I have a client that we set up with two ASA 5506's to add to the one that they already had configured. All 3 are in separate physical locations, site to site VPN's are established and working.
All three ASA's are also configured for remote VPN clients, and all of them can be accessed via Anyconnect, IPSec client, etc. and gain access to the network behind whichever ASA they connect to.
However, when connected via VPN clients cannot connect to the other sites, in other words they can't use the site to site VPN tunnels from their client. If they were to ssh into a machine on the internal network, they could then access remote machines via the site to site VPN, hence the site to site VPN's work fine for anything coming from the internal networks.
Hairpinning is enabled, however I've been troubleshooting this for more hours than I can even remember, and have spent a little time with Cisco support whose suggestions have not helped either up to this point (have been unable to get in touch with them today, will continue trying). This is such a time critical thing and has been going on for so long with no end in sight, that I'm desperately looking for help anywhere I can get it at this point, hence the post.
Here's what I think are relevant pieces of the config on the one ASA I'm trying to get working (it's not being used so I can work on it without fear of disrupting anyone).:
Inside network (Site1): 192.168.0.0
VPN/Anyconnect pool (Site1): 192.168.1.0
Remote Network (Site2): 192.168.2.0
same-security-traffic permit intra-interface
access-list Split_Tunnel extended permit ip object-group SplitTunnel any
object-group network SplitTunnel
network-object 192.168.0.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
access-list L2LSite1ToSite2 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2LSite1ToSite2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
I "think" this is the important stuff regarding my issue, if you need more of the config I'm happy to provide more. Essentially the only thing Cisco support has suggested so far was adding the above nat (outside,outside) statement, as I did not have that in there initially. Unfortunately it didn't fix the issue, but it needed to be in there I guess.