680 Views, 0 Helpful, 3 Replies

Cannot pass traffic from Anyconnect VPN user through a Site to Site VPN on another ASA

Zane Abbott
Level 1

Hello, 

I have two ASAs set up at site A; ASA1 has AnyConnect users that connect for remote access. ASA2 has a site-to-site VPN link with site B. I would like my AnyConnect users on ASA1 to be able to access hosts on the remote side of my site-to-site VPN on ASA2. To accomplish this, I added the IP space used by AnyConnect clients on ASA1 to the tunnel properties of the site-to-site VPN on ASA2 (as well as the tunnel properties of the remote VPN device at site B). I also added the subnets of the AnyConnect clients and the remote site B network to the NAT statements and routes.

Here is the relevant configuration of ASA1 (AnyConnect) and ASA2 (site-to-site) at site A:


ASA1:
!
object network net-AzureProd
subnet 10.10.10.0 255.255.254.0
object network 10.20.20-subnet
subnet 10.20.20.0 255.255.252.0
!
access-list split standard permit 10.10.10.0 255.255.254.0
access-list split standard permit 10.10.12.0 255.255.254.0
!
group-policy AnyConnect attributes
wins-server value 10.5.200.20 10.5.200.24
dns-server value 10.5.200.20 10.5.200.24
vpn-idle-timeout 20
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value ***net.com
!
nat (inside,any) source static 10.20.20-subnet 10.20.20-subnet destination static net-AzureProd net-AzureProd no-proxy-arp route-lookup
!
route inside 10.10.10.0 255.255.254.0 10.5.200.252 1
!

ASA2:
!
object network net-AzureProduction
subnet 10.10.10.0 255.255.254.0
object network net-AzureSiteRecovery
subnet 10.10.12.0 255.255.254.0
object network net-Internal
subnet 10.5.0.0 255.255.0.0
object network net-AnyConnectVPN
subnet 10.20.20.0 255.255.252.0
object-group network nets-Azure
network-object object net-AzureProduction
network-object object net-AzureSiteRecovery
object-group network nets-MLS_4205NYC
network-object object net-Internal
network-object object net-AnyConnectVPN
!
access-list acl-vpn-AzureProd extended permit ip object-group nets-MLS_4205NYC object net-AzureProduction
!
crypto map crypto-map-Azure 10 match address acl-vpn-AzureProd
crypto map crypto-map-Azure 10 set peer 2.2.2.2
crypto map crypto-map-Azure 10 set ikev1 transform-set azure-ipsec-proposal-set
crypto map crypto-map-Azure interface outside
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy GroupPolicy_2.2.2.2
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key *****
!
nat (inside,outside) source static net-AnyConnectVPN net-AnyConnectVPN destination static net-AzureProduction net-AzureProduction no-proxy-arp route-lookup
nat (inside,outside) source static net-MLS_4205NYC net-MLS_4205NYC destination static net-AzureProduction net-AzureProduction no-proxy-arp route-lookup
!
route inside 10.20.20.0 255.255.252.0 10.5.0.2 1

!

3 Replies

mrsethi
Cisco Employee

Hi Zane,

>>Going through the description I understand the following:

>>AnyConnect users terminate the VPN on ASA1 and are given an IP address from the pool 10.20.20.0/255.255.252.0

>>The site-to-site VPN tunnel terminates on ASA2 with the following as the source and destination networks given in the crypto ACL, and it is correct:

access-list acl-vpn-AzureProd extended permit ip object-group nets-MLS_4205NYC object net-AzureProduction 

source:

10.5.0.0/16

10.20.20.0/22

destination:

10.10.10.0/23

>>As per the route on ASA1 to reach the 10.10.10.0/23 network, I believe that the traffic is forwarded to ASA2.

>>Going through the description, I assume that ASA1 is connected to the inside interface of ASA2.

>>I believe that the AnyConnect VPN is terminating on the outside interface of ASA1.

>>When the AnyConnect user tries to send traffic to the 10.10.10.0/23 network, the traffic will first come to ASA1's outside interface, and then ASA1 will forward the traffic to ASA2 from the same outside interface, so the "same-security-traffic permit intra-interface" command should be enabled on ASA1 so that ASA1 can U-turn the traffic and forward it to ASA2.

>>The rest of the configuration looks good.

Regards,

Mrutunjay Sethi

Thanks for your response. 

I believe I already have this set up on my ASA1:

 

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

Any other thoughts? 

I keep thinking this could be related to the interfaces in my NAT statement, especially given the traffic flow you mentioned. Right now my NATs are set up as (INSIDE, ANY) for traffic originating from the 10.20.20.0/22 (AnyConnect) subnet. Should this be different?

Hi Zane,

The traffic from the AnyConnect client will not even enter ASA1's inside and will get U-turned at the outside interface itself, so the NAT will not be applied even if it is there.

Could you please send me a topology diagram so that I can provide some more specific suggestions.

Regards,

Mrutunjay Sethi
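The checks discussed in this thread (does the AnyConnect pool fall inside ASA2's crypto ACL, does ASA1's route and split-tunnel list cover the destination, and does ASA1's nat (inside,any) line match a flow that arrives on the outside interface) can be walked through offline against the posted objects. The following is an added example, not code from the thread or from Cisco: a small Python model that loads the object, object-group, ACL, route and NAT lines exactly as posted in the question and evaluates a candidate flow. It models only the forward direction of a twice-NAT rule (the connection initiated from the real side) and does not model the egress interface, since the posted rules use route-lookup and routing decides that. The sample flows (10.20.20.5 to 10.10.10.7 and to 10.10.12.7) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Network objects copied from the two configs in the question. ASA1 uses
# different names for the same prefixes as ASA2, so both spellings are kept.
OBJECTS = {
    "net-AzureProd": ipaddress.ip_network("10.10.10.0/23"),          # ASA1
    "10.20.20-subnet": ipaddress.ip_network("10.20.20.0/22"),        # ASA1
    "net-AzureProduction": ipaddress.ip_network("10.10.10.0/23"),    # ASA2
    "net-AzureSiteRecovery": ipaddress.ip_network("10.10.12.0/23"),  # ASA2
    "net-Internal": ipaddress.ip_network("10.5.0.0/16"),             # ASA2
    "net-AnyConnectVPN": ipaddress.ip_network("10.20.20.0/22"),      # ASA2
}
GROUPS = {
    "nets-Azure": ["net-AzureProduction", "net-AzureSiteRecovery"],
    "nets-MLS_4205NYC": ["net-Internal", "net-AnyConnectVPN"],
}


def expand(name):
    """Return the prefixes behind an object or object-group name (recursive)."""
    if name in GROUPS:
        return [p for member in GROUPS[name] for p in expand(member)]
    return [OBJECTS[name]]


def covered(ip, name):
    """True if the address falls inside any prefix of the named object/group."""
    return any(ip in p for p in expand(name))


@dataclass(frozen=True)
class NatRule:
    """One twice-NAT line: nat (src_if,dst_if) source static real_src ... destination static real_dst ..."""
    src_if: str
    dst_if: str
    real_src: str
    real_dst: str

    def matches(self, ingress, src, dst):
        # The first interface in "nat (X,Y)" is where the real (untranslated)
        # source lives, i.e. the interface a forward-direction packet arrives
        # on; "any" matches every interface. Only the forward direction is
        # modelled here, and the egress interface is left to route-lookup.
        if self.src_if != "any" and self.src_if != ingress:
            return False
        return covered(src, self.real_src) and covered(dst, self.real_dst)


# ASA1 lines from the question.
ASA1_NAT = NatRule("inside", "any", "10.20.20-subnet", "net-AzureProd")
ASA1_SPLIT = [ipaddress.ip_network("10.10.10.0/23"),
              ipaddress.ip_network("10.10.12.0/23")]          # access-list split
ASA1_ROUTES = [ipaddress.ip_network("10.10.10.0/23")]         # route inside ... 10.5.200.252

# ASA2 crypto ACL acl-vpn-AzureProd: (source object/group, destination object).
ASA2_CRYPTO_ACL = [("nets-MLS_4205NYC", "net-AzureProduction")]


def check_flow(src, dst, ingress="outside"):
    """Evaluate one flow against the posted policy; AnyConnect traffic
    decrypts on ASA1's outside interface, so that is the default ingress."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return {
        "split_tunnel": any(dst in p for p in ASA1_SPLIT),
        "asa1_route": any(dst in p for p in ASA1_ROUTES),
        "asa1_nat_hit": ASA1_NAT.matches(ingress, src, dst),
        "asa2_crypto_acl": any(covered(src, s) and covered(dst, d)
                               for s, d in ASA2_CRYPTO_ACL),
    }


if __name__ == "__main__":
    # Constructed sample flows from an AnyConnect client address in the pool.
    for dst in ("10.10.10.7", "10.10.12.7"):
        print(dst, check_flow("10.20.20.5", dst))
```

Two things the model makes visible: the nat (inside,any) line on ASA1 does not match a flow whose ingress is outside (the AnyConnect side), and the split-tunnel list sends 10.10.12.0/23 into the tunnel even though ASA1 has no route for it and ASA2's crypto ACL only covers 10.10.10.0/23. The authoritative on-box equivalent is the ASA's own packet-tracer, for example `packet-tracer input outside tcp 10.20.20.5 1025 10.10.10.7 445` on ASA1 and the matching `input inside` trace on ASA2, which reports the NAT, route and VPN-encrypt phases the model approximates.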