277 Views, 0 Helpful, 3 Replies

Hairpinning, AnyConnect & site-to-site issue

Richard Tapp (Level 1)

This one has me pulling my hair out, as I already have similar ones working.

So we have a site-to-site VPN between a Cisco ASA and AWS. The requirement is for an AnyConnect user to connect to the firewall and then for the tunnel to the Redshift subnet to be brought up.

I have done this before successfully with the source AC subnet and it opens another AWS tunnel OK.

So basically with this one, when I log into the BI-IP-Range AC, and RDP to a server in the Redshift subnet, the tunnel does not even attempt to come up.

So for testing I also allowed this from our internal network where the ASA is and this worked OK.

So I think this has to be either NAT or in the DAP ACL in AC. I currently have the ACL open for src 10.37.0.0/16 to 10.180.128.0/21 all IP, so I don't think it is the ACL.

Below are the NATs; lines 19 & 20 are the previously working ones, 21 is for the AC to Redshift which is not working, and 22 is the inside LAN to Redshift which is working.

[image: RichardTapp_2-1707306962384.png]

[image: RichardTapp_1-1707306906391.png]
3 Replies

Richard Tapp (Level 1)

Right, me being a numpty. I had not added the new subnet to the split tunnel route list.
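For reference, this is the shape of ASA configuration the thread converges on, written here as an added example rather than config taken from the poster's firewall. The point it shows: when the split-tunnel list does not include the Redshift subnet, the AnyConnect client never sends that traffic into its tunnel, so the ASA never sees interesting traffic and the AWS site-to-site tunnel has nothing to trigger it; the identity NAT and the crypto ACL only matter once the packet actually reaches the ASA. The two subnets are the ones quoted in the post (10.37.0.0/16 for the AnyConnect pool, 10.180.128.0/21 for Redshift); every object, ACL, group-policy and interface name is an assumption.

```cisco
! Added example, not the poster's configuration. Subnets come from the
! thread; all object, ACL, group-policy and interface names are assumed.

! AnyConnect terminates on "outside" and the AWS tunnel also leaves via
! "outside", so hairpinned traffic must be allowed back out the same interface.
same-security-traffic permit intra-interface

object network AC_POOL_BI
 subnet 10.37.0.0 255.255.0.0
object network AWS_REDSHIFT
 subnet 10.180.128.0 255.255.248.0

! 1. Split tunnel: the fix from the thread. Without this entry the client
!    routes 10.180.128.0/21 out its local internet connection and the ASA
!    never sees a packet that could bring the AWS tunnel up.
access-list SPLIT_TUNNEL_BI standard permit 10.180.128.0 255.255.248.0

group-policy GP_BI_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_BI

! 2. Identity (no-translation) NAT so the AnyConnect pool reaches Redshift
!    with its real address, which is what the crypto ACL below matches on.
nat (outside,outside) source static AC_POOL_BI AC_POOL_BI destination static AWS_REDSHIFT AWS_REDSHIFT no-proxy-arp route-lookup

! 3. Interesting traffic for the AWS crypto map must include the pool; the
!    AWS side of the tunnel must list 10.37.0.0/16 as a remote network as well.
access-list AWS_VPN_TRAFFIC extended permit ip object AC_POOL_BI object AWS_REDSHIFT
```

To check each step in order rather than guessing between NAT and ACL as the original post did: `show vpn-sessiondb detail anyconnect` lists the secured routes pushed to the client, so the Redshift subnet should appear there first; `show nat` gives hit counts per NAT line, which shows whether the hairpinned packets are reaching the identity rule at all; `packet-tracer input outside tcp 10.37.0.10 12345 10.180.128.10 3389` walks the NAT, routing and VPN phases for a constructed RDP flow; and `show crypto ipsec sa` confirms whether a security association for the 10.37.0.0/16 to 10.180.128.0/21 selector was actually negotiated.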

So, now it is working? Or any other problems to solve?

Yes, thanks, all working now.