NAT Issue with IPsec / AnyConnect

TechDude
Level 1

I have a Cisco ASA 5525-X as my primary firewall, with a second firewall that handles site-to-site VPNs. Since getting the new 5525-X, I was thinking I would start switching all the tunnels to the 5525-X.

The first tunnels were our remote offices, and these worked fine. Then I moved AnyConnect and it worked fine, but the second I put one customer tunnel on it, for some reason remote sites and AnyConnect stop working. If I move it back to the other firewall it works fine (yes, I'm removing the routes etc.).

Seems like a NAT issue to me, but I'm not sure what NAT rule would be needed, as AnyConnect and the remote offices can reach the tunnels on the other firewall via the 5525 but not directly on the 5525 (yes, tunnels updated on both ends with the customer).

AnyConnect is on the same network as the primary network; the primary network can reach customer sites but AnyConnect can't (it's done this way for a reason).

Ideas?

2 Replies

Hello

So basically, the users coming through AnyConnect are not able to access customer sites via another VPN tunnel? I hope you have configured the same security permit intra interface command? It would be great if you can post the configuration of the ASA and the subnets you wanted to reach each other.

Harish.

Think I solved that one by changing the nonat rule from inside - outside to any any outside, and now the AnyConnect client can get to them; however, for VPN clients the same setting isn't changing things.