Routing/NAT Issues from Anyconnect to Remote Site-to-Site IPSec

Markus S
Level 1

Hello everyone,

 

My name is Markus. I am a Network Administrator (CCNA).

I have currently been working on an issue for a few days, but I can't find a solution.

I think I do not have enough knowledge to solve this on my own.

 

My Networks are:

Anyconnect Pool: 10.66.66.0/24

Local LAN Network: 172.22.0.0/16

WAN: 80.150.164.42/29

First Remote IPSec Site to Site Tunnel: 192.168.10.0/24

Second Remote IPSec Site to Site Tunnel: 192.168.30.0/24

 

Currently Working:

Any access from the AnyConnect remote client to local LAN resources.

No connections to the Internet or the IPSec tunnels are working from the AnyConnect client.

There is no split-tunneling configured.

 

My Goal is:

The AnyConnect clients should access the Internet and also resources on the remote IPSec LAN.

 

Actual Errors:

After trying to access a server via RDP in the remote IPSec LAN:

Teardown TCP connection 6217884 for WAN:10.66.66.22/49175(LOCAL\adm) to WAN:192.168.10.1/3389 duration 0:00:00 bytes 0 Flow is a loopback

 

Currently I have configured the option:

"Enable traffic between two or more interfaces which are configured with same security levels"

For both IPSec connection profiles the NAT exempt is active, for the local LAN and the AnyConnect pool.

 

 

I hope I have provided enough information about the problem and the underlying infrastructure.

 

Thanks for your help,

Best regards, Markus

2 Replies

Tushar Bangia
Level 1

The Anyconnect Clients should Access the Internet and also Resources on the Remote IPSec LAN.

 

- To allow the AnyConnect client to have Internet access, make sure you have the relevant NAT in place, i.e.

 

nat (outside) 10 10.66.66.0 255.255.255.0 (i.e. the VPN pool)

global (outside) 10 interface (the global must carry the same NAT ID, 10, as the nat statement)

 

 

- And to allow the AnyConnect client to access resources via the site-to-site VPN (i.e. the IPSec tunnel), you need to add the VPN pool to the crypto ACL.

 

Assuming AnyConnect is landing on the ASA with LAN 192.168.10.0/24:

 

access-list cryptoacl permit ip 10.66.66.0 255.255.255.0 192.168.30.0 255.255.255.0

 

And on the remote site add the below:

access-list cryptoacl permit ip 192.168.30.0 255.255.255.0 10.66.66.0 255.255.255.0

 

Regards,

 

Tushar Bangia

 

Note - Please do rate the post if you find it helpful!!
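Worked example (added here, not posted by anyone in this thread): the same hairpin setup written in ASA 8.3+ object NAT syntax, which is what the pre-8.3 nat/global lines above translate to once the ASA version is 8.3 or later. The object names VPN_POOL and REMOTE_LAN_30 and the choice of the 192.168.30.0/24 tunnel are assumptions; the subnets are the ones Markus listed, and the ASA version is not stated in the thread.

```cisco
! Added example in ASA 8.3+ syntax (assumption: the ASA runs 8.3 or later)
! Allow a flow to enter and leave the same interface; this is the ASDM
! "same security levels" option Markus says is already enabled.
same-security-traffic permit intra-interface

! Hypothetical object names for the subnets from the original post
object network VPN_POOL
 subnet 10.66.66.0 255.255.255.0
object network REMOTE_LAN_30
 subnet 192.168.30.0 255.255.255.0

! 1) Identity (NAT-exempt) rule for pool -> remote L2L LAN, both sides on outside.
!    Manual NAT is matched in order, so this must sit above the dynamic rule.
nat (outside,outside) source static VPN_POOL VPN_POOL destination static REMOTE_LAN_30 REMOTE_LAN_30 no-proxy-arp route-lookup

! 2) Dynamic PAT to the outside interface address for AnyConnect -> Internet
nat (outside,outside) source dynamic VPN_POOL interface

! 3) The crypto ACL must also match pool -> remote LAN, or the hairpinned
!    traffic is never selected for encryption (mirror it on the remote peer).
access-list cryptoacl extended permit ip 10.66.66.0 255.255.255.0 192.168.30.0 255.255.255.0
```

To confirm the order of the manual NAT rules and that a pool-to-remote-LAN flow now reaches the VPN encrypt phase instead of being dropped, run packet-tracer input outside tcp 10.66.66.22 49175 192.168.30.1 3389 (constructed host addresses) and check the NAT and VPN phases in its output.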

 

 

 

rizwanr74
Level 7

Hi Markus,

 

What ASA version are you running?

 

Thanks