Sending Cisco Anyconnect VPN traffic through an IPSEC tunnel

V Rajshekar
Level 1

AnyConnect VPN IP (ASDM): 203.92.X.Y (our public IP)
Internal IP: 192.168.0.1/24 (firewall IP)

Amazon IP Details

1) Amazon VPN gateway IP: 13.126.x
Redundancy
2) Amazon VPN gateway IP: 13.126.x
After this we connect to our Amazon link.

Amazon App

http://10.0.1.63:808


We already have set up a VPN with AWS and it is functioning as expected; we cross-verified the instructions given in the links that you provided.

The issue we have is routing traffic that comes from a device connected via an AnyConnect VPN. Please read the details below.

1) We have set up a remote-access VPN on the ASA firewall, where the end user can connect, and a site-to-site VPN between the firewall and AWS.

2) After connecting to the remote VPN, the end user is able to ping any machine running in our office.

3) We are able to ping AWS machines from our office network, but when the remote user tries to ping the machines running on AWS after connecting to the remote VPN, the ping never reaches AWS and we cannot access the application on AWS.

Accepted Solution

Francesco Molino
VIP Alumni

Hi

First of all, do your AnyConnect clients have a full tunnel to your ASA or a split tunnel?

Then you need to add the AnyConnect clients' IP subnet to the VPN crypto ACL with AWS.

After that, if AnyConnect is configured for split tunnel, you need to add the AWS local subnet into the AnyConnect split ACL.

You also have to make sure traffic within the same security level is allowed. Here is the command:

same-security-traffic permit intra-interface

And finally, you need to create a NAT exemption between your AnyConnect subnet and the AWS subnet, like you did between AnyConnect and your local office LAN.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
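For readers wanting to see the three pieces of the accepted answer together, here is an added ASA 8.3+ configuration sketch (not posted by Francesco or the OP, and not taken from the thread). The office LAN 192.168.0.0/24 comes from the question; the AnyConnect pool 192.168.100.0/24, the AWS VPC subnet 10.0.1.0/24 (inferred from the app address 10.0.1.63), the interface names outside/inside, and the object and ACL names are all assumptions and must be replaced with the real values:

```text
! --- Added example, not from the thread. Object names, the AnyConnect pool
! --- and the AWS subnet are assumed; only 192.168.0.0/24 is from the question.
object network OBJ-OFFICE-LAN
 subnet 192.168.0.0 255.255.255.0
object network OBJ-ANYCONNECT-POOL
 subnet 192.168.100.0 255.255.255.0
object network OBJ-AWS-VPC
 subnet 10.0.1.0 255.255.255.0

! 1) Crypto ACL for the AWS site-to-site tunnel.
!    The office LAN line is what normally exists already; the second line is
!    the missing one: without it, AnyConnect client traffic never matches the
!    IPsec SA and is dropped or routed to the Internet instead.
access-list AWS-CRYPTO-ACL extended permit ip object OBJ-OFFICE-LAN object OBJ-AWS-VPC
access-list AWS-CRYPTO-ACL extended permit ip object OBJ-ANYCONNECT-POOL object OBJ-AWS-VPC

! 2) AnyConnect traffic enters and leaves on the same interface (outside),
!    so hairpinning between two tunnels on that interface must be permitted.
same-security-traffic permit intra-interface

! 3) NAT exemption (identity NAT) so the AnyConnect source addresses are
!    preserved and still match the crypto ACL above. Both interfaces are
!    "outside" because the traffic hairpins on that interface.
nat (outside,outside) source static OBJ-ANYCONNECT-POOL OBJ-ANYCONNECT-POOL destination static OBJ-AWS-VPC OBJ-AWS-VPC no-proxy-arp route-lookup

! Verification: simulate a ping from an AnyConnect client to the AWS app host.
! The trace should end in ALLOW with a VPN (encrypt) phase; a drop in a NAT,
! ACCESS-LIST or VPN phase points at which of the three pieces is still missing.
packet-tracer input outside icmp 192.168.100.10 8 0 10.0.1.63
! After real traffic flows, the AWS SA should show an entry for the pool:
show crypto ipsec sa peer 13.126.x.x
```

Two things the thread does not spell out but that a practitioner should check as well: the AWS side of the site-to-site VPN must also know the AnyConnect pool as a remote prefix (a static route on the AWS VPN connection, or an advertised route if BGP is used), and the ASA must have the AWS subnet in the crypto map peer's reachable routes, otherwise return traffic is dropped on the AWS side even though the ASA configuration above is complete. The `packet-tracer` line is the quickest way to tell which side is at fault.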


4 Replies


Our VPN is configured for full tunnel.

Do I need to check something else?

Packet tracer shows the traffic being dropped by WEBVPN SRV.

We managed to figure out the issue. We needed to include the in SSL VPN ACL as well.

 

Thank you for your inputs.

OK, good, it works. You're welcome.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question