cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1242
Views
0
Helpful
4
Replies

Sending Cisco Anyconnect VPN traffic through an IPSEC tunnel

V Rajshekar
Level 1
Level 1

VPN IP Anny Connect (ASDM) : 203.92.X.Y (our Public IP)
Internal IP:192.168.0.1/ 24 (Firewall IP)

Amazon IP Details

1)Amazon VPN gateway IP: 13.126.x
Redundancy
2)Amazon VPN gateway IP: 13.126.x
After to this we are connecting our Amazon link.

Amazon App

http://10.0.1.63:808

 

already have set up VPN with AWS and it is functioning as expected we cross verified the instructions given in the links that you have provided.

The issue we have is to route traffic which is coming from a device connected via an Any connect VPN. Please read in details below.

1) We have set up Remote VPN on the ASA firewall where the end user can get connected and a site to site VPN between the Firewall and AWS.

2) After connecting to the remote VPN, the end user is able to ping any machine running in our office.

3) We are able to ping AWS machines from our office network but when the remote user tries to ping the machines that are running on AWS after connecting to remote VPN, the ping never reaches AWS we cannot access the applicaton on AWS

1 Accepted Solution

Accepted Solutions

Francesco Molino
VIP Alumni
VIP Alumni

Hi

 

First of all, do your anyconnect clients have full tunnel to your asa of a split tunnel?

 

Then you need to add anyconnect clients ip subnet on vpn crypto acl with AWS.

After, if anyconnect is configured on split tunnel, you need to add AWS local subnet into anyconnect split acl.

 

You also have to make sure traffic within save security level is allowed. Here is the command:

same-security-traffic permit intra-interface

 

And finally, you need to create a nat exemption between your anyconnect subnet and AWS subnet like you did between anyconnect and your local office lan.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

4 Replies 4

Francesco Molino
VIP Alumni
VIP Alumni

Hi

 

First of all, do your anyconnect clients have full tunnel to your asa of a split tunnel?

 

Then you need to add anyconnect clients ip subnet on vpn crypto acl with AWS.

After, if anyconnect is configured on split tunnel, you need to add AWS local subnet into anyconnect split acl.

 

You also have to make sure traffic within save security level is allowed. Here is the command:

same-security-traffic permit intra-interface

 

And finally, you need to create a nat exemption between your anyconnect subnet and AWS subnet like you did between anyconnect and your local office lan.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Our VPN is configured for Full Tunnel.

 

Do I need to check something else?

Packet tracer shows being dropped by WEBVPN SRV

 

 

We managed to figure out the issue. we needed to include the in SSL VPN acl as well.

 

Thank you for your inputs.

Ok good it works. You're welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question