03-28-2014 04:46 PM - edited 02-21-2020 07:34 PM
Hello all,
I am stuck and could use some assistance here. I have a very similar question as here, but I am on version 9.1(2).
It had been working prior with v8.2 (we recently upgraded).
So we have two lan-to-lan VPNs established and both remote sites can access each other's resources. The client-based VPN users however cannot (neither the IPSec client nor AnyConnect).
We created a network object group as shown below and did the double-nat statement, but that doesn't seem to have helped. The remote networks are in the split-tunnel of the client.
Any thoughts would be greatly appreciated.
Thanks! -Cheers, Peter.
192.168.1.0 = main site (inside of asa)
192.168.1.0 = remote a (isr851 w/ ezvpn network extension mode)
192.168.3.0 = standard lan to lan vpn tunnel
192.168.7.0 = IP pool of IPSec/Anyconnect clients
object-group network int-vpn-nonat
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.7.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
nat (Outside-MetroE,Outside-MetroE) source static int-vpn-nonat int-vpn-nonat destination static int-vpn-nonat int-vpn-nonat no-proxy-arp route-lookup
03-30-2014 07:22 AM
Just a few things to check:
1. Does the far side ASA have a route back to the AnyConnect VPN subnet?
2. Does the far side ASA have a twice NAT configured for the AnyConnect subnet?
3. Did you add the AnyConnect subnet to the interesting traffic ACL for L2L?
Thanks,
Kevin
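As an added example (not Kevin's or Peter's configuration), this is what the three checks above look like when written out on each ASA. Object and ACL names, the hub peer address placeholder, and the hairpin permit are assumptions; the existing LAN-to-LAN lines for the hub's own LAN are left out.

```cisco
! ---- Hub ASA (9.1(2)) ----
! Client traffic enters and leaves the same interface (Outside-MetroE),
! so intra-interface traffic must be permitted for the hairpin to work.
same-security-traffic permit intra-interface
!
! Assumed object names: one object per network instead of one big group.
object network RA-VPN-POOL
 subnet 192.168.7.0 255.255.255.0
object network L2L-REMOTE-B
 subnet 192.168.3.0 255.255.255.0
!
! Check 2 (hub side): identity twice NAT, client pool <-> remote site B LAN.
! route-lookup makes the egress interface come from the routing table.
nat (Outside-MetroE,Outside-MetroE) source static RA-VPN-POOL RA-VPN-POOL destination static L2L-REMOTE-B L2L-REMOTE-B no-proxy-arp route-lookup
!
! Check 3 (hub side): the L2L crypto ACL must list the client pool as local traffic.
access-list L2L-TO-B extended permit ip 192.168.7.0 255.255.255.0 192.168.3.0 255.255.255.0
!
! ---- Remote site B ASA ----
! Check 3 (far side): mirror image of the hub crypto ACL.
access-list L2L-TO-HUB extended permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0
!
! Check 2 (far side): identity twice NAT for the hub's client pool.
object network INTERNAL-NETWORK
 subnet 192.168.3.0 255.255.255.0
object network HUB-RA-VPN-POOL
 subnet 192.168.7.0 255.255.255.0
nat (inside,outside) source static INTERNAL-NETWORK INTERNAL-NETWORK destination static HUB-RA-VPN-POOL HUB-RA-VPN-POOL no-proxy-arp route-lookup
!
! Check 1 (far side): a route back to the pool, unless reverse-route injection
! on the crypto map already installs it. <HUB-PEER-IP> is a placeholder.
route outside 192.168.7.0 255.255.255.0 <HUB-PEER-IP> 1
```

With this in place, "show crypto ipsec sa" on the far side should show decaps as well as encaps for the 192.168.7.0/24 to 192.168.3.0/24 pair.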
03-30-2014 11:43 AM
Hi Kevin,
Thanks for taking the time to help. It is greatly appreciated.
For Nr. 3, I believe I have that correct... I do see the 192.168.7.0 network appear as a "remote ident" entry in the "sh cry ips sa" output and there are packet encaps listed (no decaps).
For Nr. 2, I believe so. Here is what I have on the lan2lan remote site asa:
object network internal-network
 subnet 192.168.3.0 255.255.255.0
object-group network bcc-int-vpn-nonat
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.7.0 255.255.255.0
nat (inside,outside) source static internal-network internal-network destination static int-vpn-nonat int-vpn-nonat no-proxy-arp route-lookup
For Nr. 1, I am fairly sure I have this right. The hosts on the far end 192.168.3.x network all have their local ASA as their default gateway. I don't have any additional routing setup outside of the "Reverse Route Injection" option in the static l2l cryptomap definition.
Things had been working fine before the upgrade... My suspicion is that I am missing something in the double nat on the 192.168.0.x central ASA... This whole business of not having nat exclusions has really been something strange, and I still don't fully understand the logic behind it.
Sorry I still feel dense with this new nat format.
Thanks! -Cheers, Peter.
04-01-2014 09:28 AM
bump.