Re: VPN through a second tunnel

WonderfulIT · ‎07-12-2019

Hi all,

We've got an ASA and have setup Anyconnect to that site (in the UK) and it works fine for users dialling in from home. The UK ASA has a site to site VPN to a USA site which we can route through if connected into the LAN at the UK side but we can't get access to the services on the USA side if we VPN in with Anyconnect to the UK side (i.e we can only get access to the USA side if plugged directly into the lan)?

Should this work or if not is there anything i can check/change to allow this ?

Thanks

GRANT3779 · ‎07-12-2019

Initial thoughts would be NAT related or potential routing.

Does the USA site have routing for the VPN subnet across the S2S VPN?

Do you have the relevant "No Nat" for this traffic?

I'm assuming the S2S VPN is built across the same Outside interface as Anyconnect comes into, so essentially traffic will be hairpinning.

If you are able to share the config it would help pin point the issue.

balaji.bandi · ‎07-12-2019

Make sure your VPN IP network range allowed in the USA and UK site to site VPN interesting traffic ACL.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Narayan Dev Sarma · ‎07-12-2019

Please check anyconnect profile with the interested traffic. You can try with packet tracer on that ASA.

GRANT3779 · ‎07-12-2019

Just to summarize what has been put forward from us -

Check Split Tunneling for Anyconnect (if used). Are the USA Subnets included.
Do you have a "No Nat" configured for the Anyconnect subnet / traffic to the USA and vice versa.
Is the Anyconnect subnet included in the interesting traffic for the S2S VPN
Does the USA have routing to the Anyconnect Subnet