Beginner

VPN through a second tunnel

Hi all,

 

We've got an ASA and have set up AnyConnect to that site (in the UK) and it works fine for users dialling in from home. The UK ASA has a site-to-site VPN to a USA site which we can route through if connected into the LAN at the UK side, but we can't get access to the services on the USA side if we VPN in with AnyConnect to the UK side (i.e. we can only get access to the USA side if plugged directly into the LAN).

Should this work, or if not, is there anything I can check/change to allow this?

 

Thanks

Frequent Contributor

Re: VPN through a second tunnel

Initial thoughts would be NAT related or potential routing.

Does the USA site have routing for the VPN subnet across the S2S VPN?

Do you have the relevant "No Nat" for this traffic?

I'm assuming the S2S VPN is built across the same Outside interface as Anyconnect comes into, so essentially traffic will be hairpinning.

If you are able to share the config it would help pinpoint the issue.
VIP Mentor

Re: VPN through a second tunnel

Make sure your VPN IP network range is allowed in the USA and UK site-to-site VPN interesting traffic ACL.

 

BB
*** Rate All Helpful Responses ***

Re: VPN through a second tunnel

Please check the AnyConnect profile with the interested traffic. You can try with packet tracer on that ASA.

 

Frequent Contributor

Re: VPN through a second tunnel

Just to summarize what has been put forward from us -

Check Split Tunneling for AnyConnect (if used). Are the USA subnets included?
Do you have a "No Nat" configured for the AnyConnect subnet / traffic to the USA and vice versa?
Is the AnyConnect subnet included in the interesting traffic for the S2S VPN?
Does the USA have routing to the AnyConnect subnet?
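
The four checks summarized above, written out as ASA configuration on the UK side. This is an added example, not configuration from the original thread or from any poster. All subnets, object names, ACL names and the group-policy name are constructed assumptions, and it assumes both AnyConnect and the S2S tunnel terminate on an interface named "outside".

```cisco
! Constructed values (assumptions, not from the thread):
!   AnyConnect pool 10.99.0.0/24, USA LAN 10.20.0.0/16,
!   crypto ACL S2S-USA, split-tunnel ACL SPLIT-AC, group-policy GP-ANYCONNECT

object network OBJ-AC-POOL
 subnet 10.99.0.0 255.255.255.0
object network OBJ-USA-LAN
 subnet 10.20.0.0 255.255.0.0

! Hairpinning: traffic arrives on "outside" (AnyConnect) and leaves on
! "outside" (S2S), which the ASA does not allow unless this is set
same-security-traffic permit intra-interface

! 1. Split tunnelling (if used): the USA subnet must be in the list pushed
!    to the client, otherwise the client never sends it into the tunnel
access-list SPLIT-AC standard permit 10.20.0.0 255.255.0.0
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-AC

! 2. "No NAT": identity NAT for pool <-> USA LAN, outside to outside,
!    so the pool address is not translated before the crypto ACL is matched
nat (outside,outside) source static OBJ-AC-POOL OBJ-AC-POOL destination static OBJ-USA-LAN OBJ-USA-LAN no-proxy-arp

! 3. Interesting traffic: add the pool to the S2S crypto ACL.
!    The USA peer needs the mirror-image entry (USA LAN -> pool).
access-list S2S-USA extended permit ip object OBJ-AC-POOL object OBJ-USA-LAN

! 4. Routing: configured on the USA side, not here. Hosts there need a
!    route for 10.99.0.0/24 pointing at the USA VPN device.

! Verification: an IPsec SA for the pool/USA pair should appear, with
! encaps and decaps counters both increasing while a client sends traffic
show crypto ipsec sa peer <USA-peer-IP>
```

Scoping the split-tunnel and crypto ACL entries to the specific USA subnets that remote users need, rather than to broad ranges, keeps the access granted to remote users no wider than intended.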