We have a pair of ASA 5510s in an active/passive HA configuration. Remote users connect via AnyConnect and access resources in our corporate site. We also have three IPSec site-to-site VPNs to link our datacenter sites with the corporate site.
We now want some users to be able to access the datacenter sites when connected via AnyConnect. Right now, they have to connect to a client on the corporate network, usually via MS terminal services, then connect to one of the datacenter hosts. We want traffic to be routed directly from their remote client to one or more of the datacenters.
One additional catch is that we'd like to implement datacenter access via a group policy, so that only certain AnyConnect clients can connect to the datacenters.
We've already enabled intra-interface traffic, because we don't allow them split tunneling, and Internet access also goes through the ASA when remote users are connected.
Some network parameters:
corporate network: trusted/24 (192.168.10.0/24)
AnyConnect users: VPN/24 (192.168.4.0/24)
datacenter A: DC-A/24 (192.168.20.0/24)
datacenter B: DC-B/24 (192.168.21.0/24)
datacenter C: DC-C/24 (192.168.22.0/24)
The connection profile for the DC A VPN has trusted/24 and VPN/24 as the local networks, DC-A/24 as the remote network. There is a corresponding cryptomap/ACL entry. I have a NAT-exempt rule on the external (public Internet) interface with a source of VPN/24 and destination of DC-A/24.
Right now, I get no connectivity to DC-A when connected via AnyConnect. If I run the packet tracer within ASDM, using external as the interface, 192.168.4.1:1024 as the source and 192.168.20.1:80 as the destination, the trace fails at the access-list lookup, showing me that the final drop-any rule on the external interface is causing the packet to be dropped. We have VPN connections set up to ignore ACLs, so I'm lost on this one.
Does anyone have any suggestions?
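The pieces the post describes (hairpinning AnyConnect traffic back out the same interface into the DC-A tunnel, NAT exemption, crypto ACL, and a group policy that limits which clients may reach the datacenters), as an added ASA configuration example rather than the poster's own config. It assumes ASA 8.4(2)+ NAT syntax, an outside interface named "outside" (the poster's "external"), and hypothetical object, ACL, crypto-map and group-policy names.

```cisco
! Added example; not the poster's running config. Object/ACL names are hypothetical.
object network VPN_POOL
 subnet 192.168.4.0 255.255.255.0
object network DC_A
 subnet 192.168.20.0 255.255.255.0

! Decrypted AnyConnect traffic re-enters the outside interface to reach the DC-A tunnel
same-security-traffic permit intra-interface

! NAT exemption for the hairpin: both sides of the NAT rule are the outside interface
nat (outside,outside) source static VPN_POOL VPN_POOL destination static DC_A DC_A no-proxy-arp route-lookup

! Crypto ACL for the DC-A tunnel: the VPN pool must be a local network alongside trusted/24.
! The DC-A peer needs the mirror image (192.168.20.0/24 -> 192.168.4.0/24) or the SA will not match.
access-list DCA_CRYPTO extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list DCA_CRYPTO extended permit ip 192.168.4.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address DCA_CRYPTO
! (peer, transform set and other crypto map entries unchanged)

! Only clients assigned to DC_USERS may reach DC-A; everyone else keeps the default policy.
! Assumption: vpn-filter ACLs list the remote (client) side as the source, per Cisco's convention.
access-list DC_USERS_FILTER extended permit ip 192.168.4.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list DC_USERS_FILTER extended permit ip 192.168.4.0 255.255.255.0 192.168.10.0 255.255.255.0
group-policy DC_USERS internal
group-policy DC_USERS attributes
 vpn-filter value DC_USERS_FILTER
 split-tunnel-policy tunnelall
! Assign DC_USERS via tunnel-group default-group-policy or a RADIUS/LDAP group-policy attribute.
```

Clients not mapped to DC_USERS never match the datacenter lines of the filter, so the group policy, not the crypto ACL, is what enforces who may cross into DC-A.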
Yes, of course it does. The crypto maps have to match on both sides. I would have suspected, though, that all your traffic to DC-A wouldn't be working.
If you want to give me your contact info I will help you.