communications between AnyConnect SSLVPN and IPSec VPN

chenbc
Level 1

Hello all,

I have 2 ASAs, connected to each other with an IPsec VPN.

One of the ASAs has SSLVPN for users to access its intranet resources,

but I don't know how to access the inside network on the other ASA.

My network architecture is below:

192.168.1.0/24 ---- ASA1 --- Internet --- ASA2 ---- 172.24.0.0/16

SSLVPN uses 192.168.55.0/24 IPs on the outside interface.

An IPsec L2L VPN is established between ASA1 and ASA2.

192.168.1.x can access 172.24.0.0/16 via NATing to ASA2's inside interface IP.

But now I want 192.168.55.0/24 to access 172.24.0.0/16; I did some configuration but it does not work...

Is there any suggestion?

Thanks a lot


4 Replies

Jennifer Halim
Cisco Employee

There are a few things that need to be configured:

1) On ASA1 - same-security-traffic permit intra-interface

2) On ASA1 - if you have split tunnel configured for the AnyConnect, you would need to include 172.24.0.0/16 in the split tunnel ACL

3) For the crypto ACL, you would need to add the ip pool subnet as follows:

     -- On ASA1 - crypto ACL: permit ip 192.168.55.0 255.255.255.0 172.24.0.0 255.255.0.0

     -- On ASA2 - crypto ACL: permit ip 172.24.0.0 255.255.0.0 192.168.55.0 255.255.255.0

4) On ASA2 - NAT exemption ACL should include: permit ip 172.24.0.0 255.255.0.0 192.168.55.0 255.255.255.0

Hope that helps.

Hello all,

It seems not to work...

In the attachment are the config files for ASA1 and ASA2.

ASA1's SSLVPN users using 192.168.55.0/24 cannot route to 172.24.0.0/16,

but ASA1's internal network users using 192.168.1.0/24 can route to 172.24.0.0/16.

How could I make 192.168.55.0/24 route to 172.24.0.0/16 with the IPsec L2L VPN established?

I got weird....orz

Thanks a lot

stephon

Hi, the split tunnel you added for the ASA2 network should allow the VPN clients to send traffic through the tunnel when they want to reach the remote subnet.

Can you add this too:

access-list nonat_outside permit ip

nat (outside) 0 access-list nonat_outside

Also, in the config you have not added the crypto ACL entry for ASA1, that is, from 192.168.55.0 to 172.24.0.0.

See if that helps.
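The four points in Jennifer Halim's reply and the outside-interface NAT exemption in stephon's reply amount to a coverage-and-mirror check over a handful of ACLs. The script below is an added example, not code from this thread or from Cisco; it uses the thread's addresses, but the ACL names (l2l, nonat, nonat_outside, split), the Asa structure and the before/after configurations are constructed assumptions for illustration.

```python
"""Why does an AnyConnect client on ASA1 fail to reach a LAN behind ASA2 over the L2L tunnel?

Added example, not from the thread or from Cisco.  Addresses are the thread's;
ACL names, the Asa structure and both configurations are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One 'permit ip SRC DST' entry of an ASA extended access-list."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, s: str, d: str) -> bool:
        return ip_address(s) in self.src and ip_address(d) in self.dst

    def mirrored(self) -> Ace:
        return Ace(self.dst, self.src)


def _net(t: list[str], i: int) -> tuple[IPv4Network, int]:
    """Consume one ASA address spec ('any', 'host A.B.C.D' or 'NET MASK') at t[i]."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_extended(lines: list[str]) -> list[Ace]:
    """Parse 'access-list NAME [extended] permit ip SRC DST' lines (crypto and nonat ACLs)."""
    aces = []
    for line in lines:
        t = line.split()
        i = 3 if t[2:3] == ["extended"] else 2
        if t[:1] != ["access-list"] or t[i:i + 2] != ["permit", "ip"]:
            raise ValueError(f"only 'permit ip' ACEs are modelled: {line}")
        src, i = _net(t, i + 2)
        dst, _ = _net(t, i)
        aces.append(Ace(src, dst))
    return aces


def parse_standard(lines: list[str]) -> list[IPv4Network]:
    """Parse split-tunnel 'access-list NAME standard permit NET MASK' lines."""
    nets = []
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"] or t[2:4] != ["standard", "permit"]:
            raise ValueError(f"not a standard permit ACE: {line}")
        nets.append(_net(t, 4)[0])
    return nets


@dataclass
class Asa:
    crypto: list[Ace]                 # crypto map 'match address' ACL
    nonat: list[Ace]                  # NAT exemption ('nat 0 access-list') entries
    split_tunnel: list[IPv4Network] = field(default_factory=list)
    intra_interface: bool = False     # same-security-traffic permit intra-interface


def tunnel_problems(asa1: Asa, asa2: Asa, client: str, dst: str) -> list[str]:
    """Reasons a flow from AnyConnect client -> dst behind ASA2 would fail, in check order."""
    p = []
    if asa1.split_tunnel and not any(ip_address(dst) in n for n in asa1.split_tunnel):
        p.append("ASA1 split-tunnel ACL does not send the destination into the tunnel")
    if not asa1.intra_interface:            # flow enters and leaves ASA1's outside interface
        p.append("ASA1 lacks 'same-security-traffic permit intra-interface'")
    if not any(a.matches(client, dst) for a in asa1.nonat):
        p.append("ASA1 NAT exemption does not cover pool -> remote LAN")
    if not any(a.matches(client, dst) for a in asa1.crypto):
        p.append("ASA1 crypto ACL does not classify pool -> remote LAN as interesting traffic")
    if not any(a.matches(dst, client) for a in asa2.crypto):
        p.append("ASA2 crypto ACL does not classify remote LAN -> pool as interesting traffic")
    for a in asa1.crypto:                   # the two crypto ACLs must be exact mirrors
        if a.mirrored() not in asa2.crypto:
            p.append(f"ASA2 crypto ACL lacks the mirror of {a.src} -> {a.dst}")
    if not any(a.matches(dst, client) for a in asa2.nonat):
        p.append("ASA2 NAT exemption does not cover remote LAN -> pool")
    return p


# Constructed values from the thread's topology (masks in ASA notation).
POOL, LAN1, LAN2 = "192.168.55.0 255.255.255.0", "192.168.1.0 255.255.255.0", "172.24.0.0 255.255.0.0"


def before() -> tuple[Asa, Asa]:
    """Constructed state like the original post: only the two LANs appear in the ACLs."""
    asa1 = Asa(crypto=parse_extended([f"access-list l2l extended permit ip {LAN1} {LAN2}"]),
               nonat=parse_extended([f"access-list nonat permit ip {LAN1} {LAN2}"]),
               split_tunnel=parse_standard([f"access-list split standard permit {LAN1}"]))
    asa2 = Asa(crypto=parse_extended([f"access-list l2l extended permit ip {LAN2} {LAN1}"]),
               nonat=parse_extended([f"access-list nonat permit ip {LAN2} {LAN1}"]))
    return asa1, asa2


def after() -> tuple[Asa, Asa]:
    """Constructed state with the replies' changes applied on both ASAs."""
    asa1 = Asa(crypto=parse_extended([f"access-list l2l extended permit ip {LAN1} {LAN2}",
                                      f"access-list l2l extended permit ip {POOL} {LAN2}"]),
               nonat=parse_extended([f"access-list nonat permit ip {LAN1} {LAN2}",
                                     f"access-list nonat_outside permit ip {POOL} {LAN2}"]),
               split_tunnel=parse_standard([f"access-list split standard permit {LAN1}",
                                            f"access-list split standard permit {LAN2}"]),
               intra_interface=True)
    asa2 = Asa(crypto=parse_extended([f"access-list l2l extended permit ip {LAN2} {LAN1}",
                                      f"access-list l2l extended permit ip {LAN2} {POOL}"]),
               nonat=parse_extended([f"access-list nonat permit ip {LAN2} {LAN1}",
                                     f"access-list nonat permit ip {LAN2} {POOL}"]))
    return asa1, asa2


if __name__ == "__main__":
    for label, cfg in (("before", before()), ("after", after())):
        print(label, tunnel_problems(*cfg, "192.168.55.10", "172.24.1.1") or ["OK"])
```

Run as-is, the "before" state reports six missing pieces and the "after" state reports OK. The mirror check is the one that catches the situation the original poster eventually found: a pool entry added to the crypto ACL on one ASA with no matching entry on the other, which leaves the tunnel negotiating for a proxy identity the peer does not recognise.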

Hello all

I found that I didn't add the VPN IP pool into the crypto ACL before...

Now it works.

Thanks a lot
