Cisco Support Community
Community Member

Users to access from one VPN to other VPN Location

Hello All Gurus,

Today I came across a scenario that I am having a bit of a hard time understanding again. The problem is that I have a network in which we are running a VPN between two cities' datacenters. Both use 3 VLANs, like:

In Chicago

10.12.10.x, 10.12.7.x and 10.12.150.x

In Atlanta 

10.22.10.x, 10.22.7.x and 10.22.150.x

My VPN users are able to connect to Atlanta with AnyConnect without any problem. But when they have to access Chicago, they first disconnect the VPN and then reconnect to the Chicago ASA to get access to those servers, even though there is a VPN tunnel running between Chicago and Atlanta, and I am able to access the management network, which is 10.x.7.x, but not the other production subnets.

Can anyone help me understand what I have to check and what will make this work? I would really appreciate any link to documents that show me how to do it as well.





Community Member

Reading your post I have an idea. If I understand well, there are 2 RA VPN sites (Chicago & Atlanta). There is also an L2L IPsec tunnel between Chicago & Atlanta. All (RA and L2L) has to be working because you are able to reach the management subnet in Atlanta from Chicago (please correct me if anything is wrong).

Now, a few questions:

- management subnet - is there any NAT used in the configuration in conjunction with this subnet?

- can you post the crypto map of the L2L?

- what are the IP pools for RA VPN @ Chicago and Atlanta?


I assume the production servers are able to reach the internet, so there is some kind of NAT (because your addresses are RFC 1918).

My main idea is that there should be a NAT exemption on traffic from Chicago to the RA VPN at Atlanta (and vice versa).

Please answer the questions and we can continue.






Community Member

Hi Atif,

Check for the following:

- That you have issued the command "same-security-traffic permit intra-interface", since AnyConnect user traffic will be hairpinning on the ASA outside interface of the Atlanta firewall

- That the Chicago IP address pools you wish to access are in the Split-Tunnel ACL under the SSL Group Policy in Atlanta

- That the pair AnyConnect SSL IP pool - Chicago IP address pools is in the IPsec crypto ACL for the ASA in Atlanta

- That the pair Chicago IP address pools - AnyConnect SSL IP pool is in the IPsec crypto ACL for the ASA in Chicago

- Make sure you have properly NAT-exempted the appropriate subnets in each ASA
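As an added illustration (not posted by either replier and not Cisco's own documentation), the following puts the NAT-exemption idea from the first reply and the five-point checklist from the second reply into ASA 8.3+ CLI syntax for the Atlanta ASA, with the mirror entries for Chicago and the checks to run afterwards. The three /24 subnets per city are the ones from the question; everything else is an assumption: the AnyConnect pool 192.168.100.0/24, the object and ACL names, the group-policy name ANYCONNECT_GP, the interface names inside/outside, and the placeholders in angle brackets, which stand for values the thread does not give.

```cisco
! ===== Atlanta ASA: AnyConnect headend and L2L peer to Chicago =====
! AnyConnect sessions terminate on outside and the L2L tunnel also leaves
! via outside, so the same-interface (hairpin) flow must be permitted.
same-security-traffic permit intra-interface

! Assumed pool and object names (placeholders, not from the thread).
object network ATL_ANYCONNECT_POOL
 subnet 192.168.100.0 255.255.255.0
object-group network ATL_SUBNETS
 network-object 10.22.10.0 255.255.255.0
 network-object 10.22.7.0 255.255.255.0
 network-object 10.22.150.0 255.255.255.0
object-group network CHI_SUBNETS
 network-object 10.12.10.0 255.255.255.0
 network-object 10.12.7.0 255.255.255.0
 network-object 10.12.150.0 255.255.255.0

! Split-tunnel ACL: the Chicago subnets must be listed too, otherwise the
! client never sends that traffic into the AnyConnect tunnel at all.
access-list ATL_SPLIT_TUNNEL standard permit 10.22.10.0 255.255.255.0
access-list ATL_SPLIT_TUNNEL standard permit 10.22.7.0 255.255.255.0
access-list ATL_SPLIT_TUNNEL standard permit 10.22.150.0 255.255.255.0
access-list ATL_SPLIT_TUNNEL standard permit 10.12.10.0 255.255.255.0
access-list ATL_SPLIT_TUNNEL standard permit 10.12.7.0 255.255.255.0
access-list ATL_SPLIT_TUNNEL standard permit 10.12.150.0 255.255.255.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ATL_SPLIT_TUNNEL

! Crypto ACL for the L2L tunnel: the LAN-to-LAN entry plus a second entry
! for pool -> Chicago. If only the .7.x management subnet is listed here,
! management works and the production subnets do not, as in the question.
access-list L2L_TO_CHICAGO extended permit ip object-group ATL_SUBNETS object-group CHI_SUBNETS
access-list L2L_TO_CHICAGO extended permit ip object ATL_ANYCONNECT_POOL object-group CHI_SUBNETS
! Peer, transform set and the rest of the crypto map entry stay as already
! configured; only the match address line is shown.
crypto map OUTSIDE_MAP 10 match address L2L_TO_CHICAGO

! NAT exemption (identity NAT) so neither flow is translated before the
! crypto ACL is evaluated. The pool flow is outside-to-outside because of
! the hairpin; the inside flow covers the Atlanta LANs.
nat (inside,outside) source static ATL_SUBNETS ATL_SUBNETS destination static CHI_SUBNETS CHI_SUBNETS no-proxy-arp route-lookup
nat (outside,outside) source static ATL_ANYCONNECT_POOL ATL_ANYCONNECT_POOL destination static CHI_SUBNETS CHI_SUBNETS no-proxy-arp route-lookup

! ===== Chicago ASA: mirror image =====
! ATL_ANYCONNECT_POOL, ATL_SUBNETS and CHI_SUBNETS defined exactly as above.
access-list L2L_TO_ATLANTA extended permit ip object-group CHI_SUBNETS object-group ATL_SUBNETS
access-list L2L_TO_ATLANTA extended permit ip object-group CHI_SUBNETS object ATL_ANYCONNECT_POOL
crypto map OUTSIDE_MAP 10 match address L2L_TO_ATLANTA
nat (inside,outside) source static CHI_SUBNETS CHI_SUBNETS destination static ATL_SUBNETS ATL_SUBNETS no-proxy-arp route-lookup
nat (inside,outside) source static CHI_SUBNETS CHI_SUBNETS destination static ATL_ANYCONNECT_POOL ATL_ANYCONNECT_POOL no-proxy-arp route-lookup

! ===== Checks, run on the Atlanta ASA with an AnyConnect session up =====
! Simulate a client at a pool address reaching a Chicago production host.
! Expect the NAT phase to hit the identity rule, a VPN encrypt phase, and
! a final result of ALLOW; a DROP in the NAT or VPN phase names the missing piece.
packet-tracer input outside tcp 192.168.100.10 40000 10.12.10.20 443
! Confirm a pool <-> Chicago proxy identity exists and encaps/decaps counters move.
show crypto ipsec sa peer <CHICAGO_PEER_IP>
show nat detail
```

Both ASAs must agree on the extra pool-to-Chicago entry: a crypto ACL that lists it on only one side produces a proxy-identity mismatch in the IKE negotiation, and the packet-tracer VPN phase is the quickest way to tell that apart from a NAT rule ordering problem, since manual NAT rules are matched top-down and a broader dynamic PAT rule placed above the identity rules would translate the pool before the crypto ACL ever sees it.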



