Cisco Support Community
New Member

Anyconnect client can't hairpin back out to VPN tunnel site

I have an ASA 5520 that is the device that all of our remote access connect with and it is the VPN tunnels for our backup connections if our MPLS circuits fail. Just recently I added a site that has a VPN tunnel only. The remote users connecting through Anyconnect can get to any MPLS site and all MPLS users can get to the VPN only site but the remote users that connect to this ASA can't connect to the VPN tunnel site. If the remote users connect to one of our ASAs in another site, they can get to the VPN tunnel site. This sounds like a hairpinning issue but I am unable to find what is missing.

 

I have inter and intra traffic permitted.

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

 

I have the nonat ACL set to allow any to every site.

access-list inside_nat0_outbound extended permit ip any 10.234.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip any 10.234.4.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip any Williston-10.176 255.255.254.0
access-list inside_nat0_outbound extended permit ip any Fayetteville-10.40 255.255.254.0
access-list inside_nat0_outbound extended permit ip any Sparks-10.128 255.255.254.0
access-list inside_nat0_outbound extended permit ip any Springfield-10.140 255.255.254.0
access-list inside_nat0_outbound extended permit ip any Walterboro-10.160 255.255.254.0
access-list inside_nat0_outbound extended permit ip any Springdale-10.136 255.255.252.0
access-list inside_nat0_outbound extended permit ip any Tulsa-10.152 255.255.254.0
access-list inside_nat0_outbound extended permit ip any Amherst-10.216 255.255.254.0
access-list inside_nat0_outbound extended permit ip any MtPleasant_10.23.0.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip any Hillsdale_10.22.51.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any CapeFear-10.45 255.255.0.0
access-list inside_nat0_outbound extended permit ip any Concord-10.169 255.255.254.0
access-list inside_nat0_outbound extended permit ip any Mexico-10.96 255.255.254.0

Any tips will be appreciated.

 

2 REPLIES
New Member

What about your routing?

New Member

I turned in a ticket with Cisco and it turned out to be a bug in the IOS I was running on that ASA. asa825-26-K9 was upgraded to asa825-29-K9.

Thanks,
