Cannot for the life of me get remote VPN clients to be able to use site to site VPNs (ASA 5506's)
So this has been going on for weeks now. I have a client that we set up with two ASA 5506s to add to the one that they already had configured. All three are in separate physical locations; site-to-site VPNs are established and working.
All three ASAs are also configured for remote VPN clients, and all of them can be accessed via AnyConnect, IPsec client, etc., giving access to the network behind whichever ASA the client connects to.
However, when connected via a VPN client, users cannot connect to the other sites; in other words, they can't use the site-to-site VPN tunnels from their client. If they were to SSH into a machine on the internal network, they could then access remote machines via the site-to-site VPN, so the site-to-site VPNs work fine for anything coming from the internal networks.
Hairpinning is enabled. However, I've been troubleshooting this for more hours than I can even remember, and have spent a little time with Cisco support, whose suggestions have not helped either up to this point (I have been unable to get in touch with them today, and will continue trying). This is such a time-critical thing and has been going on for so long with no end in sight that I'm desperately looking for help anywhere I can get it at this point, hence the post.
Here's what I think are the relevant pieces of the config on the one ASA I'm trying to get working (it's not being used, so I can work on it without fear of disrupting anyone):
Inside network (Site1): 192.168.0.0
VPN/Anyconnect pool (Site1): 192.168.1.0
Remote Network (Site2): 192.168.2.0
same-security-traffic permit intra-interface
access-list Split_Tunnel extended permit ip object-group SplitTunnel any
object-group network SplitTunnel
network-object 192.168.0.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
access-list L2LSite1ToSite2 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2LSite1ToSite2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
I "think" this is the important stuff regarding my issue; if you need more of the config, I'm happy to provide more. Essentially the only thing Cisco support has suggested so far was adding the above nat (outside,outside) statement, as I did not have that in there initially. Unfortunately it didn't fix the issue, but it needed to be in there I guess.
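For a remote-access client's traffic to ride a site-to-site tunnel on an ASA, the VPN pool has to be covered in three separate places: the split-tunnel list (so the client routes the remote subnet into the tunnel at all), the L2L crypto ACL (so the ASA encrypts pool-to-remote traffic) and the hairpin permit plus the outside-to-outside NAT exemption. The checker below is an added example, not code from the post or from Cisco; it parses the exact fragment pasted above (the ACL and object-group names Split_Tunnel, SplitTunnel and L2LSite1ToSite2 come from the post, the network-object lines are re-indented as the ASA prints them, and the 192.168.1.0/24 pool and 192.168.2.0/24 remote subnet are taken from the post's summary) and reports which of those prerequisites the fragment meets. Run against the posted fragment it flags that the SplitTunnel group lists only the inside network and the pool, so 192.168.2.0/24 is never pushed to the client as a split-tunnel route; the nat (outside,outside) check can only see what was pasted, so it reports the statement as absent here.

```python
"""Check that an ASA remote-access pool is covered everywhere it must be
before clients can reach a remote subnet over a site-to-site tunnel."""
import ipaddress
import re

# Constructed input: the fragment pasted in the post above (Site1 ASA),
# with the network-object lines indented as the ASA prints them.
SITE1_CONFIG = """\
same-security-traffic permit intra-interface
access-list Split_Tunnel extended permit ip object-group SplitTunnel any
object-group network SplitTunnel
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
access-list L2LSite1ToSite2 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2LSite1ToSite2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""

VPN_POOL = ipaddress.ip_network("192.168.1.0/24")    # from the post's summary
REMOTE_NET = ipaddress.ip_network("192.168.2.0/24")  # from the post's summary


def parse_object_groups(config):
    """Return {group_name: [ip_network, ...]} for 'object-group network' blocks."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"object-group network (\S+)$", line)
        member = re.match(r"network-object (?:host (\S+)|(\S+) (\S+))$", line)
        if header:
            current = header.group(1)
            groups[current] = []
        elif member and current is not None:
            host, addr, mask = member.groups()
            net = f"{host}/32" if host else f"{addr}/{mask}"
            groups[current].append(ipaddress.ip_network(net, strict=False))
        elif line:
            current = None  # any other command ends the object-group block
    return groups


def _take_address(tokens, groups):
    """Pop one ASA address spec off the token list and return it as networks."""
    tok = tokens.pop(0)
    if tok in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")]
    if tok == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if tok == "object-group":
        return list(groups[tokens.pop(0)])
    return [ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)]


def parse_acls(config, groups):
    """Return {acl_name: [(src_nets, dst_nets), ...]} for 'permit ip' entries."""
    acls = {}
    for raw in config.splitlines():
        m = re.match(r"access-list (\S+) extended permit ip (.*)$", raw.strip())
        if not m:
            continue
        tokens = m.group(2).split()
        src = _take_address(tokens, groups)
        dst = _take_address(tokens, groups)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def covered(nets, target):
    """True if target lies entirely inside one of nets."""
    return any(target.subnet_of(n) for n in nets)


def check_client_to_remote(config, pool, remote, split_acl, crypto_acl):
    """Report which prerequisites for pool -> remote traffic the fragment meets."""
    groups = parse_object_groups(config)
    acls = parse_acls(config, groups)
    return {
        # hairpin: traffic may enter and leave on the same interface
        "hairpin_permitted": "same-security-traffic permit intra-interface" in config,
        # client side: the split list (source field) must push the remote subnet
        "split_tunnel_includes_remote": any(
            covered(src, remote) for src, _ in acls.get(split_acl, [])),
        # ASA side: the crypto ACL must match pool -> remote
        "crypto_acl_matches_pool_to_remote": any(
            covered(src, pool) and covered(dst, remote)
            for src, dst in acls.get(crypto_acl, [])),
        # NAT exemption for the hairpin; only detectable if it was pasted
        "nat_outside_outside_present": bool(
            re.search(r"^nat \(outside,outside\) source static", config, re.M)),
    }


if __name__ == "__main__":
    report = check_client_to_remote(
        SITE1_CONFIG, VPN_POOL, REMOTE_NET, "Split_Tunnel", "L2LSite1ToSite2")
    for key, ok in report.items():
        print(f"{'OK ' if ok else 'GAP'} {key}")
```

The same check belongs on the Site2 ASA with the roles swapped: its crypto ACL and NAT exemption must name 192.168.1.0/24 as the destination, otherwise the return traffic is dropped or translated even when Site1 is correct.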