Would like some general guidance in configuring 2 ASAs connected via site-to-site VPN and then having remote AnyConnect clients connect to the far-end site.
Both ASAs are set up for site-to-site VPNs as shown on the attached diagram. Hosts on each LAN segment can ping across the site-to-site tunnel.
One of the ASAs also acts as a terminating endpoint for AnyConnect clients. Remote AnyConnect users can successfully see items on the 192.168.1.X subnet shown on the attached (and items behind the router not shown). The outside interfaces of the ASAs are the terminating points for all crypto.
Where I'm struggling is configuring the ASAs so the remote AnyConnect users can see the 192.168.2.X network, and general guidance is appreciated.
A few things: These IPs are not my production IPs and I don't want to include config outputs. No routing other than static routing is configured between ASAs and any layer-3 devices. For those users in the 192.168.1.X subnet their default gateway is configured to be the Router 192.168.1.1. For those users in the 192.168.2.X network their default gateway is configured to be the ASA 192.168.2.1. Attached diagram generally shows how I'm set up and what I'd like to accomplish.
What I'm thinking I need is the following:
Static route on 192.168.2.1 ASA for 192.168.102.0/24 network to ???inside interface of 192.168.1.254???
NAT exemption on both ASAs for the remote user traffic to/from the 192.168.2.X network.
If you can comment or point me to online config examples, it would be appreciated.