Community Member

ASA 5505 8.2 AnyConnect connect to other site-to-site subnets

Hello,

I am somewhat new to Cisco and routing. I have an installation of two ASA 5505s that are set up for site-to-site VPN as well as AnyConnect. The AnyConnect subnet can connect into the inside VLAN at Site A, but I cannot get to the remote subnet at Site B when using AnyConnect. Any ideas? Do I need to add the 10.0.7.0/24 subnet to the site-to-site policy? Do I need to set up more NAT rules? Details below.

Site A: ASA 5505 8.2

Outside: 173.X.X.X/30

Inside: 10.0.5.0/24

AnyConnect: 10.0.7.0/24

Site B: ASA 5505 8.2

Outside: 173.X.X.X/30

Inside: 10.0.6.0/24

The AnyConnect subnet cannot access the 10.0.6.0/24 network.

Any help would be greatly appreciated!! Thanks!

2 ACCEPTED SOLUTIONS

ASA 5505 8.2 AnyConnect connect to other site-to-site subnets

Hello Kevin,

You need to do Identity U-turning ((outside,outside) Identity NAT, basically) for both subnets (AnyConnect and Remote_IPSec).

And of course include the traffic in the crypto ACL for the IPsec and in the split tunnel (if used) with the AnyConnect.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

ASA 5505 8.2 AnyConnect connect to other site-to-site subnets

Hi Kevin,

You would need to exempt the traffic coming from AnyConnect and going over the site-to-site VPN.

Here is the list of changes you need to make, with examples:

The nat exemption ACL:

access-list anyconnect_to_site extended permit ip 10.0.7.0 255.255.255.0 10.0.6.0 255.255.255.0

nat (outside) 0 access-list anyconnect_to_site

======================================

Addition to the crypto ACL on site A (use your existing crypto ACL name in place of the placeholder):

access-list <crypto-acl-name> extended permit ip 10.0.7.0 255.255.255.0 10.0.6.0 255.255.255.0

========================================

Addition to the crypto ACL on site B (the mirror image of the site A entry):

access-list <crypto-acl-name> extended permit ip 10.0.6.0 255.255.255.0 10.0.7.0 255.255.255.0

========================================

If you have implemented split tunneling on AnyConnect, you need to direct the traffic for 10.0.6.0 to the ASA by adding it to the split-tunnel (standard) ACL:

access-list <split-tunnel-acl-name> standard permit 10.0.6.0 255.255.255.0

==============================================================

You would also need to implement the following command, so that traffic arriving on the outside interface (AnyConnect) can leave on the same interface (site-to-site tunnel):

same-security-traffic permit intra-interface

=================================================

I hope this helps,

Regards,

~Harry
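As an added check that is not part of the original thread, the following Python script reads a saved ASA 8.2 configuration from each site and reports which of the four items above are still missing for the AnyConnect pool to reach the remote LAN: the site A crypto ACL entry, its mirror on site B, the outside NAT exemption, and the intra-interface permit. The sample configs and the ACL names in them are constructed for the example, and only network/mask ACEs are parsed.

```python
import ipaddress
import re

# One ASA 8.2 extended ACE in network/mask form: access-list NAME extended permit ip SRC MASK DST MASK
# (host/any/object entries are deliberately not parsed and will not count as coverage)
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# NAT exemption bound to the outside interface: nat (outside) 0 access-list NAME
NAT0_RE = re.compile(r"^nat\s+\(outside\)\s+0\s+access-list\s+(\S+)$")

def parse_aces(config, acl_name):
    """Return the (src_net, dst_net) pairs of the named ACL as ip_network objects."""
    pairs = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            pairs.append((ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"),
                          ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")))
    return pairs

def covers(pairs, src, dst):
    """True if some ACE permits the whole of src talking to the whole of dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)

def check_flow(site_a_cfg, site_b_cfg, crypto_a, crypto_b, vpn_pool, remote_lan):
    """List the gaps that stop vpn_pool (terminating on site A) reaching remote_lan."""
    pool, lan = ipaddress.ip_network(vpn_pool), ipaddress.ip_network(remote_lan)
    gaps = []
    if not covers(parse_aces(site_a_cfg, crypto_a), pool, lan):
        gaps.append("site A crypto ACL has no pool->remote entry")
    if not covers(parse_aces(site_b_cfg, crypto_b), lan, pool):
        gaps.append("site B crypto ACL has no mirror remote->pool entry")
    nat0 = [NAT0_RE.match(l.strip()) for l in site_a_cfg.splitlines()]
    if not any(covers(parse_aces(site_a_cfg, m.group(1)), pool, lan) for m in nat0 if m):
        gaps.append("site A has no nat (outside) 0 exemption for pool->remote")
    if "same-security-traffic permit intra-interface" not in site_a_cfg:
        gaps.append("site A lacks same-security-traffic permit intra-interface")
    return gaps

# Constructed sample configs; the ACL names are made up for this example.
SITE_A_BEFORE = "access-list outside_cryptomap extended permit ip 10.0.5.0 255.255.255.0 10.0.6.0 255.255.255.0\n"
SITE_A_AFTER = SITE_A_BEFORE + """\
access-list outside_cryptomap extended permit ip 10.0.7.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list anyconnect_to_site extended permit ip 10.0.7.0 255.255.255.0 10.0.6.0 255.255.255.0
nat (outside) 0 access-list anyconnect_to_site
same-security-traffic permit intra-interface
"""
SITE_B_BEFORE = "access-list outside_cryptomap extended permit ip 10.0.6.0 255.255.255.0 10.0.5.0 255.255.255.0\n"
SITE_B_AFTER = SITE_B_BEFORE + "access-list outside_cryptomap extended permit ip 10.0.6.0 255.255.255.0 10.0.7.0 255.255.255.0\n"
```

Call `check_flow(site_a_cfg, site_b_cfg, "outside_cryptomap", "outside_cryptomap", "10.0.7.0/24", "10.0.6.0/24")` with the text of `show running-config` from each ASA; an empty list means all four pieces are in place.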
