Cisco Support Community
New Member

Cisco AnyConnect access to remote IPsec network

Hi All, I'm trying to give my remote AnyConnect users access to a network that is connected via an IPsec tunnel (ASA 5510 IPsec) from our main LAN.

AnyConnect VPN user----->ASA 5510 Local-LAN -----> IPsec tunnel to Remote-LAN

AnyConnect user accesses this --------------------------------------------------------------------------------------> Remote-LAN

AnyConnect ip

Local-LAN ip

Remote-LAN ip

Cheers for any suggestions

ASA has 8.4(4)

New Member

Re: Cisco AnyConnect access to remote IPsec network

So the IPsec remote access VPN is on another ASA, right?
And the hosts behind the first ASA are IPsec clients to that ASA?

Please provide your ASA configuration.

Sent from Cisco Technical Support Android App

New Member

Cisco AnyConnect access to remote IPsec network

Remote AnyConnect VPN clients connect to ASA 5510 which has an IPsec tunnel to a non-ASA device.

ASA Version 8.4(4)
!
hostname ciscoasa
enable password xxxx encrypted
passwd xxxx encrypted
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 72.xx.xx.xx
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object network obj_any
object network obj-
object network obj-
object network INSIDE-HOSTS
object network VPN-HOSTS
object network obj-
object network IPSEC-HOSTS
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list Split-Tunnel standard permit
access-list Split-Tunnel standard permit 173.x.x.0
access-list outside_cryptomap extended permit ip object INSIDE-HOSTS
access-list IPS extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool AnyConnect-POOL mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS
nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static IPSEC-HOSTS IPSEC-HOSTS no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-
 nat (inside,outside) static interface service tcp 3389 3389
object network obj-
 nat (outside,outside) dynamic interface
access-group 101 in interface outside
route outside 72.x.x.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host
 ldap-base-dn OU="xxxxxxxx",DC="xxxxx",DC="local"
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password xxxxxxxx
 ldap-login-dn CN="xxxx",CN="Users",DC="xxxxx",DC="local"
 server-type microsoft
user-identity default-domain LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 72.x.x.82
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns
!
dhcpd address inside
dhcpd enable inside
!
dhcpd address management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server source outside prefer
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles AnyConnectProfile disk0:/AnyConnectProfile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy AnyConnect internal
group-policy AnyConnect attributes
 dns-server value 192.168.x.x
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
  url-list none
  anyconnect modules value vpngina
  anyconnect profiles value AnyConnectProfile type user
  anyconnect ask enable
username AnyConnect1 password xxxxx encrypted
username AnyConnect1 attributes
 vpn-group-policy AnyConnect
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool AnyConnect-POOL
 authentication-server-group LDAP_SRV_GRP
 default-group-policy AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
 group-url https://xxxxxxx/ enable
tunnel-group 72.x.x.82 type ipsec-l2l
tunnel-group 72.x.x.82 ipsec-attributes
 ikev1 pre-shared-key xxxxxxx
!
class-map IPS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class IPS
  ips promiscuous fail-open
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

New Member

Re: Cisco AnyConnect access to remote IPsec network

Yes, do the following:
1. Add the IPsec remote network to the split-tunneling access list.
2. Add a new self-translation manual NAT with outside as both the ingress and egress interface, with the remote-access LAN as source and the AnyConnect pool as destination.
3. Add the following command to permit U-turn traffic:
same-security-traffic permit intra-interface

Sent from Cisco Technical Support Android App

New Member

Cisco AnyConnect access to remote IPsec network

Hi, I added this:

1. access-list Split-Tunnel standard permit

2. nat (outside,outside) source static IPSEC-HOSTS IPSEC-HOSTS destination static VPN-HOSTS VPN-HOSTS

3. same-security-traffic permit intra-interface

IPSEC-HOSTS is the remote network.

VPN-HOSTS is the AnyConnect pool.

Still not able to ping. Is my NAT OK?

New Member

Re: Cisco AnyConnect access to remote IPsec network

Hi Philip,

Does your remote LAN have a route for the AnyConnect IP pool pointing to your ASA 5510? And is it part of your crypto ACL?



New Member

Re: Cisco AnyConnect access to remote IPsec network

No. Would I use the inside interface (of the Cisco) for the gateway on the remote router (non-Cisco)? What would I use for the crypto ACL?
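
Pulling the advice in this thread together (the three steps in the first answer plus the crypto ACL and remote-route question in the last two replies), here is the complete set of ASA 8.4 commands for the hairpin described above. This is an added example, not something posted in the thread or Cisco's own sample. The object and ACL names match the posted config; the subnets are assumed placeholders because the real values are redacted above: 10.10.10.0/24 for the AnyConnect pool (VPN-HOSTS), 172.16.50.0/24 for the Remote-LAN (IPSEC-HOSTS), and 72.x.x.82 for the IPsec peer as in the thread.

```cisco
! Assumed subnets (placeholders, not from the thread). The objects already exist in the
! posted config; they are repeated here only so the example is self-contained.
object network VPN-HOSTS
 subnet 10.10.10.0 255.255.255.0
object network IPSEC-HOSTS
 subnet 172.16.50.0 255.255.255.0

! 1. Hairpin: AnyConnect traffic enters and leaves on "outside", so intra-interface
!    traffic must be allowed (already present in the posted config).
same-security-traffic permit intra-interface

! 2. Split tunnel: push the remote subnet to the client, otherwise the client never
!    sends Remote-LAN traffic into the SSL tunnel in the first place.
access-list Split-Tunnel standard permit 172.16.50.0 255.255.255.0

! 3. Identity (NAT-exempt) rule, Section 1 / manual NAT, pool <-> Remote-LAN. Manual NAT
!    is bidirectional, so one rule covers both directions, and Section 1 is evaluated before
!    the object NAT "nat (outside,outside) dynamic interface" that would otherwise PAT the pool.
nat (outside,outside) source static VPN-HOSTS VPN-HOSTS destination static IPSEC-HOSTS IPSEC-HOSTS

! 4. Interesting traffic: the crypto ACL decides what is encrypted toward the peer.
!    The posted ACL only matches INSIDE-HOSTS as source; without this line the pool's
!    packets never match the crypto map and are simply routed out "outside".
access-list outside_cryptomap extended permit ip object VPN-HOSTS object IPSEC-HOSTS

! 5. The non-ASA peer must mirror step 4: a second phase-2 selector / proxy-ID of
!    172.16.50.0/24 <-> 10.10.10.0/24. Remote hosts reach the pool through that tunnel
!    (their default gateway is the remote router); the ASA inside address is not involved.

! Verification, after an AnyConnect user pings a Remote-LAN host
show nat detail
packet-tracer input outside icmp 10.10.10.5 8 0 172.16.50.10 detailed
show crypto ipsec sa peer 72.x.x.82
```

The rule posted earlier in the thread, with IPSEC-HOSTS as source and VPN-HOSTS as destination, is equivalent to step 3 because manual NAT matches in both directions; the missing piece at that point was step 4 on the ASA and its mirror on the peer. After the first ping, `show crypto ipsec sa peer 72.x.x.82` should list a second SA pair whose local ident is 10.10.10.0/24 and remote ident 172.16.50.0/24; if only the INSIDE-HOSTS pair appears, the peer's selectors do not yet include the pool. Keep the NAT exemption and the crypto ACL scoped to the pool and the remote subnet rather than `any`, and if only some Remote-LAN hosts should be reachable from VPN users, restrict that with a `vpn-filter` ACL on the AnyConnect group-policy rather than widening the tunnel.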

