We have a remote site (Paris) with a 5512 with a couple of s2s tunnels and RA VPN clients (AnyConnect and IPsec). AnyConnect has no issue, but the IPsec client cannot pass traffic to the LAN. The subnet behind the FW is 10.176.0.0/16 and the RA client pool is 10.172.28.0/24. However, we have a s2s tunnel that NATs 10.0.0.0/8, and it appears that the traffic destined for the RA VPN IPsec clients is being matched to that rule, preventing connectivity to local resources via the IPsec VPN client.
This works at other sites with almost identical configuration, but for whatever reason it doesn't work here. I cannot specify individual subnets for the s2s tunnel as there would be too many. Can someone help me out and tell me why I can't get this working?
Regarding the AnyConnect client, it uses the same IP pool, but per Cisco, because it is AnyConnect (SSL) it doesn't match the IPsec rules that the IPsec client does. In my scenario the AnyConnect and IPsec clients were identical, i.e. same pool, group policy, tunnel list, just different tunneling protocols.
I am not sure what the actual situation is. Now that I think of it, since you are doing NAT0 configuration for both the L2L VPN and VPN Client connections, then the single NAT0 configuration for the L2L VPN that contains the whole network 10.0.0.0/8 should already handle all that is needed for both the L2L VPN and VPN Client.
The main thing is that it works, but as I said I am not sure what caused the actual problem, since all the other 10.0.0.0/8 subnets are located behind the "outside" interface.
Please do remember to mark a reply as the correct answer if it answered your question.
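For readers following the NAT0 discussion above, here is an added ASA 8.3+ configuration example (not posted by either participant) that makes the exemption for the RA client pool explicit instead of relying on the broad L2L rule. The object names, the interface names `inside`/`outside`, and the assumption that both the L2L peer and the RA clients terminate on `outside` are mine; the prefixes 10.176.0.0/16, 10.172.28.0/24 and 10.0.0.0/8 are the ones from the thread.

```cisco
! Assumed object names; only the prefixes come from the thread
object network LAN-PARIS
 subnet 10.176.0.0 255.255.0.0
object network RA-POOL
 subnet 10.172.28.0 255.255.255.0
object network REMOTE-10-8
 subnet 10.0.0.0 255.0.0.0

! Section 1 (manual/twice NAT) is evaluated top-down, first match wins.
! The more specific identity rule for the RA pool is placed first so that
! LAN <-> VPN-client traffic is matched here and never by the /8 rule below.
! route-lookup makes the egress interface follow the routing table rather
! than the interface named in the rule, which is the safer choice for
! identity NAT when several VPN types share the same outside interface.
nat (inside,outside) 1 source static LAN-PARIS LAN-PARIS destination static RA-POOL RA-POOL no-proxy-arp route-lookup

! Existing-style L2L exemption: the whole 10.0.0.0/8 remote side, unchanged
nat (inside,outside) 2 source static LAN-PARIS LAN-PARIS destination static REMOTE-10-8 REMOTE-10-8 no-proxy-arp route-lookup

! Verification: simulate a LAN host reaching an IPsec client and confirm
! which NAT rule is hit (constructed sample addresses inside the two prefixes)
packet-tracer input inside tcp 10.176.1.10 12345 10.172.28.5 445
show nat detail
```

In the `packet-tracer` output, the NAT phase should reference rule 1 with no translation applied, and `show nat detail` should show its hit counter incrementing for LAN-to-client traffic; if the counter on rule 2 moves instead, the ordering is wrong and the client traffic is still being classified as L2L traffic.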