You will need to include the client network in your tunnel list, and configure 'same-security-traffic permit intra-interface'. Also, you will need to modify the site to site tunnel between the client network and the data center so that the addresses handed out to AnyConnect users are included in the encryption domain.
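The three changes described above, sketched as an ASA configuration fragment. This is an added example, not configuration from the original post: the ACL and group-policy names and every address are constructed placeholders, and it assumes a dedicated AnyConnect pool (10.10.50.0/24) that is not already covered by the existing crypto ACL.

```text
! Constructed example values (not from the thread):
!   AnyConnect pool      10.10.50.0/24
!   Remote client LAN    192.168.20.0/24
!   SPLIT-TUNNEL, CRYPTO-CLIENT, GP-ANYCONNECT are hypothetical names

! 1. Allow traffic to enter and leave the same interface (hairpin).
!    AnyConnect traffic arrives on the outside interface and must go
!    back out of that interface into the site-to-site tunnel.
same-security-traffic permit intra-interface

! 2. Add the client network to the AnyConnect split-tunnel list so the
!    VPN client routes that destination through the ASA.
access-list SPLIT-TUNNEL standard permit 192.168.20.0 255.255.255.0
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 3. Add the AnyConnect pool to the encryption domain of the
!    site-to-site tunnel (the ACL matched by the existing crypto map).
access-list CRYPTO-CLIENT extended permit ip 10.10.50.0 255.255.255.0 192.168.20.0 255.255.255.0

! The peer at the client site needs the mirror-image entry in its own
! crypto ACL (source 192.168.20.0/24, destination 10.10.50.0/24),
! otherwise the IPsec SA for this pair of networks will not come up.
```

Keep the added crypto ACL entry as narrow as the access actually required, since every network pair in the encryption domain is reachable by any authenticated AnyConnect user unless a VPN filter or interface ACL restricts it.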
Thanks, it's good to know it is possible after all.
I'll have to look at the 'same-security-traffic permit intra-interface' command.
The addresses handed out to the AnyConnect clients are in the same subnet / range as the datacentre private network (as there are only about 10 devices there all on static private addresses), so if the client network already has our private network as part of the encryption domain, and the AnyConnect clients are on the same addresses, nothing is required in that respect?