Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Using Anyconnect to access remote L2L network with asa on 9.1

Hello all,

I am suck and could use some assistance here.   I have a very similar question as here, but I am on version 9.1(2).

It had been working prior with v8.2 (we recently upgraded).

 

So we have two lan-to-lan vpns established and both remote sites can access each-other's resources.  The client based vpn users however can not (neither IPSec client or anyconnect).

 

We created a network object group as shown below and did the double-nat statment, but that doesn't seem to have helped.  The remote networks are in the split-tunnel of the client.

 

Any thoughts would be greatly appreciated.

Thanks!  -Cheers, Peter.

 

192.168.1.0 = main site (inside of asa)

192.168.1.0 = remote a (isr851 w/ ezvpn network extension mode)

192.168.3.0 = standard lan to lan vpn tunne

192.168.7.0 = IP pool of IPSec/Anyconnect clients

 

object-group network int-vpn-nonat
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.7.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0

 

nat (Outside-MetroE,Outside-MetroE) source static int-vpn-nonat int-vpn-nonat destination static int-vpn-nonat int-vpn-nonat no-proxy-arp route-lookup

3 REPLIES
New Member

Just a few things to check:1.

Just a few things to check:

1. Does the far side ASA have a route back to the Any Connnect VPN subnet?

2. Does the far side ASA have a twice NAT configured for the Any Connect subnet?

3. Did you add the Any Connect subnet to the interesting traffic ACL for L2L?

 

Thanks,

Kevin

New Member

Hi Kevin,Thanks for taking

Hi Kevin,

Thanks for taking the time to help.  It is greatly appreciated.  smiley

 

For Nr. 3, I believe I have that correct... I do see the 192.168.7.0 network appear as a "remote ident" entry in the "sh cry ips sa" output and there are packet encaps listed (no decaps).

 

For Nr. 2, I believe so.  Here is what I have on the lan2lan remote site asa:

object network internal-network
 subnet
192.168.3.0 255.255.255.0

object-group network bcc-int-vpn-nonat
 network-object
192.168.0.0 255.255.255.0
 network-object
192.168.1.0 255.255.255.0
 network-object
192.168.7.0 255.255.255.0

 

nat (inside,outside) source static internal-network internal-network destination static int-vpn-nonat int-vpn-nonat no-proxy-arp route-lookup

 

For Nr. 1, I am fairly sure I have this right.  The hosts on the far end 192.168.3.x network all have their local ASA as their default gateway.  I don't have any additional routing setup outside of the "Reverse Route Injection" option in the static l2l cryptomap definition.

 

Things had been working fine before the upgrade...  My suspicion is that I am missing something in the double nat on the 192.168.0.x central ASA...  This whole not having nat exclusions is really been something strange and I still don't fully understand the logic behind it.

 

Sorry I still feel dense with this new nat format.

Thanks!  -Cheers, Peter.

New Member

bump.

bump.

141
Views
0
Helpful
3
Replies
CreatePlease login to create content