Re: Cisco AnyConnect Remote Access to L2L tunnels

["Christopher J. Wargaski" <wargo1 () gmail com>]

Hey Todd--

   I have not tried this before with AnyConnect VPNs, however, at one
time, I think I had a similar set up with remote access IPsec VPNs and
L2L tunnels.

   OK, you have the hairpin enabled and you the SSLClientPool IP block
is included in the ACL that marks interesting traffic. Good.

   Have you watched the logs when an AnyConnect client is trying to
access one of the remote L2L VPN locations? I am thinking right now
that the "crypto map OutsideVPN 192 set nat-t-disable" may be the
issue. Can you try enabling NAT-T

cjw



On Thu, Jun 11, 2009 at 7:47 AM, Todd Simons<tsimons () delphi-tech com> wrote:
> Inline...
>
> A couple questions:
> 1) Is the ASA a peer for the L2L tunnels?
> > > Yes
>
> 2) Are crypto maps for the L2L tunnels on the same interface as the AnyConnect VPN?
> > > Yes
>
> 3) Do you have the hairpin enabled?
> > > I think so (lines 48/49 in attached txt)
>
> 4) Can you send a copy of the ASA configuration?
> > > Attached.   Note that this is not a production ASA, config is still a work in progress.  This should be considered 
> > > "MainSite" and SiteA, SiteB, SiteC are satellites, RA VPNs terminate here at MainSite and should give access to 
> > > SiteA, Site and (eventually) SiteC.   SiteA has 2 IPSEC Networks, the remote gateway & a /29, SiteB just has the 
> > > remote gateway, Site C will just be a /27.   The tunnels that use the remote gateway are actually used for ingress 
> > > traffic from Sites.
>
> Thanks
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards