Are you doing SNAT on the ASAv? Most ClientVPN solutions use Source NAT, which makes routing easy as the VPN endpoint becomes the source of the traffic destined towards VPN resources. Also, if you are doing any sort of NATing, make sure to disable Source/Destination checks on the EC2 instance hosting ASAv. Lastly, the AnyConnect IP pool is usually only locally significant and not a routable segment, so I am not sure you would want to place an instance in that subnet. If none of this helps, then I would suggest reaching out to Cisco TAC or AWS premium support for troubleshooting.
Have you enabled "same-security-traffic permit intra-interface" on the ASA?
Yes we do have this.
I have also now tried with a new subnet on the ASAv, one not in the same IP range as the AZ. This allows me to add a route to the ASAv on the VPC route table, without having to have a subnet for it.
Still the same issue
OK, worked it out.
The CSR is a one-arm router with its interface in the public AZ. The public AZ needed a route added for 10.39.0.0 via the ASA inside interface.
Yes, we are doing source NAT and the src/dest check is disabled. I had the AnyConnect pool set as a subnet on the VPC and then a route to the ASAv.
I tried to remove the subnet and then just add the route, but I think because the AnyConnect pool is within the /16 for the VPC it would not let me add the route.
So currently I am trying to use a different /16 range for the AnyConnect pool. The VPC does let me add this new route to the ASAv.
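As an added example (not code from the thread or from AWS/Cisco), here is a Python pre-flight check for the approach the thread converged on: a VPN pool outside the VPC CIDR, source/destination check disabled on the ASAv inside interface, and a route for the pool pointing at that ENI in each route table that needs to reach VPN clients. All CIDRs, ENI and route table ids below are constructed placeholders.

```python
import ipaddress

# Constructed placeholders; substitute your own CIDRs and ids.
VPC_CIDR = "10.38.0.0/16"
SUBNETS = ["10.38.1.0/24", "10.38.2.0/24"]       # public and inside subnets
ASAV_INSIDE_ENI = "eni-0123456789abcdef0"         # ASAv inside interface (placeholder)
ROUTE_TABLES = ["rtb-public-placeholder", "rtb-inside-placeholder"]


def plan_vpn_pool_route(vpc_cidr, subnet_cidrs, pool_cidr, eni_id, route_table_ids):
    """Validate an AnyConnect pool against the VPC and emit the AWS CLI steps.

    Returns a dict with ok (bool), findings (list of str) and commands (list of str).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    findings, commands = [], []

    # The thread reports that a pool inside the VPC /16 could not be given a
    # static route towards the ASAv (the VPC 'local' route already covers it),
    # so flag any overlap with the VPC CIDR or with an existing subnet.
    if pool.overlaps(vpc):
        findings.append(f"pool {pool} overlaps VPC CIDR {vpc}; pick a range outside the VPC")
    for s in subnet_cidrs:
        if ipaddress.ip_network(s, strict=False).overlaps(pool):
            findings.append(f"pool {pool} collides with subnet {s}")
    if findings:
        return {"ok": False, "findings": findings, "commands": commands}

    # The ASAv forwards traffic not addressed to its own ENI, so the
    # source/destination check on that interface must be disabled.
    commands.append(
        f"aws ec2 modify-network-interface-attribute --network-interface-id {eni_id} "
        "--no-source-dest-check")
    # Every route table that must reach VPN clients gets a route for the pool
    # via the ASAv inside interface (the fix the thread ended with).
    for rtb in route_table_ids:
        commands.append(
            f"aws ec2 create-route --route-table-id {rtb} "
            f"--destination-cidr-block {pool} --network-interface-id {eni_id}")
    return {"ok": True, "findings": findings, "commands": commands}


if __name__ == "__main__":
    # First pool sits inside the VPC /16 (rejected); second is a separate /16 (accepted).
    for candidate in ("10.38.200.0/24", "10.39.0.0/16"):
        result = plan_vpn_pool_route(VPC_CIDR, SUBNETS, candidate, ASAV_INSIDE_ENI, ROUTE_TABLES)
        print(candidate, "OK" if result["ok"] else "REJECT")
        for line in result["findings"] or result["commands"]:
            print("  ", line)
```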