https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191787#M954676 <HTML><HEAD></HEAD><BODY><P>The ACLs appear to be working fine. I am passing IP traffic for all of the configured subnets with the exception of the remote access subnet. I have both ends of the tunnel configured with the RA subnet in the crypto map. I am not using reverse route injection. Actually I am not at all familiar with it. Do you think this is where I should start looking? </P><P></P><P>Thanks </P><P></P></BODY></HTML> Mon, 27 Apr 2009 18:14:18 GMT jhankin 2009-04-27T18:14:18Z https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191785#M954664 <P>I am using an ASA 5510 for both remote access and site to site VPN. Is there a way for the remote access clients to access the remote sites via the site to site tunnels? I have included the IP address range of the remote access clients in the crypto maps for the site to site tunnels but their traffic appears to be blocked. I suppose I could set up a second ASA to handle just the remote access users but I would prefer to avoid the expense if possible. </P><P></P><P>Thanks </P><P></P> Fri, 21 Feb 2020 11:25:42 GMT https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191785#M954664 jhankin 2020-02-21T11:25:42Z https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191786#M954672 <HTML><HEAD></HEAD><BODY><P>Are the acl configure correctly and are you permitting the traffic on the remote end? You wont need that second ASA, I have this setup in my network now. Are you using RRI for the site to site? Reverse route injection.</P></BODY></HTML> Mon, 27 Apr 2009 18:00:02 GMT https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191786#M954672 DialerString_2 2009-04-27T18:00:02Z https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191787#M954676 <HTML><HEAD></HEAD><BODY><P>The ACLs appear to be working fine. I am passing IP traffic for all of the configured subnets with the exception of the remote access subnet. I have both ends of the tunnel configured with the RA subnet in the crypto map. I am not using reverse route injection. Actually I am not at all familiar with it. Do you think this is where I should start looking? </P><P></P><P>Thanks </P><P></P></BODY></HTML> Mon, 27 Apr 2009 18:14:18 GMT https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191787#M954676 jhankin 2009-04-27T18:14:18Z https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191788#M954678 <HTML><HEAD></HEAD><BODY><P>RRI only injects a static route in the ASA routing table and removes it when the tunnel is down. </P><P></P><P>Can you provide a show run access-list, show run nat, sh run crypto and a sh run tunnel? </P><P></P><P>Can you paste the acl from the other side? </P></BODY></HTML> Mon, 27 Apr 2009 18:22:02 GMT https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191788#M954678 DialerString_2 2009-04-27T18:22:02Z https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191789#M954681 <HTML><HEAD></HEAD><BODY><P>I have attached the output of the show commands as a text file. </P><P></P><P>Thanks </P><P></P><P></P><P></P><P> </P><P></P></BODY></HTML> Mon, 27 Apr 2009 19:16:17 GMT https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191789#M954681 jhankin 2009-04-27T19:16:17Z https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191790#M954684 <HTML><HEAD></HEAD><BODY><P>Where is your pool of addresses for: </P><P></P><P>address-pool RemoteAccPool</P></BODY></HTML> Tue, 28 Apr 2009 17:43:16 GMT https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191790#M954684 DialerString_2 2009-04-28T17:43:16Z https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191791#M954687 <HTML><HEAD></HEAD><BODY><P>Your dynamic-map sequence number should always be higher than the static crypto maps. </P><P></P><P>You may want to start them at 6000 you can have up to 65535, and the number is optional</P></BODY></HTML> Tue, 28 Apr 2009 17:51:56 GMT https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191791#M954687 DialerString_2 2009-04-28T17:51:56Z https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191792#M954691 <HTML><HEAD></HEAD><BODY><P>The pool of addresses for remote access is 172.25.25.1 to 172.25.25.254. This is the address pool referred to by RemoteAccPool. I have confirmed that this range of addresses is in the ACLs on both ends of the tunnel. This is were I first started looking when the traffic would not pass once the tunnel was established.</P><P></P><P>Thanks </P><P></P></BODY></HTML> Tue, 28 Apr 2009 19:04:18 GMT https://community.cisco.com/t5/network-security/remote-access-and-site-to-site-on-the-same-asa/m-p/1191792#M954691 jhankin 2009-04-28T19:04:18Z