Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
482
Views
0
Helpful
5
Replies

Routing over site to site tunnel after connecting via remote access

Go to solution
UCcomp2007
Level 2
Level 2

‎09-14-2009 10:09 AM - edited ‎03-11-2019 09:15 AM

Can someone point me in the right direction.

I have an ASA 5505 setup with both remote access (Anyconnect), as well as a site to site tunnel over to a business partner.

From the outside, I can connect via anyconnect and go anywhere within my internal network. From the inside (when at the office where ASA is at) I can route to any destination on partner side (over site to site tunnel). But what I can't do, is when I connect via remote access from outside, is access the partner side network over the site to site tunnel. Can't ping any address on other side.

u used the vpn wizards to create both remote access and site to site tunnels.

thanks in advance,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to DialerString_2

‎09-14-2009 02:22 PM

Daniel, sorry for not giving you an example in my previous post which sounds confusing :)

I was able to fine a thread from while back , follow the example , apply the same principle for your anyconnect . should work. if you need help let me know to help you out.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2e0f6/4

Jorge Rodriguez

View solution in original post

0 Helpful
5 Replies 5

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10

‎09-14-2009 10:43 AM

You need to add your RA Pool network in partner's Ipsec tunnel acl policy , and at the same time in your office ASA where you have tunnel to partner and RA vpn allow same in your tunnel policy with partner, meaning you will allow in ASA partnet network to talk to RA network, also using your existing nat exempt rule for Ipsec applied to interface outside where both tunnels come in, that is l2l and RA tunnels, in additional to adding same-security-traffic permit intra-interface statement in office ASA for traffic to partner tunnel goes out and in on same interface where RA tunnel terminates in that office firewall.

regards

Jorge Rodriguez
0 Helpful

Go to solution
DialerString_2
Level 3
Level 3
In response to JORGE RODRIGUEZ

‎09-14-2009 12:27 PM

I ran into a similar problem last Friday except my l2l tunnel could not ping each other. I used the command "nat (outside) 0 access-list 90"

"access-list 90 extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0"

Hope this helps

0 Helpful

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to DialerString_2

‎09-14-2009 02:22 PM

Daniel, sorry for not giving you an example in my previous post which sounds confusing :)

I was able to fine a thread from while back , follow the example , apply the same principle for your anyconnect . should work. if you need help let me know to help you out.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2e0f6/4

Jorge Rodriguez
0 Helpful

Go to solution
UCcomp2007
Level 2
Level 2
In response to JORGE RODRIGUEZ

‎09-15-2009 04:54 AM

Thanks Jorge. Worked like a charm. Awesome follow up on your part, thanks for the help.

Regards,

0 Helpful

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to UCcomp2007

‎09-15-2009 07:30 AM

Daniel, glad all worked out.. thanks for the rating.

Regards

Jorge Rodriguez
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card