
ASA 5505 l2l tunnel with Easy VPN remote

amir
Level 1

Hi guys,

I have set up two ASA 5505s (let's call them ASA1 and ASA2) with a site-to-site VPN configuration and I've encountered two problems with my setup.

ASA1 has IP 192.168.1.254 on the inside interface and connects to ASA2. It's also an Easy VPN Server for external users to connect through Easy VPN Client.

ASA2 has IP 192.168.11.1 on the inside interface and connects to ASA1.

Problem #1. Neither of the ASAs can ping the other's inside LAN IP address. Computers behind the ASAs are unable to ping the remote ASA's inside IP address. My guess is that this has to do with either NAT or built-in security.

Problem #2. The Easy VPN clients which connect to ASA1 are unable to access the LAN behind ASA2. Maybe this isn't possible?

I've attached the configuration on ASA1 for you to view.

Thanks in advance

3 Replies

Yudong Wu
Level 7

1. Yes, it's a kind of built-in security: you cannot ping the inside interface of the ASA via the VPN tunnel. You should be able to disable it by using "management-access inside".

2. Yes, it's possible. Please go to Cisco.com and search "PIX/ASA 7.x Enhanced Spoke-to-Client VPN with TACACS+ Authentication Configuration Example"; you can find the example configuration for this.

By the way, your VPN IP pool overlaps with the inside network on ASA1. I would suggest that you use a different subnet.

Thank you so much! Exactly what I was looking for. I'll test it out tomorrow.

Cheers!

Hi again,

Tested out the configuration example that you suggested, Yudong Wu, and it works like a charm. I also enabled management-access inside, which also did the trick.

I also changed the IP pool that you suggested to another subnet.

Thanks again!
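
The pool overlap pointed out in the reply above can be checked mechanically before a config is deployed. The script below is an added example, not part of the original thread or the poster's attached configuration: it parses `nameif`, `ip address` and `ip local pool` lines from an ASA config and reports any address pool whose range intersects a directly connected interface network. The sample config is constructed; only the inside address 192.168.1.254 comes from the thread, and the pool names and ranges are assumptions.

```python
import ipaddress
import re

# Constructed sample config. Only the inside address is taken from the thread;
# the outside address, pool names and pool ranges are made up for illustration.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
ip local pool OLD_POOL 192.168.1.200-192.168.1.220 mask 255.255.255.0
ip local pool NEW_POOL 192.168.50.10-192.168.50.50 mask 255.255.255.0
"""

POOL_RE = re.compile(
    r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)(?:-(\d+\.\d+\.\d+\.\d+))?", re.M)

def interface_networks(config):
    """Map nameif -> connected network, from indented interface sub-commands."""
    nets, name = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):      # top-level line ends the interface block
            name = None
            continue
        words = line.split()
        if words[:1] == ["nameif"] and len(words) == 2:
            name = words[1]
        elif words[:2] == ["ip", "address"] and name and len(words) >= 4:
            try:
                nets[name] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
            except ValueError:            # e.g. "ip address dhcp setroute"
                pass
    return nets

def overlapping_pools(config):
    """Return sorted (pool, interface, network) tuples for overlapping pools."""
    nets = interface_networks(config)
    hits = []
    for pool, first, last in POOL_RE.findall(config):
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last or first)   # single-address pool
        for ifname, net in nets.items():
            if lo <= net[-1] and hi >= net[0]:     # closed ranges intersect
                hits.append((pool, ifname, str(net)))
    return sorted(hits)

if __name__ == "__main__":
    for pool, ifname, net in overlapping_pools(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps {ifname} network {net}")
```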