Beginner

NAT issue with L2TP VPN

Hello,

I have created a remote-access VPN on an ASA 5510 and I am able to connect using L2TP clients with a preshared key, and I am able to ping the network behind the firewall (192.168.1.0).

Now the problem is that this ASA is already connected with a site-to-site VPN to another ASA, and the network behind that other ASA is 10.10.10.0.

My problem is that I am not able to ping that 10.10.10.0 network through the remote VPN. I know this is some NAT issue but I am unable to rectify it.

Cisco Employee

To be able to access the remote LAN via the site-to-site VPN from the remote VPN client, you would need to configure the following:

1) same-security-traffic permit intra-interface

2) If you have split tunneling configured for the VPN client, you would need to add the remote LAN subnet to the split-tunnel ACL.

3) Your site-to-site VPN crypto ACL needs to include the VPN client pool subnet as the source subnet on your ASA, with the remote LAN as the destination. The mirror-image ACL needs to be configured on the remote ASA.

4) The remote ASA also needs to configure NAT exemption for traffic destined towards the VPN Client pool.

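As an added example (not part of the original thread and not Cisco's own documentation), here is what those four steps look like on both ASAs in pre-8.3 ASA syntax. The client pool 192.168.100.0/24, the ACL, pool, crypto-map and group-policy names, and the interface names "inside" and "outside" are assumptions; 192.168.1.0/24 and 10.10.10.0/24 are the subnets from the question.

```text
! ===== Local ASA (terminates the L2TP clients) =====
! 1) Client traffic arrives on "outside" from the L2TP tunnel and must leave on
!    "outside" again into the L2L tunnel, so intra-interface (hairpin) traffic is permitted
same-security-traffic permit intra-interface

! Client pool on its own subnet, not carved out of the 192.168.1.0/24 LAN (assumed range)
ip local pool L2TP_POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

! 2) Split-tunnel list: the local LAN and the remote LAN behind the L2L tunnel
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0
group-policy L2TP_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 3) Crypto ACL for the site-to-site tunnel: LAN-to-LAN plus pool-to-remote-LAN
access-list L2L_CRYPTO extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO

! NAT exemption toward the remote LAN. The "outside" rule only matters if a dynamic
! NAT rule on "outside" would otherwise translate the hairpinned client traffic.
access-list NONAT_INSIDE extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
access-list NONAT_OUTSIDE extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (outside) 0 access-list NONAT_OUTSIDE

! ===== Remote ASA (10.10.10.0/24 behind it) =====
! 3) Mirror-image crypto ACL: remote LAN to local LAN and to the client pool
access-list L2L_CRYPTO extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO

! 4) NAT exemption for return traffic destined to the client pool
access-list NONAT_INSIDE extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT_INSIDE extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
```

To check the result, run `packet-tracer input outside icmp 192.168.100.5 8 0 10.10.10.5` on the local ASA (a pool address as the source, a remote-LAN host as the destination) and confirm the VPN encrypt phase is reached rather than a NAT or ACL drop, then look for a 192.168.100.0/24 to 10.10.10.0/24 proxy identity in `show crypto ipsec sa` on both sides. Two caveats: on ASA 8.3 and later the `nat ... 0 access-list` exemptions are written as twice-NAT `nat (inside,outside) source static ... destination static ...` rules instead, and the split-tunnel list in step 2 is honoured by the Cisco VPN client but not by the Windows built-in L2TP/IPsec client, which decides its own routing (use its "default gateway on remote network" setting or classless static routes there).
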
Beginner

Hello Jennifer Halim,

Many thanks for the reply, but it's not working, because it is an MPLS connection between the ASAs, not a site-to-site VPN (my fault).

Now the remote ASA is configured with NAT exemption for the traffic coming from the 192.168.0.0 subnet (my VPN pool is within that range).

I have not configured split tunneling at all.

Now I have permitted same-security-traffic intra-interface,

but it is not working. Please help.

Cisco Employee

1) A network diagram might help as I would need to know how is your MPLS connected.

2) A copy of the ASA configuration will also help.

Actually, the pool subnet should be configured as an entirely different (unique) subnet; it shouldn't be part of the internal subnet range.
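
As an added example that is not part of the thread, this is what a unique client pool looks like in the MPLS case (pre-8.3 syntax). It assumes a topology the thread never confirms: an MPLS CE router on each ASA's inside interface (192.168.1.254 and 10.10.10.254), with the ASAs in the path between the two sites. The pool 192.168.100.0/24 and the ACL and pool names are also assumptions. Step 1 of the earlier reply is not needed here, because client traffic enters on outside and leaves on inside.

```text
! ===== Local ASA (terminates the L2TP clients) =====
! Unique pool: not a slice of 192.168.1.0/24 or of any other internal range,
! so the remote side can route to it as a distinct subnet (assumed range)
ip local pool L2TP_POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0
! Route to the remote site via the MPLS CE router on inside (assumed next hop)
route inside 10.10.10.0 255.255.255.0 192.168.1.254

! ===== Remote ASA (10.10.10.0/24 behind it) =====
! Route back to the client pool via the MPLS CE router on inside (assumed next hop);
! the MPLS provider must also carry 192.168.100.0/24 between the sites
route inside 192.168.100.0 255.255.255.0 10.10.10.254
! NAT exemption for inside traffic destined to the client pool, matching the pool exactly
access-list NONAT_INSIDE extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
```

The point of the unique subnet is that a pool carved out of an internal range overlaps addresses that the MPLS cloud and the LAN hosts already believe are local, so return traffic to a client can be delivered on the LAN instead of back to the ASA; with its own subnet the pool is just another route. `show route` on the remote ASA should list 192.168.100.0/24 via the MPLS next hop, and `packet-tracer input inside icmp 10.10.10.5 8 0 192.168.100.5` there should show the NAT exemption matching rather than a translation.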