NAT issue with L2TP VPN

onlinerecharge
Level 1

Hello,

I have created a remote VPN on an ASA 5510 and I am able to connect using L2TP clients with a preshared key and able to ping the network behind the firewall (192.168.1.0).

Now the problem is that this ASA is already connected with a site-to-site VPN to another ASA, and the network behind that other ASA is 10.10.10.0.

My problem is that I am not able to ping that 10.10.10.0 network through the remote VPN. I know this is some NAT issue but I am unable to rectify it.

3 Replies

Jennifer Halim
Cisco Employee

To be able to access the remote LAN via the site-to-site VPN from remote VPN Client, you would need to configure the following:

1) same-security-traffic permit intra-interface

2) If you have split tunnel configured for the VPN Client, you would need to add the remote LAN subnet in the split tunnel ACL.

3) Your site-to-site VPN crypto ACL needs to include the VPN Client pool subnet as the source subnet on your ASA with destination the remote LAN. And the mirror image ACL needs to be configured on the remote ASA.

4) The remote ASA also needs to configure NAT exemption for traffic destined towards the VPN Client pool.
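The four steps above as a configuration sketch. This is an added example, not configuration posted in the thread. It assumes pre-8.3 ASA NAT syntax, /24 masks on both LANs, a VPN client pool of 172.16.50.0/24, an inside interface named `inside`, and the hypothetical names SPLIT_TUNNEL, S2S_CRYPTO, NONAT and L2TP_POLICY.

```cisco
! ===== Local ASA (terminates the L2TP clients and the site-to-site tunnel) =====

! Step 1: allow traffic to enter and leave the same interface (hairpin),
! so client traffic arriving on the outside can go back out to the tunnel.
same-security-traffic permit intra-interface

! Step 2: only if split tunnelling is configured for the VPN clients.
! The remote LAN must be in the split tunnel list, otherwise clients
! never send 10.10.10.0/24 traffic into the VPN.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0
group-policy L2TP_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Step 3: the crypto ACL for the site-to-site tunnel must match the
! client pool as a source, in addition to the local LAN.
access-list S2S_CRYPTO extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list S2S_CRYPTO extended permit ip 172.16.50.0 255.255.255.0 10.10.10.0 255.255.255.0

! ===== Remote ASA (in front of 10.10.10.0/24) =====

! Step 3 (mirror image): same entries with source and destination swapped.
access-list S2S_CRYPTO extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list S2S_CRYPTO extended permit ip 10.10.10.0 255.255.255.0 172.16.50.0 255.255.255.0

! Step 4: exempt replies towards the client pool from NAT, otherwise
! return traffic is translated and no longer matches the crypto ACL.
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

Keeping the crypto ACL entries as narrow as the two LANs and the pool avoids encrypting, and exempting from NAT, more traffic than the hairpin path needs.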

Hello Jennifer Halim,

Many thanks for the reply, but it's not working because it is an MPLS connection between ASA and ASA, not a site-to-site (it's my fault).

Now the remote ASA is configured with NAT exemption for the traffic coming from the 192.168.0.0 subnet (while my VPN pool is within the range).

I have not configured split tunnel at all.

Now I permit same-security-traffic intra-interface,

but it is not working. Please help.

1) A network diagram might help, as I would need to know how your MPLS is connected.

2) A copy of the ASA configuration will also help.

Actually, the pool subnet should be configured with an entirely different subnet (unique subnet); it shouldn't be part of the internal subnet range.
