SSL VPN users cannot see across site-to-site

Foolproof
Level 1

We have an ASA 5510 at site A and ASA 5505 at site B, connected together using a site-to-site SSL VPN.

Site A has an internal IP range of 192.168.0.x

Site B has an internal IP range of 192.168.10.x

AnyConnect VPN users have an internal IP range of 192.168.50.x

The AnyConnect VPN goes via the 5510 at site A.

People at site A or B can see the alternate site fine internally, but those using the AnyConnect VPN cannot see site B, only site A.

I'm not particularly great with the CLI, so most of the management is done with the ASDM on both sites.

Does anyone have any suggestions as to what's causing this, or what I can do to resolve it?

I can post running configs of both sites if necessary.

Need to resolve this ASAP, as we're going to be relying on it a lot more in about a week!!

TIA

1 Reply

andrew.prince
Level 10

For encrypted traffic to enter an interface - to then be re-encrypted and exit the same interface requires explicit configuration.

1) Amend your site to site interesting traffic ACL to include the IP addresses assigned to SSL users.

2) Amend your site to site NAT rules to include the IP addresses assigned to the SSL users.

3) Configure "same-security-traffic permit intra-interface"

All the above can be done by the GUI.

HTH
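
The three steps in the reply above, written out as ASA CLI for the subnets in the question. This is an added example, not configuration from either poster. It assumes ASA software 8.3 or later, interfaces named `inside` and `outside`, and /24 masks; the ACL and object names are hypothetical, so substitute the ACL your crypto map already references. It also goes one step beyond the reply by showing the mirrored entries on site B, which the tunnel needs for the new subnet pair to negotiate.

```cisco
! ===== Site A: ASA 5510 (terminates AnyConnect and the tunnel to site B) =====

! Step 3: let traffic enter and leave the same interface (hairpin on outside)
same-security-traffic permit intra-interface

! Step 1: add the AnyConnect pool to the crypto (interesting traffic) ACL.
! S2S_TO_SITEB is a hypothetical name for the ACL the crypto map matches on.
! Existing entry, site A LAN to site B LAN:
access-list S2S_TO_SITEB extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
! New entry, AnyConnect pool to site B LAN:
access-list S2S_TO_SITEB extended permit ip 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0

! Step 2: exempt pool-to-site-B traffic from NAT. The traffic arrives on
! outside and leaves on outside, hence (outside,outside).
object network OBJ_ANYCONNECT_POOL
 subnet 192.168.50.0 255.255.255.0
object network OBJ_SITE_B_LAN
 subnet 192.168.10.0 255.255.255.0
nat (outside,outside) source static OBJ_ANYCONNECT_POOL OBJ_ANYCONNECT_POOL destination static OBJ_SITE_B_LAN OBJ_SITE_B_LAN no-proxy-arp route-lookup
! On pre-8.3 software the exemption is done with "nat 0 access-list" instead.

! ===== Site B: ASA 5505 (mirror of the above) =====

! Crypto ACL must mirror site A's, including the new pool entry.
! S2S_TO_SITEA is a hypothetical name.
access-list S2S_TO_SITEA extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list S2S_TO_SITEA extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0

! NAT exemption for replies from site B LAN back to the AnyConnect pool.
object network OBJ_SITE_B_LAN
 subnet 192.168.10.0 255.255.255.0
object network OBJ_ANYCONNECT_POOL
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static OBJ_SITE_B_LAN OBJ_SITE_B_LAN destination static OBJ_ANYCONNECT_POOL OBJ_ANYCONNECT_POOL no-proxy-arp route-lookup
```

Once an AnyConnect client sends traffic to site B, `show crypto ipsec sa` on site A should list an additional SA whose local ident is 192.168.50.0/255.255.255.0 and whose remote ident is 192.168.10.0/255.255.255.0.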