5506W-x unable to access sites across site-to-site VPNs

ereinoehl1
Level 1

I replaced a 5505 with a 5506W. I reconfigured the site-to-site VPN on the 5506 and the inside network can access 2 remote offices across the VPNs, but the wireless network on the 5506 can only access the inside network and the Internet. I created network objects for the networks at each of the sites and used them in the VPNs, but the wireless can still only access the inside network at its site.

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address x.x.x.x 255.x.x.x
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.95.1 255.255.255.0
!

interface GigabitEthernet1/9
 nameif wifi
 security-level 100
 ip address 192.168.85.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Main1-Data
 subnet 10.1.0.0 255.255.0.0
object network Main1-Wireless
 subnet 10.2.5.0 255.255.255.0
object network Remote2-Data
 subnet 192.168.95.0 255.255.255.0
object network Remote2-Wireless
 subnet 192.168.85.0 255.255.255.0
object network Main1-Voice
 subnet 10.2.1.0 255.255.255.0
object network Remote1-Data
 subnet 192.168.96.0 255.255.255.0
object network Remote1-voice
 subnet 10.200.96.0 255.255.255.0

object-group network Main1-All
 network-object object Main1-Data
 network-object object Main1-Voice
 network-object object Main1-Wireless
object-group network Remote2-All
 network-object object Remote2-Data
 network-object object Remote2-Wireless
object-group network Remote1-All
 network-object object Remote1-Data
 network-object object Remote1-voice
access-list outside_access_in extended permit icmp any any
access-list outside_cryptomap extended permit ip object-group Remote2-All object-group Main1-All
access-list outside_cryptomap_2 extended permit ip object-group Remote2-All object-group Remote1-All

pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
mtu wifi 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Remote2-All Remote2-All destination static Main1-All Main1-All no-proxy-arp route-lookup
nat (inside,outside) source static Remote2-All Remote2-All destination static Remote1-All Remote1-All no-proxy-arp route-lookup

!
nat (inside,outside) after-auto source dynamic any interface
nat (wifi,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside

Accepted Solutions

carlguer
Level 1

Hello ereinoehl1,

I think that you are only missing the following NAT:

nat (wifi,outside) source static Remote2-Wireless Remote2-Wireless destination static Main1-All Main1-All no-proxy-arp route-lookup

Please let me know if that works.

Regards, 

-Javier- 

2 Replies

That was it. Thanks Javier, it looks like I may have been overlooking/overthinking this.
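
The check behind the accepted answer, as an added example that is not part of the original thread: a subnet listed in a crypto ACL also needs an identity NAT on the interface it sits behind, otherwise its traffic falls through to the `after-auto` dynamic PAT rule and no longer matches the tunnel's ACL. The function name `missing_nat_exemptions` is hypothetical, the sample config is constructed from the one posted above, and crypto ACLs are assumed to be the ones whose name contains `cryptomap`.

```python
import ipaddress
import re
# Constructed sample, abridged from the thread's config (redacted outside interface left out).
CONFIG = """\
interface GigabitEthernet1/2
 nameif inside
 ip address 192.168.95.1 255.255.255.0
interface GigabitEthernet1/9
 nameif wifi
 ip address 192.168.85.1 255.255.255.0
object network Remote2-Data
 subnet 192.168.95.0 255.255.255.0
object network Remote2-Wireless
 subnet 192.168.85.0 255.255.255.0
object-group network Remote2-All
 network-object object Remote2-Data
 network-object object Remote2-Wireless
access-list outside_cryptomap extended permit ip object-group Remote2-All object-group Main1-All
access-list outside_cryptomap_2 extended permit ip object-group Remote2-All object-group Remote1-All
nat (inside,outside) source static Remote2-All Remote2-All destination static Main1-All Main1-All no-proxy-arp route-lookup
nat (inside,outside) source static Remote2-All Remote2-All destination static Remote1-All Remote1-All no-proxy-arp route-lookup
"""

def missing_nat_exemptions(cfg):
    """Return (interface, local subnet, remote group) tuples that lack an identity NAT."""
    def net(addr, mask):
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    ifaces = {n: net(a, m) for n, a, m in re.findall(
        r"^ nameif (\S+)\n(?: .*\n)*? ip address (\S+) (\S+)", cfg, re.M)}
    objs = {n: net(a, m) for n, a, m in re.findall(
        r"^object network (\S+)\n subnet (\S+) (\S+)", cfg, re.M)}
    groups = {m[1]: re.findall(r"network-object object (\S+)", m[2]) for m in
              re.finditer(r"^object-group network (\S+)\n((?: .*\n)+)", cfg, re.M)}
    # Assumption: crypto ACLs are the ones whose name contains "cryptomap", as in the thread.
    acls = re.findall(r"^access-list \S*cryptomap\S* extended permit ip "
                      r"object-group (\S+) object-group (\S+)", cfg, re.M)
    nats = re.findall(r"^nat \((\S+),outside\) source static (\S+) \2 "
                      r"destination static (\S+) \3(?!\S)", cfg, re.M)
    def expand(name):  # object or object-group name -> list of networks
        return [objs[o] for o in groups.get(name, [name]) if o in objs]
    missing = []
    for src, dst in acls:
        for subnet in expand(src):
            iface = next((i for i, n in ifaces.items() if subnet.subnet_of(n)), None)
            exempt = any(i == iface and d == dst and any(subnet.subnet_of(s) for s in expand(g))
                         for i, g, d in nats)
            if iface and not exempt:
                missing.append((iface, str(subnet), dst))
    return missing
```

Run against the sample, it reports the wifi subnet once for each tunnel whose crypto ACL covers it, since every exemption in the posted config is bound to `(inside,outside)`.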