08-02-2007 10:55 AM
Another Remote Access VPN to Site-to-Site VPN Thread
Hello all, I'm trying to give my Cisco VPN Client remote users access to our branch office which is connected successfully to the main office via a site-to-site VPN tunnel.
VPN IP Pool: 10.0.2.0
Main Office: 10.0.1.0
Branch Office: 192.168.0.0
After reading the threads here I've implemented the following:
Head Firewall: (ASA5510, 7.1.2, 5.12)
same-security-traffic permit intra-interface
add vpn pool to interesting traffic on tunnel
add vpn pool to crypto access list
add branch network to split tunnel
Remote Firewall: (PIX 501, 6.3.5, 3.0.4)
add vpn pool to interesting traffic on tunnel
add vpn pool to crypto access list
add vpn pool to nat exemption acl
While viewing debug I can see the ASA building TCP connections to the branch office network, but I don't get any connection or action on the remote firewall.
Any ideas? Relevant configuration is attached.
08-02-2007 12:22 PM
The two statements below are the same acl.
add vpn pool to interesting traffic on tunnel
add vpn pool to crypto access list
The config looks ok to me. On the remote 501 you should have something like this
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto map newmap 10 match address 100
Is that about what you have?
Have you rebooted the 501?
Please rate helpful posts.
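The checklist in the original post and the ACLs in the reply above boil down to a consistency rule: the remote-access pool (10.0.2.0/24) must appear in the crypto ACL on both ends, in the NAT-exemption ACL on the branch PIX, in the split-tunnel list on the ASA, and the ASA needs `same-security-traffic permit intra-interface` so hairpinned VPN-to-VPN traffic is allowed. The following is an added example (not code from the thread, and not the poster's attached configuration) that parses PIX/ASA-style `access-list ... permit ip` lines and reports which of those conditions a given config fails. The two config strings are constructed samples; the branch one deliberately omits the pool from ACL 100 so the check has something to report. The function names (`parse_acls`, `covers`, `check_branch`, `check_head_end`, `run`) are this example's own, and the ACL names `outside_cryptomap` and `split_tunnel` are assumed.

```python
import ipaddress
import re

# Constructed sample head-end (ASA) config, modelled on the thread's checklist.
# ACL names outside_cryptomap / split_tunnel are assumptions for this example.
HEAD_END = """
same-security-traffic permit intra-interface
access-list outside_cryptomap extended permit ip 10.0.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.0.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list split_tunnel standard permit 10.0.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.0.0 255.255.255.0
"""

# Constructed sample branch (PIX 501) config. Deliberately incomplete: the VPN
# pool is missing from crypto ACL 100, the gap this check is meant to surface.
BRANCH = """
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
crypto map newmap 10 match address 100
"""

IP_ACE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
STD_ACE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")

POOL = ipaddress.ip_network("10.0.2.0/24")
MAIN = ipaddress.ip_network("10.0.1.0/24")
BRANCH_NET = ipaddress.ip_network("192.168.0.0/24")


def net(addr, mask):
    """Build a network from PIX-style 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]}.
    Standard (split-tunnel) ACEs carry only a source and are stored as (net, None)."""
    acls = {}
    for line in config.strip().splitlines():
        line = line.strip()
        m = IP_ACE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((net(s, sm), net(d, dm)))
            continue
        m = STD_ACE.match(line)
        if m:
            name, a, am = m.groups()
            acls.setdefault(name, []).append((net(a, am), None))
    return acls


def covers(entries, src, dst=None):
    """True if some ACE's source (and destination, when given) contains the flow."""
    for s, d in entries:
        if src.subnet_of(s) and (dst is None or (d is not None and dst.subnet_of(d))):
            return True
    return False


def check_branch(config, branch, pool, crypto_acl, nonat_acl):
    """Remote PIX: pool must be in the crypto ACL and the NAT-exemption ACL."""
    acls = parse_acls(config)
    findings = []
    if not covers(acls.get(crypto_acl, []), branch, pool):
        findings.append(f"crypto ACL {crypto_acl} lacks {branch} -> {pool}")
    if not covers(acls.get(nonat_acl, []), branch, pool):
        findings.append(f"NAT-exemption ACL {nonat_acl} lacks {branch} -> {pool}")
    if f"nat (inside) 0 access-list {nonat_acl}" not in config:
        findings.append(f"nat (inside) 0 does not reference {nonat_acl}")
    return findings


def check_head_end(config, main, branch, pool, crypto_acl, split_acl):
    """ASA: hairpinning enabled, pool in the crypto ACL, branch in the split-tunnel list."""
    acls = parse_acls(config)
    findings = []
    if "same-security-traffic permit intra-interface" not in config:
        findings.append("same-security-traffic permit intra-interface missing (no hairpinning)")
    if not covers(acls.get(crypto_acl, []), pool, branch):
        findings.append(f"crypto ACL {crypto_acl} lacks {pool} -> {branch}")
    if not covers(acls.get(split_acl, []), branch):
        findings.append(f"split-tunnel ACL {split_acl} lacks {branch}")
    return findings


def run():
    """Run both checks against the constructed samples; empty list means OK."""
    return {
        "head_end": check_head_end(HEAD_END, MAIN, BRANCH_NET, POOL, "outside_cryptomap", "split_tunnel"),
        "branch": check_branch(BRANCH, BRANCH_NET, POOL, "100", "nonat"),
    }


if __name__ == "__main__":
    for device, findings in run().items():
        print(device, findings or "OK")
```

Running it reports the branch crypto ACL as the one place the pool is missing, which is the sort of mismatch that shows up exactly as described in the question: the ASA debug shows it building connections toward the branch, while the PIX never sees interesting traffic for that flow and so does nothing.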
08-02-2007 12:38 PM
..and here's the doc depicting your exact situation.
Please rate helpful posts.
08-02-2007 01:12 PM
Reload of the 501 was a good call. I'm pretty sure that fixed it.
Thanks!