07-16-2012 04:24 PM
Hello-
we have two ASA 5510s one in 8.4(4) and one in 8.2(5) in a site-to-site VPN setup. All internal traffic is working smoothly.
Site/Subnet A: 192.160.0.0 - local (8.4(4))
Site/Subnet B: 192.260.0.0 - remote (8.2(5))
VPN Users: 192.160.40.0 - assigned by ASA
When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.
Site B, however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc. are not reachable by ping or otherwise.
There are also some weird NAT rules that I am not happy with that were created after I upgraded Site A ASA to 8.4
Site A internal: 192.160.x.x External: 55.55.555.201(main)/202(mail)
Site B (over site-to-site) is 192.260.x.x External: 66.66.666.54(all)
I pretty much just have the basic NAT rules for VPN, Email, Internet and the site-to-site.
What do I need to add for the VPN to be able to access the site-to-site network?
Here is my NAT config:
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
object network DMZ_Network
nat (DMZ,Outside) dynamic interface
object network DOMAIN_LOCAL
nat (inside,Outside) dynamic interface
object network EXCHANGE_Exchange
nat (any,any) static Outside_Mail
object network DOMAINCTRL_DHCP
nat (inside,Outside) static interface service tcp ftp ftp
Thank you much in advance and I hope I have been thorough enough.
Let me know if you need anything else. Thanks!!
07-16-2012 05:25 PM
Theo,
You do not need any NAT rules on the outside (according to your config).
You basically need to add the VPN pool to the L2L traffic and the remote network to the split-tunneling ACL (if configured), also the "same-security-traffic permit intra-interface".
Please let me know.
Thanks.
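The three items in this answer written out as configuration, as an added example that is not part of the thread or the answerer's own config. The object names DOMAIN_LOCAL, DOMAIN_REMOTE and VPN_Network come from the original post; every other name (L2L_CRYPTO_ACL, SPLIT_TUNNEL, RA_POLICY, NONAT) is assumed, and the subnets are RFC 5737 documentation ranges standing in for the thread's anonymized addresses. The Site B block goes one step beyond the answer: the far-end crypto ACL and the 8.2-style nat 0 exemption have to mirror the pool as well, otherwise the peer either drops the hairpinned flow as uninteresting traffic or PATs the return packets.

```cisco
! ---- Site A, ASA 8.4(4): let remote-access users reach the L2L network ----
! Object names from the thread; subnets are placeholders (assumption).
object network DOMAIN_LOCAL
 subnet 192.0.2.0 255.255.255.0
object network DOMAIN_REMOTE
 subnet 198.51.100.0 255.255.255.0
object network VPN_Network
 subnet 203.0.113.0 255.255.255.0
!
! 1. A VPN user's packet enters on Outside (RA tunnel) and must leave on
!    Outside again (L2L tunnel). Without this the ASA silently drops it.
same-security-traffic permit intra-interface
!
! 2. Interesting traffic for the L2L tunnel: local LAN AND the RA pool to the
!    remote LAN. L2L_CRYPTO_ACL is an assumed name; use the ACL already bound
!    to your crypto map entry.
access-list L2L_CRYPTO_ACL extended permit ip object DOMAIN_LOCAL object DOMAIN_REMOTE
access-list L2L_CRYPTO_ACL extended permit ip object VPN_Network object DOMAIN_REMOTE
!
! 3. Split-tunnel list for the RA group policy must include the remote LAN,
!    or the client never sends that traffic into the tunnel in the first place.
access-list SPLIT_TUNNEL standard permit 192.0.2.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 198.51.100.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! No extra NAT is needed on Site A: the existing identity NAT already exempts
! DOMAIN_LOCAL <-> VPN_Network and DOMAIN_LOCAL <-> DOMAIN_REMOTE, and nothing
! in the posted config translates Outside-to-Outside flows.

! ---- Site B, ASA 8.2(5): mirror the change on the far end (assumed names) ----
! 8.2 has no object NAT; exemption is nat 0 plus an ACL. The crypto ACL is the
! mirror image of Site A's, including the pool as a destination.
access-list L2L_CRYPTO_ACL extended permit ip 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list L2L_CRYPTO_ACL extended permit ip 198.51.100.0 255.255.255.0 203.0.113.0 255.255.255.0
access-list NONAT extended permit ip 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list NONAT extended permit ip 198.51.100.0 255.255.255.0 203.0.113.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

To check the result on Site A before asking a user to test, run `packet-tracer input Outside icmp 203.0.113.10 8 0 198.51.100.10` (pool host to remote host); the trace should show the VPN encrypt phase rather than a drop at the intra-interface or NAT stage. After a client connects, `show crypto ipsec sa peer <site B address>` should list a second proxy identity pair for the pool next to the existing LAN-to-LAN pair, and `show vpn-sessiondb` confirms the client received the split-tunnel list with the remote network in it. Note that the crypto ACLs on the two peers must be exact mirrors; a mismatched entry is one of the classic reasons a rebuilt tunnel "suddenly" works where an edited one did not.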
07-17-2012 12:06 PM
Thanks! For some reason the ACL was not keeping my settings that I would enter. A complete rebuild of the tunnel did the trick and kept the ACL updates. Must be related to the 8.2 - 8.4 upgrade. Thanks for pointing that out... I looked right through it, thinking they were set.
07-17-2012 12:10 PM
Theo,
Perfect news
Look forward to hearing back from you in the future!
Have a good one.