AnyConnectVPN users cannot access remote office over site-to-site vpn

tmmooney81
Level 1

Hello-

we have two ASA 5510s one in 8.4(4) and one in 8.2(5) in a site-to-site VPN setup. All internal traffic is working smoothly.

Site/Subnet A: 192.160.0.0 - local (8.4(4))
Site/Subnet B: 192.260.0.0 - remote (8.2(5))
VPN Users: 192.160.40.0 - assigned by ASA

When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.

Site B, however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc. are not reachable by ping or otherwise.

There are also some weird NAT rules that I am not happy with that were created after I upgraded the Site A ASA to 8.4.

Site A internal: 192.160.x.x     External: 55.55.555.201(main)/202(mail)

Site B (over site-to-site) is 192.260.x.x     External: 66.66.666.54(all)

I pretty much just have the basic NAT rules for VPN, Email, Internet and the site-to-site.

What do I need to add for the VPN to be able to access the site-to-site network?

Here is my NAT config:

nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
object network DMZ_Network
 nat (DMZ,Outside) dynamic interface
object network DOMAIN_LOCAL
 nat (inside,Outside) dynamic interface
object network EXCHANGE_Exchange
 nat (any,any) static Outside_Mail
object network DOMAINCTRL_DHCP
 nat (inside,Outside) static interface service tcp ftp ftp

Thank you very much in advance, and I hope I have been thorough enough.

Let me know if you need anything else. Thanks!!

Accepted Solution

Theo,

You do not need any NAT rules on the outside (according to your config) .

You basically need to add the VPN pool to the L2L traffic and the remote network to the split-tunneling ACL (if configured), also the "same-security-traffic permit intra-interface".

Please let me know.

Thanks.
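As an added example (not from the original post or the accepted answer), this is what the three changes in the answer look like on each ASA, written with the object names from the posted NAT config. The ACL names (Outside_cryptomap, SPLIT_TUNNEL, NO_NAT), the group-policy name (ANYCONNECT_GP) and the assumption that Site B exempts its LAN-to-LAN traffic from NAT with a nat 0 ACL are mine; the page's addresses are obfuscated (192.260.x.x is not a valid IPv4 prefix), so the Site B prefix is a placeholder to be replaced with the real network.

```cisco
! ===== Site A, ASA 5510 running 8.4(4) (AnyConnect head end) =====
! 1) Interesting traffic for the L2L tunnel: the existing LAN-to-LAN entry plus the
!    AnyConnect pool. "Outside_cryptomap" is an assumed name; use the ACL your crypto
!    map already references.
access-list Outside_cryptomap extended permit ip object DOMAIN_LOCAL object DOMAIN_REMOTE
access-list Outside_cryptomap extended permit ip object VPN_Network object DOMAIN_REMOTE
!
! 2) A client packet arrives on Outside and has to leave on Outside again (into the
!    L2L tunnel). By default the ASA refuses to forward a flow back out the interface
!    it came in on, so the hairpin is dropped without this line.
same-security-traffic permit intra-interface
!
! 3) Split tunnelling (only if it is configured): the client encrypts only what is in
!    this list, so the remote LAN must be listed or the client sends it to the Internet
!    in the clear and it never reaches Site B.
!    192.260.0.0 is the page's obfuscated prefix; replace it with the real Site B network.
access-list SPLIT_TUNNEL standard permit 192.160.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 192.260.0.0 255.255.0.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! ===== Site B, ASA 5510 running 8.2(5) =====
! The crypto ACL must mirror Site A's entry for entry, so the pool is added as a
! destination here; mismatched proxy identities mean the second SA never comes up.
access-list Outside_cryptomap extended permit ip 192.260.0.0 255.255.0.0 192.160.0.0 255.255.0.0
access-list Outside_cryptomap extended permit ip 192.260.0.0 255.255.0.0 192.160.40.0 255.255.255.0
!
! 8.2-style NAT exemption (assumed: Site B already exempts LAN-to-LAN traffic with a
! nat 0 ACL, name assumed). Replies to the pool must be exempted as well, otherwise the
! Internet PAT rule rewrites their source and they do not match the tunnel.
access-list NO_NAT extended permit ip 192.260.0.0 255.255.0.0 192.160.0.0 255.255.0.0
access-list NO_NAT extended permit ip 192.260.0.0 255.255.0.0 192.160.40.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
```

After changing a crypto ACL, clear the existing SAs to the peer (clear crypto ipsec sa peer <Site B address>) so the new proxy identities are negotiated, then check on Site A with show crypto ipsec sa peer <Site B address> that a separate SA exists for the 192.160.40.0/24 local identity and that both the encaps and decaps counters increase while a client pings Site B. packet-tracer input Outside icmp <pool address> 8 0 <Site B host> shows where a failing flow stops: at the intra-interface check, at a NAT rule (the posted 8.4 rules do not match Outside-sourced traffic, so no NAT exemption is needed there), or at the VPN encryption phase because the crypto ACL has no matching entry.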


3 Replies


Thanks! For some reason the ACL was not keeping my settings that I would enter. A complete rebuild of the tunnel did the trick and kept the ACL updates. Must be related to the 8.2 - 8.4 upgrade. Thanks for pointing that out... I looked right through it, thinking they were set.

Theo,

Perfect news

Look forward to hearing back from you in the future!

Have a good one.