cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1315
Views
0
Helpful
3
Replies

Can't access site-to-site VPN from remote VPN

benlemasurier
Level 1
Level 1

Internal Network:     192.168.0.0/16

Remote VPN Clients:   192.168.0.100-192.168.0.254

Remote (L2L) Network: 10.10.10.0/26


Remote VPN Clients are able to access the internal network without issue, but are unable to access the remote 10.10.10.0 network. Is there a way to debug this? `packet-tracer` show no issues..

1 Accepted Solution

Accepted Solutions

rizwanr74
Level 7
Level 7

Hi Ben,

Please create a no-nat on the outside interface, because your remote-vpn clients and remote-L2L tunnels are located on outside the interface (i.e. coming off the outside).  You have to treate your outside network same as your inside network, as you would create a no-nat for your inside networks.

The ACL you create for no-nat outside must be for both directions as below.

access-list outside_nat0 extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.192

access-list outside_nat0 extended permit ip 10.10.10.0 255.255.255.192 192.168.0.0 255.255.255.0

nat (outside) 0 access-list outside_nat0

same-security-traffic permit intra-interface

Pls let me know, if that helps.

Thanks

Rizwan Rafeek

View solution in original post

3 Replies 3

Jason Gervia
Cisco Employee
Cisco Employee

Is this on an ASA or a router? 

At a minimum, you would need the following:

1)  If using split tunneling - the 10.10.10.0/26 network needs to be put in the split tunnel ACL so the clients get a route to the 10.10.10.0/26 network.

2)  make sure 192.168.0.100-0.254 are allowed across the L2L tunnel (assuming you are not allowing the 192.168.0.0/16 across the tunnel and are only allowing specific networks)

3)  If this is an ASA, make sure you have the 'same-security-traffic permit intra-interface' to allow traffic to go in and out the same interface - assuming your remote access clients and L2L tunnel are terminating on the same interface

4)  Make sure there are no NAT issues with traffic going from the VPN clients to the 10.10.10.0/26 network

5)   Check any access-control lists.

rizwanr74
Level 7
Level 7

Hi Ben,

Please create a no-nat on the outside interface, because your remote-vpn clients and remote-L2L tunnels are located on outside the interface (i.e. coming off the outside).  You have to treate your outside network same as your inside network, as you would create a no-nat for your inside networks.

The ACL you create for no-nat outside must be for both directions as below.

access-list outside_nat0 extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.192

access-list outside_nat0 extended permit ip 10.10.10.0 255.255.255.192 192.168.0.0 255.255.255.0

nat (outside) 0 access-list outside_nat0

same-security-traffic permit intra-interface

Pls let me know, if that helps.

Thanks

Rizwan Rafeek

HI Rizwan,

That's basically exactly what I needed: