cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
737
Views
0
Helpful
1
Replies

Cannot for the life of me get remote VPN clients to be able to use site to site VPNs (ASA 5506's)

Pete Johnstone
Level 1
Level 1

So this has been going on for weeks now, I have a client that we set up with two ASA 5506's to add to the one that they already had configured.  All 3 are in separate physical locations, site to site VPN's are established and working.

All three ASA's are also configured for remote VPN clients, and all of them can be accessed via Anyconnect, IPSec client, etc. and gain access to the network behind whichever ASA they connect to. 

However, when connected via VPN clients cannot connect to the other sites, in other words they can't use the site to site VPN tunnels from their client.  If they were to ssh into a machine on the internal network, they could then access remote machines via the site to site VPN, hence the site to site VPN's work fine for anything coming from the internal networks.

Hairpinning is enabled, however I've been troubleshooting this for more hours than I can even remember, and have spent a little time with Cisco support whose suggestions have not helped either up to this point (have been unable to get in touch with them today, will continue trying).  This is such a time critical thing and has been going on for so long with no end in sight, that I'm desperately looking for help anywhere I can get it at this point, hence the post.

Here's what I think are relevant pieces of the config on the one ASA I'm trying to get working (it's not being used so I can work on it without fear of disrupting anyone).:

Inside network (Site1):  192.168.0.0

VPN/Anyconnect pool (Site1):  192.168.1.0

Remote Network (Site2): 192.168.2.0

same-security-traffic permit intra-interface

access-list Split_Tunnel extended permit ip object-group SplitTunnel any

object-group network SplitTunnel

network-object 192.168.0.0 255.255.255.0

network-object 192.168.1.0 255.255.255.0

access-list L2LSite1ToSite2 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list L2LSite1ToSite2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (outside,outside) source static Site1_VPN_Pool Site1_VPN_Pool destination static Site2_network Site2_network no-proxy-arp route-lookup

I "think" this is the important stuff regarding my issue, if you need more of the config I'm happy to provide more.  Essentially the only thing Cisco support has suggested so far was adding the above nat (outside,outside) statement, as I did not have that in there initially.  Unfortunately it didn't fix the issue, but it needed to be in there I guess.

1 Accepted Solution

Accepted Solutions

Rahul Govindan
VIP Alumni
VIP Alumni

Your split tunnel is wrong from the above statement. It is missing the remote network - 192.168.2.0/24. Without this, the client won't even send that traffic to the ASA.

View solution in original post

1 Reply 1

Rahul Govindan
VIP Alumni
VIP Alumni

Your split tunnel is wrong from the above statement. It is missing the remote network - 192.168.2.0/24. Without this, the client won't even send that traffic to the ASA.