09-12-2010 05:47 PM
I have two ASA 5505's set up in a site-to-site VPN which works perfectly. Now I also need to have remote client VPN access with the Cisco VPN dialer to the 1st site. I can get the VPN dialer to connect to the VPN and get a VPN IP address, but I have no access to the remote network. Can someone take a look and see what I am missing? I have attached the ASA running config.
09-12-2010 06:00 PM
The configuration hasn't included VPN access from remote VPN client towards the remote network via the site-to-site VPN.
There are a few things that need to be added/modified to this ASA as follows:
Add the following:
access-list outside_20_cryptomap extended permit ip 10.10.20.0 255.255.255.0 192.168.100.0 255.255.255.0
same-security-traffic permit intra-interface
access-list DSILREMOTE_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
Modify the following:
no crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 1000 ipsec-isakmp dynamic outside_dyn_map
The VPN Client dynamic crypto map can't be on the lowest sequence number, hence updating it from seq# 10 to 1000.
On the remote ASA, you would need to also add the following:
1) Mirror image crypto ACL on the site-to-site VPN to include the above:
permit ip 192.168.100.0 255.255.255.0 10.10.20.0 255.255.255.0
2) NAT exemption ACL to include the following:
permit ip 192.168.100.0 255.255.255.0 10.10.20.0 255.255.255.0
Hope that helps.
09-12-2010 07:00 PM
Thanks for the reply.
I changed the Seq # on the dynamic map to 1000 and that has not seemed to do anything for me.
As for the 192.168.100.0 network, I do not need the remote VPN dialer users to get to that Network.
I have two sites:
Site 1 : 10.10.100.x
Site 2: 192.168.100.x
remote VPN users using the VPN Dialer need access to Site 1.
Right now, the Site to Site VPN between Site 1 and Site 2 works perfectly, the VPN Client will connect, but I cannot see Site 1 LAN devices, such as the server which is 10.10.100.25.
Any other suggestions?
09-13-2010 05:27 AM
Apologies for the misunderstanding.
To access the 10.10.100.x subnet from the remote VPN client, the vpn-filter ACL is the other way round.
Please kindly swap the following ACL:
FROM:
access-list outside_cryptomapVPN extended permit ip any 10.10.20.0 255.255.255.224
TO:
access-list outside_cryptomapVPN extended permit ip 10.10.20.0 255.255.255.224 any
Hope that helps.
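The two fixes in this thread (vpn-filter ACL written client-to-local, and the dynamic crypto map carrying a higher sequence number than the static site-to-site entry) can be checked mechanically before pasting a config. The following Python lint is an added example, not code from the thread or from Cisco; the `crypto map outside_map 20 match address ...` line is an assumed static entry modelled on the `outside_20_cryptomap` ACL name above, and the ASA syntax handled is limited to the line shapes shown in the thread.

```python
import ipaddress
import re

# Minimal patterns for the two ASA lines the thread turns on (assumed syntax, not a full parser).
ACL_RE = re.compile(r"^access-list (\S+) extended (?:permit|deny) \S+ (any|\S+ \S+) (any|\S+ \S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def _net(field):
    """'any' or 'addr mask' -> ip_network."""
    if field == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = field.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def vpn_filter_issues(config, acl_name, client_pool):
    """vpn-filter ACLs are written remote (client) -> local, so the address pool belongs
    in the source field; flag entries that put it in the destination instead."""
    pool, issues = ipaddress.ip_network(client_pool), []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            src, dst = _net(m.group(2)), _net(m.group(3))
            if dst.subnet_of(pool) and not src.subnet_of(pool):
                issues.append(f"{acl_name}: pool {pool} is the destination; swap src/dst")
    return issues

def dynamic_map_issues(config):
    """A dynamic crypto map entry must carry a higher sequence number than every
    static (site-to-site) entry in the same map, or it shadows them."""
    static, dynamic = {}, {}
    for line in config.splitlines():
        m = CMAP_RE.match(line.strip())
        if m:
            bucket = dynamic if m.group(3).startswith("ipsec-isakmp dynamic") else static
            bucket.setdefault(m.group(1), []).append(int(m.group(2)))
    return [f"crypto map {name} {seq}: dynamic entry below static seq {max(static.get(name, [0]))}"
            for name, seqs in dynamic.items() for seq in seqs if seq <= max(static.get(name, [0]))]

# Constructed fragments modelled on the thread; the 'match address' line is an assumed static entry.
BEFORE = """access-list outside_cryptomapVPN extended permit ip any 10.10.20.0 255.255.255.224
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 match address outside_20_cryptomap"""
AFTER = """access-list outside_cryptomapVPN extended permit ip 10.10.20.0 255.255.255.224 any
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 1000 ipsec-isakmp dynamic outside_dyn_map"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        found = vpn_filter_issues(cfg, "outside_cryptomapVPN", "10.10.20.0/27") + dynamic_map_issues(cfg)
        print(label, found or ["ok"])
```

Run against the "before" fragment it reports both problems; against the "after" fragment it reports none, which is the state the thread ends in.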
09-13-2010 09:46 AM
Perfect.... Thanks so much!