Cisco ASA5505 VPN remote-access user cannot connect to other site-to-site subnet

cmorley
Level 1

Hi, I am connecting to an ASA5505 from home to the head-office using L2TP VPN.

Head-office then has a connection to other-office via a site-to-site IPSEC tunnel.

When in the head-office (192.168.100.0/24) I can ping/access remote-office (192.168.200.0/24) OK.

When connected remotely to head-office, I can ping/access head-office OK from the road-warrior laptop.

My problem is that when connected remotely from home to the head-office I cannot ping/access the other-office subnet.

On the home laptop the L2TP VPN connection is set to route all traffic to the VPN connection using the HQ as the internet gateway; I can confirm this works.

I can't do a traceroute (I get timeouts) as my policy doesn't allow it, and I'm not sure how to enable this properly on the ASA.

Any ideas what is wrong?

Thanks in advance, config is below:

names
name 192.168.200.0 othersite
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 34.35.36.3 255.255.255.252
!
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 othersite 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 othersite 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 192.168.100.0 255.255.255.0
access-list outside_in_acl extended permit icmp any any echo-reply
access-list outside_in_acl extended permit tcp any interface outside eq smtp
ip local pool VPNLAN 192.168.100.210-192.168.100.240 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.100.0 255.255.255.0
nat (outside) 1 192.168.100.0 255.255.255.0
static (inside,outside) tcp interface smtp 192.168.100.3 smtp netmask 255.255.255.255
access-group outside_in_acl in interface outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.100.3
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNLAN
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group 40.35.36.122 type ipsec-l2l
tunnel-group 40.35.36.122 ipsec-attributes
 pre-shared-key *****
1 Reply

Greetings,

To accomplish this please make the following changes:

1- Add a NONAT entry on the outside interface to avoid the NAT translation (nat (outside) 1 192.168.100.0 255.255.255.0); this NAT will include an access-list permitting traffic from the VPN pool to the remote LAN-to-LAN network.

2- Add the remote network to the VPN Split-ACL.

Please check this out:


access-list nonat_outside permit ip 192.168.100.0 255.255.255.0 remote_network netmask

nat (outside) 0 access-list nonat_outside

!

access-list DefaultRAGroup_splitTunnelAcl_1 standard permit remote_network netmask

Let me know

* Please rate any post that you find helpful.
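The two changes from the reply, filled in with the values from the posted config (othersite is the name the config defines for 192.168.200.0, and the VPN pool lives inside 192.168.100.0/24), together with the prerequisites already present and a packet-tracer check to confirm the path. This is an added example, not the replier's own configuration; the host 192.168.200.10 used in the check is an assumed address on the other-office LAN.

```cisco
! Added example: the reply's two changes with this config's values.
! othersite = 192.168.200.0 (from the "name" statement in the posted config).

! 1) Exempt VPN-pool -> other-office traffic from the nat (outside) 1 PAT rule,
!    so it is sent into the site-to-site tunnel with its original source address.
access-list nonat_outside extended permit ip 192.168.100.0 255.255.255.0 othersite 255.255.255.0
nat (outside) 0 access-list nonat_outside

! 2) Tell the L2TP clients to send other-office traffic through the VPN.
!    (With "route all traffic" set on the client this is already the case,
!    but the split list is what a tunnelspecified policy hands out.)
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit othersite 255.255.255.0

! Prerequisites that are already in the posted config, no change needed:
! - same-security-traffic permit intra-interface: remote-access traffic enters
!   and leaves the same "outside" interface (hairpin), which this permits.
! - outside_1_cryptomap already matches 192.168.100.0/24 -> othersite, and the
!   VPNLAN pool (192.168.100.210-240) falls inside that /24, so the L2L crypto
!   ACL does not need a new line. The other-office peer's crypto ACL must mirror it.

! Verification: simulate an echo request from a pool address to the assumed host
! and confirm the NAT-exempt and VPN phases show ALLOW, then check the L2L SA.
! packet-tracer input outside icmp 192.168.100.210 8 0 192.168.200.10
! show crypto ipsec sa peer 40.35.36.122
```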
