Remote access cannot access the resources across the site-to-site tunnels

bittoo
Level 1

Hi,

I am able to connect to my ASA5510 via the remote VPN client. I can also access the inside network, but I cannot access the network across the tunnel.

please suggest

thanks

4 Replies

bittoo
Level 1

PLEASE HAVE A LOOK AT THE CONFIG

tunnel-group Remotevpn type remote-access
tunnel-group Remotevpn general-attributes
address-pool VPN_POOL
default-group-policy Remotevpn
tunnel-group Remotevpn ipsec-attributes
pre-shared-key *

group-policy Remotevpn internal
group-policy Remotevpn attributes
wins-server value 192.14.1.1
dns-server value 192.14.1.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
default-domain value corporation.com
client-access-rule none
group-policy any internal

group-policy any attributes
vpn-tunnel-protocol l2tp-ipsec svc
split-tunnel-network-list value split_any
address-pools value VPN_POOL

ip local pool VPN_POOL 192.14.1.30-192.14.1.50 mask 255.255.255.0

access-list test_splitTunnelAcl standard permit 192.14.1.0 255.255.255.0
access-list test_splitTunnelAcl standard permit 192.15.1. 255.255.0.0 (NETWORK ACROSS TUNNEL)

It will be simpler to change the ACL like this:

access-list test_splitTunnelAcl extended permit 192.14.1.0 255.255.255.0 192.15.0.0 255.255.0.0

However, this is probably not the cause of your problem.

You also need to make sure this traffic is exempted from the nat process:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/cfgnat.html

regards,

Leo

This sounds like a nonat issue. Can you please post the NAT configuration?

You did create the statements to not NAT the traffic going over the tunnel, correct?

Sent from Cisco Technical Support iPad App

Hi,

Please check the following points:

1- The remote network is defined in the split-tunneling ACL, which is a standard ACL.

2- If there are no NAT settings on the outside interface (the VPN termination interface), then no NONAT rule is required.

3- Make sure that traffic from the VPN pool to the remote network is allowed to traverse the LAN-to-LAN tunnel; both sides of the tunnel should have this traffic defined in the encryption domain.

4- The remote FW should include the traffic from its internal network to the VPN pool in the NONAT rule.

5- Make sure you have the "same-security-traffic permit intra-interface" command to allow u-turning.

6- In order to ping without the need for any extra ACL on the outside interface, please add ICMP inspection.

Please review them and let me know what your thoughts are.

Thanks in advance.
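The checklist above pulled together as one ASA configuration fragment, added here as an example and not taken from any reply in the thread. It uses the pre-8.3 NAT syntax of the linked asa70 guide; the interface name outside, the crypto map OUTSIDE_MAP, the NONAT/crypto ACL names and PEER_IP_PLACEHOLDER are assumptions, while the addresses (inside 192.14.1.0/24, pool VPN_POOL 192.14.1.30-50, remote site 192.15.0.0/16) come from the thread.

```cisco
! Assumed names: interface "outside", crypto map OUTSIDE_MAP seq 10,
! ACLs OUTSIDE_NONAT / INSIDE_NONAT / L2L_CRYPTO, peer PEER_IP_PLACEHOLDER.
! Addresses are the ones posted in the thread.

! 1. Split-tunnel ACL (standard): every destination the client must encrypt,
!    including the network behind the LAN-to-LAN tunnel.
access-list test_splitTunnelAcl standard permit 192.14.1.0 255.255.255.0
access-list test_splitTunnelAcl standard permit 192.15.0.0 255.255.0.0

! 2. Let traffic enter and leave the same interface (client -> outside -> L2L peer).
same-security-traffic permit intra-interface

! 3. NAT exemption. Client traffic to the remote site arrives on outside, so the
!    exemption must be bound to the outside interface, not only to inside.
!    Because the pool 192.14.1.30-50 lies inside 192.14.1.0/24 on this page,
!    one /24 entry covers both the LAN and the VPN pool.
access-list OUTSIDE_NONAT extended permit ip 192.14.1.0 255.255.255.0 192.15.0.0 255.255.0.0
nat (outside) 0 access-list OUTSIDE_NONAT
access-list INSIDE_NONAT extended permit ip 192.14.1.0 255.255.255.0 192.15.0.0 255.255.0.0
nat (inside) 0 access-list INSIDE_NONAT

! 4. Encryption domain of the L2L tunnel: LAN and VPN pool to the remote site.
!    The remote firewall needs the mirror image (192.15.0.0/16 -> 192.14.1.0/24)
!    in its own crypto ACL and in its NONAT rule.
access-list L2L_CRYPTO extended permit ip 192.14.1.0 255.255.255.0 192.15.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer PEER_IP_PLACEHOLDER

! 5. ICMP inspection so ping replies return without an extra outside ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp

! Verification: after a client pings a 192.15.x.x host, the encaps/decaps counters
! for the 192.14.1.0/24 <-> 192.15.0.0/16 SA should both increase.
! show crypto ipsec sa peer PEER_IP_PLACEHOLDER
```

If the counters show encaps but no decaps, the return path is the remote side's crypto ACL or NONAT rule; if neither moves, the traffic is still being translated or dropped before the tunnel.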