08-02-2011 07:50 AM
Hi,
I am able to connect to my ASA5510 via the remote VPN client. I can also access the inside network, but I am not able to access the network across the tunnel.
please suggest
thanks
08-02-2011 08:04 AM
PLEASE HAVE A LOOK AT THE CONFIG
tunnel-group Remotevpn type remote-access
tunnel-group Remotevpn general-attributes
address-pool VPN_POOL
default-group-policy Remotevpn
tunnel-group Remotevpn ipsec-attributes
pre-shared-key *
group-policy Remotevpn internal
group-policy Remotevpn attributes
wins-server value 192.14.1.1
dns-server value 192.14.1.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
default-domain value corporation.com
client-access-rule none
group-policy any internal
group-policy any attributes
vpn-tunnel-protocol l2tp-ipsec svc
split-tunnel-network-list value split_any
address-pools value VPN_POOL
ip local pool VPN_POOL 192.14.1.30-192.14.1.50 mask 255.255.255.0
access-list test_splitTunnelAcl standard permit 192.14.1.0 255.255.255.0
access-list test_splitTunnelAcl standard permit 192.15.1. 255.255.0.0 (NETWORK ACROSS TUNNEL)
08-04-2011 03:27 AM
It will be simpler to change the ACL like this:
access-list test_splitTunnelAcl extended permit ip 192.14.1.0 255.255.255.0 192.15.0.0 255.255.0.0
However, this is probably not the cause of your problem.
You also need to make sure this traffic is exempted from the nat process:
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/cfgnat.html
regards,
Leo
08-07-2011 01:32 PM
This sounds like a nonat issue. Can you please post the NAT configuration?
You did create the statements to not NAT the traffic going over the tunnel, correct?
Sent from Cisco Technical Support iPad App
08-21-2011 09:03 PM
Hi,
Please check the following points:
1- The remote network is defined in the split-tunneling ACL, which is a standard ACL.
2- If there are no NAT settings on the outside interface (the VPN termination interface), then no NONAT rule is required.
3- Make sure that traffic from the VPN pool to the remote network is allowed to traverse the LAN-to-LAN tunnel; both sides of the tunnel should have this traffic defined in the encryption domain.
4- The remote FW should include the traffic from its internal network to the VPN pool in the NONAT rule.
5- Make sure you have the "same-security-traffic permit intra-interface" command to allow u-turning.
6- In order to ping without the need for any extra ACL on the outside interface, please add ICMP inspection.
Please review them and let me know what your thoughts are.
Thanks in advance.
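Added example, not part of this thread or of any Cisco tool: a small Python script that walks the checklist above over ASA-style configuration text and reports which points are satisfied. The two configs inside it are constructed for the example, modelled on the addresses in the original post (pool 192.14.1.30-50, remote network 192.15.0.0/16); the ACL names `l2l_acl` and `outside_nat0`, the `nat (outside) 0 access-list` exemption form (pre-8.3 syntax) and the crypto map name are assumptions made for the example.

```python
"""Check ASA-style config text against the hairpin-VPN checklist from the thread.

Points covered: split-tunnel ACL is standard and includes the remote network,
a NAT exemption covers pool -> remote, the LAN-to-LAN crypto ACL covers
pool -> remote, and same-security-traffic intra-interface is enabled.
"""
from ipaddress import ip_address, ip_network

REMOTE_NET = ip_network("192.15.0.0/16")  # network across the L2L tunnel (from the thread)

# Constructed "before" config modelled on the original post: the split-tunnel
# ACL misses the remote network, there is no NAT exemption and no
# intra-interface permit. ACL/crypto-map names are assumptions for this example.
BEFORE = """
ip local pool VPN_POOL 192.14.1.30-192.14.1.50 mask 255.255.255.0
access-list test_splitTunnelAcl standard permit 192.14.1.0 255.255.255.0
access-list l2l_acl extended permit ip 192.14.1.0 255.255.255.0 192.15.0.0 255.255.0.0
group-policy Remotevpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl
crypto map outside_map 10 match address l2l_acl
"""

# Constructed "after" config with the fixes the replies suggest. The NAT
# exemption uses the pre-8.3 ``nat (interface) 0 access-list`` form (assumption).
AFTER = BEFORE + """
access-list test_splitTunnelAcl standard permit 192.15.0.0 255.255.0.0
access-list outside_nat0 extended permit ip 192.14.1.0 255.255.255.0 192.15.0.0 255.255.0.0
nat (outside) 0 access-list outside_nat0
same-security-traffic permit intra-interface
"""


def _net(addr, mask):
    return ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Extract the pieces the checklist needs from ASA-style config lines."""
    cfg = {"acls": {}, "pool": None, "split_acl": None,
           "nat0_acls": set(), "crypto_acls": set(), "intra_interface": False}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and len(tok) >= 6 and tok[3] == "permit":
            acl = cfg["acls"].setdefault(tok[1], {"type": tok[2], "entries": []})
            if tok[2] == "standard":            # permit <net> <mask>
                acl["entries"].append((_net(tok[4], tok[5]), None))
            elif len(tok) >= 9:                 # permit <proto> <src> <mask> <dst> <mask>
                acl["entries"].append((_net(tok[5], tok[6]), _net(tok[7], tok[8])))
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            cfg["pool"] = (ip_address(lo), ip_address(hi))
        elif tok[:2] == ["split-tunnel-network-list", "value"]:
            cfg["split_acl"] = tok[2]
        elif tok[0] == "nat" and len(tok) >= 5 and tok[2] == "0" and tok[3] == "access-list":
            cfg["nat0_acls"].add(tok[4])
        elif tok[:2] == ["crypto", "map"] and "address" in tok:
            cfg["crypto_acls"].add(tok[tok.index("address") + 1])
        elif raw.strip() == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
    return cfg


def _acl_permits(cfg, name, pool, remote):
    """True if extended ACL `name` has an entry covering the whole pool -> remote."""
    acl = cfg["acls"].get(name)
    if not acl or pool is None:
        return False
    return any(dst is not None and pool[0] in src and pool[1] in src and remote.subnet_of(dst)
               for src, dst in acl["entries"])


def check_hairpin(text, remote=REMOTE_NET):
    """Return a dict of checklist point -> bool for the given config text."""
    cfg = parse_config(text)
    pool = cfg["pool"]
    split = cfg["acls"].get(cfg["split_acl"])
    return {
        "split_tunnel_covers_remote": bool(split) and split["type"] == "standard"
            and any(remote.subnet_of(src) for src, _ in split["entries"]),
        "nat_exempt_pool_to_remote": any(_acl_permits(cfg, n, pool, remote) for n in cfg["nat0_acls"]),
        "crypto_acl_pool_to_remote": any(_acl_permits(cfg, n, pool, remote) for n in cfg["crypto_acls"]),
        "intra_interface_permitted": cfg["intra_interface"],
    }


if __name__ == "__main__":
    for label, cfg_text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_hairpin(cfg_text))
```

Running it shows the "before" config failing the split-tunnel, NAT exemption and intra-interface points while the crypto ACL already covers the pool, and the "after" config passing all four; the remote firewall's own NONAT rule (point 4) has to be checked on that device and is outside what this script can see.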