cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
889
Views
0
Helpful
4
Replies
bittoo
Beginner

remote access can not access the recources across the site to site tunnels

Hi,

i am able to connect to my ASA5510 via remote VPN client. i can also access the network inside but cound not able to get access the network across the tunnel.

please suggest

thanks

4 REPLIES 4
bittoo
Beginner

PLEASE HAVE LOOK AT THE CONFIG

tunnel-group Remotevpn type remote-access
tunnel-group Remotevpn general-attributes
address-pool VPN_POOL
default-group-policy Remotevpn
tunnel-group Remotevpn ipsec-attributes
pre-shared-key *

group-policy Remotevpn internal
group-policy Remotevpn attributes
wins-server value 192.14.1.1
dns-server value 192.14.1.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value

test_splitTunnelAcl
default-domain value corporation.com
client-access-rule none
group-policy any internal

group-policy any attributes
vpn-tunnel-protocol l2tp-ipsec svc
split-tunnel-network-list value split_any
address-pools value VPN_POOL

ip local pool VPN_POOL 192.14.1.30-192.14.1.50 mask 255.255.255.0

access-list test_splitTunnelAcl standard permit 192.14.1.0 255.255.255.0
access-list test_splitTunnelAcl standard permit 192.15.1. 255.255.0.0(NETWORK ACROSS TUNNEL)

It will be sinpler to change the acl like this:

access-list test_splitTunnelAcl extended permit 192.14.1.0 255.255.255.0 192.15.0.0 255.255.0.0

However, this is probably not the cause of your problem.

You also need to make sure this traffic is exempted from the nat process:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/cfgnat.html

regards,

Leo

This sounds like a nonat issue. Can you please post the NAT configuration?

You did create the statements to not NAT the traffic going over the tunnel, correct?

Sent from Cisco Technical Support iPad App

Hi,

Please check the following points:

1- The remote network is defined in the split-tunneling ACL, which is a standard ACL.

2- If there is not NAT settings on the outside interface (VPN termination interface) then any NONAT rule is required.

3- Make sure that traffic from the VPN pool to the remote network is allowed to traverse the LAN-to-LAN tunnel, both sites of the tunnel should have this traffic defined in the encryption domain.

4- The remote FW should include the traffic from its internal network to the VPN pool in the NONAT rule.

5- Make sure you have the "same-security-traffic permit intra-interface" command to allow u-turning.

6- In order to ping without the need of any extra ACL on the outside interface please add the ICMP inspection.

Please review them and let me know what your thoughts are.

Thanks in advance.

Create
Recognize Your Peers
Content for Community-Ad