I am able to connect to my ASA5510 via the remote VPN client. I can also access the inside network but could not get access to the network across the tunnel.
PLEASE HAVE A LOOK AT THE CONFIG
tunnel-group Remotevpn type remote-access
tunnel-group Remotevpn general-attributes
 address-pool VPN_POOL
 default-group-policy Remotevpn
tunnel-group Remotevpn ipsec-attributes
 pre-shared-key *
group-policy Remotevpn internal
group-policy Remotevpn attributes
 wins-server value 220.127.116.11
 dns-server value 18.104.22.168
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl
 default-domain value corporation.com
 client-access-rule none
group-policy any internal
group-policy any attributes
 vpn-tunnel-protocol l2tp-ipsec svc
 split-tunnel-network-list value split_any
 address-pools value VPN_POOL
ip local pool VPN_POOL 22.214.171.124-126.96.36.199 mask 255.255.255.0
access-list test_splitTunnelAcl standard permit 188.8.131.52 255.255.255.0
access-list test_splitTunnelAcl standard permit 192.15.1. 255.255.0.0 (NETWORK ACROSS TUNNEL)
It will be simpler to change the ACL like this:
access-list test_splitTunnelAcl extended permit 184.108.40.206 255.255.255.0 220.127.116.11 255.255.0.0
However, this is probably not the cause of your problem.
You also need to make sure this traffic is exempted from the NAT process:
This sounds like a NONAT issue. Can you please post the NAT configuration?
You did create the statements to not NAT the traffic going over the tunnel, correct?
Sent from Cisco Technical Support iPad App
Please check the following points:
1- The remote network is defined in the split-tunneling ACL, which is a standard ACL.
2- If there are no NAT settings on the outside interface (VPN termination interface), then no NONAT rule is required.
3- Make sure that traffic from the VPN pool to the remote network is allowed to traverse the LAN-to-LAN tunnel; both sides of the tunnel should have this traffic defined in the encryption domain.
4- The remote FW should include the traffic from its internal network to the VPN pool in the NONAT rule.
5- Make sure you have the "same-security-traffic permit intra-interface" command to allow U-turning.
6- In order to ping without the need for any extra ACL on the outside interface, please add ICMP inspection.
Please review them and let me know what your thoughts are.
Thanks in advance.
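An added configuration example, not from the original thread, showing what points 1, 3, 5 and 6 of the checklist (plus the NAT exemption from point 2) look like on the ASA side. It assumes ASA 8.3 or later NAT syntax; the addresses, the object names VPN_POOL_NET and REMOTE_NET, and the crypto ACL name L2L_CRYPTO are placeholders.

```cisco
! Placeholder addressing (assumed, not taken from the thread)
object network VPN_POOL_NET
 subnet 10.10.10.0 255.255.255.0
object network REMOTE_NET
 subnet 10.20.0.0 255.255.0.0
!
! Point 1: the remote network must appear in the split-tunnel (standard) ACL
access-list test_splitTunnelAcl standard permit 10.20.0.0 255.255.0.0
!
! Point 5: clients arrive and leave on the same (outside) interface, so hairpinning must be permitted
same-security-traffic permit intra-interface
!
! Point 2: only needed if NAT is applied on the outside interface; exempt pool -> remote from NAT (twice NAT, ASA 8.3+)
nat (outside,outside) source static VPN_POOL_NET VPN_POOL_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup
!
! Point 3: the LAN-to-LAN crypto ACL must cover pool -> remote; the remote peer mirrors it (remote -> pool)
! Point 4 (remote side): the remote firewall needs the matching NAT exemption for remote -> pool
access-list L2L_CRYPTO extended permit ip 10.10.10.0 255.255.255.0 10.20.0.0 255.255.0.0
!
! Point 6: ICMP inspection lets echo replies return without an explicit outside ACL entry
policy-map global_policy
 class inspection_default
  inspect icmp
```

On pre-8.3 images the NAT exemption is written instead as a `nat (outside) 0 access-list <acl>` statement whose ACL permits pool -> remote.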