Remote-access VPN and S2S VPN

john
Level 1

Remote-access users aren't able to reach our remote network through a site-to-site VPN tunnel between two ASA 5505s.

I've seen several threads about that here, and I've run through the walkthrough at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml ... I've taken a stab at setting split tunnelling and NAT exemption, but it seems I'm still missing something. Remote-access users can reach the main site, but not the remote site.

Remote-access (vpn-houston) uses 192.168.69.0/24.

The main site (houston) uses 10.0.0.0/24

The remote site (lugoff) uses 10.0.1.0/24

Could I get some fresh eyes on my configs and maybe point out where I've gone wrong?

Thanks ...

5 Replies

Roman Rodichev
Level 7

At first glance, you are missing "same-security-traffic permit intra-interface" in houston.

You are also missing this in houston:

access-list nonat extended permit ip vpn-houston 255.255.255.0 lugoff 255.255.255.0

And this:

access-list outside_cryptomap_1 extended permit ip vpn-houston 255.255.255.0 lugoff 255.255.255.0

And you need to remove the second, unnecessary crypto map 3 from lugoff; remove these:

no crypto map outside_map 3 match address outside_cryptomap_3

no crypto map outside_map 3 set pfs

no crypto map outside_map 3 set peer 75.148.248.81

no crypto map outside_map 3 set transform-set ESP-3DES-SHA

Let us know how it goes.

All good points. I followed your suggestions, but somehow the situation is the same...

I've also compared my configs to configs online that supposedly work, but I still can't tell what's going wrong. I'm convinced it's something dumb and tiny I've overlooked after trying at this for so long...

Latest configs attached. Thanks so much for the help...

andamani
Cisco Employee

Hi,

Please remove the following statements from the config:

Houston ASA:

access-list nonat extended permit ip lugoff 255.255.255.0 vpn-houston 255.255.255.0

Lugoff ASA:

access-list inside_nat0_outbound extended permit ip vpn-houston 255.255.255.0 10.0.1.0 255.255.255.0

Bounce the tunnel once, both the RA VPN and the L2L tunnel, and try accessing the 10.0.1.0/24 network from the RA VPN.

Let me know how it goes.

Hope this helps.

Regards,

Anisha

P.S.: Please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
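Pulling Roman's and Anisha's points together, here is what the relevant pieces of the two configs look like once the RA pool is allowed to hairpin out the outside interface into the L2L tunnel. This is an added illustration, not the poster's attached configs; interface names, ACL and group-policy names, ASA 8.2-style NAT syntax and the PUBLIC-IP placeholders are assumptions.

```cisco
! houston ASA (main site) -- added example, not the poster's config
! Assumed: interfaces "inside"/"outside", 8.2-style NAT, names as below
name 192.168.69.0 vpn-houston
name 10.0.1.0 lugoff
! RA traffic enters on outside and leaves on outside via the L2L tunnel;
! without this the ASA drops same-interface (hairpinned) traffic
same-security-traffic permit intra-interface
! NAT exemption: one entry per flow that must cross a tunnel untranslated
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 vpn-houston 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 lugoff 255.255.255.0
access-list nonat extended permit ip vpn-houston 255.255.255.0 lugoff 255.255.255.0
nat (inside) 0 access-list nonat
! the vpn-houston -> lugoff flow arrives on outside, so exempt it there too
nat (outside) 0 access-list nonat
! Interesting traffic for the L2L tunnel: LAN and RA pool, both toward lugoff
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 lugoff 255.255.255.0
access-list outside_cryptomap_1 extended permit ip vpn-houston 255.255.255.0 lugoff 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer LUGOFF-PUBLIC-IP
crypto map outside_map 1 set transform-set ESP-3DES-SHA
! Split tunnel: RA clients must send BOTH sites' prefixes into the tunnel
access-list split_tunnel standard permit 10.0.0.0 255.255.255.0
access-list split_tunnel standard permit 10.0.1.0 255.255.255.0
group-policy vpn-houston-policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
!
! lugoff ASA (remote site) -- mirror image of houston's crypto ACL and NAT exemption
name 192.168.69.0 vpn-houston
access-list outside_cryptomap_1 extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.1.0 255.255.255.0 vpn-houston 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 vpn-houston 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! one crypto map entry per peer; a second entry for the same peer only causes mismatches
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer HOUSTON-PUBLIC-IP
crypto map outside_map 1 set transform-set ESP-3DES-SHA
! verify after clearing the tunnels: "show crypto ipsec sa" should list a
! vpn-houston <-> lugoff SA with non-zero encaps/decaps counters on both ASAs
```

The reversed entries Anisha asked to remove (lugoff -> vpn-houston on houston, vpn-houston -> 10.0.1.0 on lugoff) are deliberately absent: each side only exempts flows whose source sits behind the interface the nat 0 statement is bound to.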

Removed those two lines... no change. :/

Rebooted both routers. SUCCESS!

Thanks to both of you. My squirrelly config and then unneeded nonat entries appear to have been the problem.

Thanks so much!