05-22-2011 03:51 PM - edited 02-21-2020 05:21 PM
Remote-access users aren't able to reach our remote network through a site-to-site VPN tunnel between two ASA 5505's.
I've seen several threads about that here, I've run through the walkthrough at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml ... I've taken a stab at setting split tunnelling and nat exemption, but it seems I'm still missing something. Remote-access users can reach the main site, but not the remote site.
Remote-access (vpn-houston) uses 192.168.69.0/24.
The main site (houston) uses 10.0.0.0/24.
The remote site (lugoff) uses 10.0.1.0/24.
Could I get some fresh eyes on my configs and maybe point out where I've gone wrong?
Thanks ...
05-22-2011 08:17 PM
at first glance, you are missing "same-security-traffic permit intra-interface" in houston
you are also missing this in houston:
access-list nonat extended permit ip vpn-houston 255.255.255.0 lugoff 255.255.255.0
and this:
access-list outside_cryptomap_1 extended permit ip vpn-houston 255.255.255.0 lugoff 255.255.255.0
and you need to remove second unnecessary crypto map 3 from lugoff, remove these:
no crypto map outside_map 3 match address outside_cryptomap_3
no crypto map outside_map 3 set pfs
no crypto map outside_map 3 set peer 75.148.248.81
no crypto map outside_map 3 set transform-set ESP-3DES-SHA
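A small checker for the points in this reply, added here as an illustration and not code from the thread or from Cisco: it parses ASA 8.2-style config excerpts and reports whether the hub has intra-interface hairpinning, a nat 0 exemption and a crypto ACL entry for the RA pool to the remote subnet, and whether the two sides' crypto ACLs mirror each other (that last check goes beyond this reply). The config excerpts are constructed to model the thread's starting state, not the poster's actual configs.

```python
import re
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAME_RE = re.compile(r"^name (\S+) (\S+)$")                 # name <ip> <alias> (ASA 8.2)
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")

def parse_asa(config):
    """Return (hairpin flag, crypto-map ACL entries, nat-0 ACL entries) with aliases resolved."""
    names, acls, crypto, nat0, intra = {}, {}, set(), set(), False
    for line in (l.strip() for l in config.splitlines()):
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := CRYPTO_RE.match(line):
            crypto.add(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(1))
        elif line == "same-security-traffic permit intra-interface":
            intra = True
    resolve = lambda sel: {tuple(names.get(t, t) for t in e) for n in sel for e in acls.get(n, [])}
    return intra, resolve(crypto), resolve(nat0)

def hairpin_issues(hub_cfg, spoke_cfg, ra_pool, spoke_net):
    """List what stops RA clients in ra_pool reaching spoke_net via the hub's L2L tunnel."""
    hub_intra, hub_crypto, hub_nat0 = parse_asa(hub_cfg)
    _, spoke_crypto, _ = parse_asa(spoke_cfg)
    mirror = lambda e: (e[2], e[3], e[0], e[1])   # crypto ACLs must be mirror images
    want, flow = ra_pool + spoke_net, "%s -> %s" % (ra_pool[0], spoke_net[0])
    checks = [(hub_intra, "hub: missing 'same-security-traffic permit intra-interface'"),
              (want in hub_nat0, "hub: nat 0 ACL lacks " + flow),
              (want in hub_crypto, "hub: crypto ACL lacks " + flow)]
    issues = [msg for ok, msg in checks if not ok]
    issues += ["spoke: no mirror of hub crypto entry " + " ".join(e)
               for e in sorted(hub_crypto - {mirror(x) for x in spoke_crypto})]
    issues += ["hub: no mirror of spoke crypto entry " + " ".join(e)
               for e in sorted(spoke_crypto - {mirror(x) for x in hub_crypto})]
    return issues

# Constructed excerpts (not the poster's real configs) modelling the thread's starting state.
HUB = """name 10.0.1.0 lugoff
name 192.168.69.0 vpn-houston
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 lugoff 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 lugoff 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 1 match address outside_cryptomap_1"""
SPOKE = """access-list outside_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.0.1.0 255.255.255.0 192.168.69.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap"""
RA_POOL, SPOKE_NET = ("192.168.69.0", "255.255.255.0"), ("10.0.1.0", "255.255.255.0")
```

Running `hairpin_issues(HUB, SPOKE, RA_POOL, SPOKE_NET)` on the starting state reports the three missing hub lines from this reply plus the spoke crypto entry that has no hub mirror; appending those three lines to HUB makes it return an empty list.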
05-24-2011 06:46 AM
Hi,
Please remove the following statements from the config:
Houston ASA:
access-list nonat extended permit ip lugoff 255.255.255.0 vpn-houston 255.255.255.0
Lugoff ASA:
access-list inside_nat0_outbound extended permit ip vpn-houston 255.255.255.0 10.0.1.0 255.255.255.0
Bounce the tunnel once, both the RA VPN and the L2L tunnel, and try accessing the 10.0.1.0/24 network from the RA VPN.
Let me know how it goes.
Hope this helps.
Regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
05-23-2011 04:42 PM
All good points. I followed your suggestions, but somehow the situation is the same...
I've also compared my configs to configs online that supposedly work, but I still can't tell what's going wrong. I'm convinced it's something dumb and tiny I've overlooked after trying at this for so long...
Latest configs attached. Thanks so much for the help...
05-24-2011 09:08 AM
Removed those two lines... no change. :/
05-24-2011 03:25 PM
Rebooted both routers. SUCCESS!
Thanks to both of you. My squirrelly config and then unneeded nonat entries appear to have been the problem.
Thanks so much!