Remote VPN users cannot access site-to-site tunnel

paul_brighter
Level 1

Cisco ASA5505.

I have a site-to-site tunnel set up from our office to our Amazon AWS VPC.  I'm not a network engineer and have spent far too much time just getting to this point.

This works fine from within the office, but remote VPN users cannot access the site-to-site tunnel.  All other remote access seems fine.

The current config is here: https://gist.github.com/pmac72/f483ea8c7c8c8c254626

Any help or hints would be greatly appreciated.  It's probably super simple for someone that knows what they're doing to see the issue.

Accepted Solution

Hi Paul.

Looking at your configuration:

Remote access:

group-policy RA_GROUP internal
group-policy RA_GROUP attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec
 split-tunnel-network-list value Split_Tunnel_List

same-security-traffic permit intra-interface

tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool RA_VPN_POOL
 default-group-policy RA_GROUP
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key *****

ip local pool RA_VPN_POOL 10.0.0.10-10.0.0.50 mask 255.255.255.0

Site to site:

crypto map outside_map 1 match address acl-amzn
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer AWS_TUNNEL_1_IP AWS_TUNNEL_2_IP
crypto map outside_map 1 set transform-set transform-amzn

I would recommend using an IP local pool with different IP addresses than the inside interface is using. Right now you are missing a NAT exemption from the IP local pool to the destination of the site-to-site tunnel:

access-list NAT_EXEMPT permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0

nat (outside) 0 access-list NAT_EXEMPT

Now there is a NAT exemption permitting the traffic to go out without being dynamically translated.

Let me know how it works out!

Please don't forget to rate and mark as correct the helpful post!

Regards,

David Castro,
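As an added check (example code, not from the thread, Cisco or AWS): the hairpin that the accepted answer fixes needs four things on a pre-8.3 ASA, and a script can verify them from a saved config rather than by eye: the remote-access pool should not overlap the inside subnet, the crypto ACL must include the pool as a source, the NAT exemption on the outside interface must cover pool-to-VPC traffic, and same-security-traffic permit intra-interface must be set. The config text below is constructed to mirror the names quoted in the thread; the gist itself is not reproduced on the page, so the AWS VPC prefix 172.17.0.0/16, the inside subnet 10.0.0.0/24, the outside address, and the contents of acl-amzn are assumptions. It also goes one step past the thread: the third config moves the pool off the inside subnet as the answer recommends, and the check shows that the crypto ACL and the NAT exemption then both have to be updated for the moved pool, or the same symptom comes back.

```python
"""Static checks for an ASA remote-access -> site-to-site hairpin.

Added example, not code from the thread. Assumes pre-8.3 NAT syntax
(`nat (iface) 0 access-list ...`), as used in the accepted answer.
"""
import ipaddress
import re

# Constructed config, mirroring the thread's names; prefixes are assumptions.
BROKEN_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
same-security-traffic permit intra-interface
access-list acl-amzn extended permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0
access-list inside_nat0 extended permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0
ip local pool RA_VPN_POOL 10.0.0.10-10.0.0.50 mask 255.255.255.0
crypto map outside_map 1 match address acl-amzn
"""

# The two lines from the accepted answer, appended to the broken config.
FIXED_CONFIG = BROKEN_CONFIG + (
    "access-list NAT_EXEMPT permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0\n"
    "nat (outside) 0 access-list NAT_EXEMPT\n"
)

# Pool moved off the inside subnet, but the ACLs left untouched.
MOVED_POOL_CONFIG = FIXED_CONFIG.replace("10.0.0.10-10.0.0.50", "10.10.10.10-10.10.10.50")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(config, name):
    """Return (src, dst) network pairs for the 'permit ip' entries of one ACL."""
    pat = re.compile(
        rf"^access-list {re.escape(name)}(?: extended)? permit ip "
        r"(\S+) (\S+) (\S+) (\S+)\s*$", re.M)
    return [(_net(s, sm), _net(d, dm)) for s, sm, d, dm in pat.findall(config)]


def parse_pool(config, name):
    """Return (first, last) address of an 'ip local pool' range."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+)-(\S+) ", config, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def parse_inside_subnet(config):
    """Return the subnet of the interface whose nameif is 'inside', or None."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    for lines in blocks.values():
        if "nameif inside" in lines:
            for entry in lines:
                if entry.startswith("ip address "):
                    _, _, addr, mask = entry.split()
                    return _net(addr, mask)
    return None


def covers(pairs, lo, hi, dst):
    """True if one ACE's source holds the whole lo..hi range and its destination holds dst."""
    return any(lo in s and hi in s and dst.subnet_of(d) for s, d in pairs)


def nat_exempt_acl(config, interface):
    m = re.search(rf"^nat \({re.escape(interface)}\) 0 access-list (\S+)", config, re.M)
    return m.group(1) if m else None


def audit(config, pool="RA_VPN_POOL", crypto_acl="acl-amzn", remote_prefix="172.17.0.0/16"):
    """Evaluate the four hairpin prerequisites and return them as booleans."""
    remote = ipaddress.ip_network(remote_prefix)
    lo, hi = parse_pool(config, pool)
    inside = parse_inside_subnet(config)
    exempt = nat_exempt_acl(config, "outside")
    return {
        "pool_overlaps_inside": inside is not None and (lo in inside or hi in inside),
        "crypto_acl_covers_pool": covers(parse_acl(config, crypto_acl), lo, hi, remote),
        "outside_nat_exempt_covers_pool": bool(exempt) and covers(parse_acl(config, exempt), lo, hi, remote),
        "intra_interface_permitted": re.search(
            r"^same-security-traffic permit intra-interface", config, re.M) is not None,
    }


# Desired value of each finding; anything else is reported by problems().
EXPECTED = {"pool_overlaps_inside": False, "crypto_acl_covers_pool": True,
            "outside_nat_exempt_covers_pool": True, "intra_interface_permitted": True}


def problems(config, **kw):
    """Sorted names of the checks that fail for this config."""
    return sorted(k for k, v in audit(config, **kw).items() if v != EXPECTED[k])


if __name__ == "__main__":
    for label, cfg in [("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG), ("moved pool", MOVED_POOL_CONFIG)]:
        print(f"{label}: {problems(cfg) or 'ok'}")
```

Run it on a `show running-config` dump instead of the constructed text to check a real box; the pool, ACL and VPC-prefix names are parameters of audit() for that reason. The "moved pool" case is the one to keep in mind when cleaning up the address space later: the answer's NAT exemption and the crypto ACL both name 10.0.0.0/24 as the source, so a pool on a new subnet needs its own entries in both.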

3 Replies


I cannot thank you enough.  That did it.  Now I just need to do the same for our other VPCs.

 

I know I need to clean up the address space, but I inherited some of this mess and wanted to make minimal changes until I got it working then double back and clean up.

Hi Paul,

 

That is great, if you have any questions let me know please!!

 

Have a great week!

 

Regards,

David Castro,