cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
901
Views
0
Helpful
3
Replies

Remote VPN users cannot access site-to-site tunnel

paul_brighter
Beginner
Beginner

Cisco ASA5505.

I have a site-to-site tunnel set up from our office to our Amazon AWS VPC.  I'm not a network engineer and have spent far too much time just getting to this point.

This works fine from within the office, but remote VPN users cannot access the site-to-site tunnel.  All other remote access seems fine.

The current config is here: https://gist.github.com/pmac72/f483ea8c7c8c8c254626

Any help or hints would be greatly appreciated.  It's probably super simple for some one that knows what they're doing to see the issue.

1 Accepted Solution

Accepted Solutions

Hi Paul.

 

 

Looking at your configuration:

Remote access:

group-policy RA_GROUP internal
group-policy RA_GROUP attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec 
 split-tunnel-network-list value Split_Tunnel_List

 
 same-security-traffic permit intra-interface
 
 tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool RA_VPN_POOL
 default-group-policy RA_GROUP
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key *****
 
 ip local pool RA_VPN_POOL 10.0.0.10-10.0.0.50 mask 255.255.255.0
 

Site to site:

 


 
crypto map outside_map 1 match address acl-amzn
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer AWS_TUNNEL_1_IP AWS_TUNNEL_2_IP
crypto map outside_map 1 set transform-set transform-amzn
 
 
I would recommend you to use an IP local pool with different IP addresses that the inside interface is using, now you are missing NAT exempt from the IP local pool to the destination of the site to site:
 
access-list NAT_EXEMPT permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0
 
NAT (outside) 0 access-list NAT_EXEMPT
 
Now there is a NAT exempt permitting the traffic to go out and not being dynamically translated.
 
Let me know how it works out!
 
Please don't forget to rate and mark as correct the helpful Post!
 
Regards,
 
David Castro,
 
 

 

 

 

View solution in original post

3 Replies 3

Hi Paul.

 

 

Looking at your configuration:

Remote access:

group-policy RA_GROUP internal
group-policy RA_GROUP attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec 
 split-tunnel-network-list value Split_Tunnel_List

 
 same-security-traffic permit intra-interface
 
 tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool RA_VPN_POOL
 default-group-policy RA_GROUP
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key *****
 
 ip local pool RA_VPN_POOL 10.0.0.10-10.0.0.50 mask 255.255.255.0
 

Site to site:

 


 
crypto map outside_map 1 match address acl-amzn
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer AWS_TUNNEL_1_IP AWS_TUNNEL_2_IP
crypto map outside_map 1 set transform-set transform-amzn
 
 
I would recommend you to use an IP local pool with different IP addresses that the inside interface is using, now you are missing NAT exempt from the IP local pool to the destination of the site to site:
 
access-list NAT_EXEMPT permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0
 
NAT (outside) 0 access-list NAT_EXEMPT
 
Now there is a NAT exempt permitting the traffic to go out and not being dynamically translated.
 
Let me know how it works out!
 
Please don't forget to rate and mark as correct the helpful Post!
 
Regards,
 
David Castro,
 
 

 

 

 

I cannot thank you enough.  That did it.  Now I just need to do the same for our other VPCs.

 

I know I need to clean up the address space, but I inherited some of this mess and wanted to make minimal changes until I got it working then double back and clean up.

Hi Paul,

 

That is great, if you have any questions let me know please!!

 

Have a great week!

 

Regards,

David Castro,

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers