10-30-2011 01:46 PM
Hi ,
We have a site-to-site and a remote VPN configured on the same interface of an ASA 5520 (software version 8.3). When remote VPN users try to connect to computers located on the distant end of the site-to-site VPN, their requests fail. I tried No-NAT between the remote VPN private IP range and the remote site private IP range, and also stated the same in split tunneling. I can't even get a tracert through; ping also timed out.
Is there any solution to get this working?
Shankar.
10-30-2011 09:27 PM
There are a few things that need to be added for this to work:
1) On the ASA that remote VPN users connect to, you would need to add "same-security-traffic permit intra-interface".
2) You mention that you have added the remote site-to-site LAN in the split tunnel list, so that is good.
3) On the ASA that terminates the remote-access VPN, you also need to add the following:
- Crypto ACL for the site-to-site VPN needs to include the following:
access-list
4) On the remote site-to-site ASA, you would need to add:
- Crypto ACL for the site-to-site VPN needs to include the following:
access-list
- No-Nat: access-list
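A minimal ASA 8.3 configuration illustrating the four steps above, as an added example that is not from this thread; every name and address range in it (RA_POOL 10.10.10.0/24, HQ_LAN 192.168.1.0/24, REMOTE_LAN 192.168.2.0/24, the ACL and group-policy names) is a constructed placeholder to be replaced with the real values.

```cisco
! ---- ASA that terminates the remote-access VPN (hub) ----
! Step 1: traffic from the VPN pool arrives on outside and must leave
! on outside again (hairpin), which is denied unless this is set
same-security-traffic permit intra-interface

! Constructed placeholder address objects
object network RA_POOL
 subnet 10.10.10.0 255.255.255.0
object network HQ_LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.2.0 255.255.255.0

! Step 2: the split-tunnel list must carry the distant LAN as well,
! otherwise clients send that traffic in the clear via their own ISP
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.2.0 255.255.255.0
group-policy RA_GROUP_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Step 3: the site-to-site crypto ACL must also match pool -> remote LAN,
! and 8.3 twice NAT exempts that flow from translation (outside to outside)
access-list L2L_CRYPTO extended permit ip object HQ_LAN object REMOTE_LAN
access-list L2L_CRYPTO extended permit ip object RA_POOL object REMOTE_LAN
nat (outside,outside) source static RA_POOL RA_POOL destination static REMOTE_LAN REMOTE_LAN

! ---- ASA at the distant end of the site-to-site tunnel (spoke) ----
! Step 4: mirror image; the peer's crypto ACL and NAT exemption
! must name the VPN pool too, or the SA never proposes that pair
object network RA_POOL
 subnet 10.10.10.0 255.255.255.0
object network HQ_LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.2.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip object REMOTE_LAN object HQ_LAN
access-list L2L_CRYPTO extended permit ip object REMOTE_LAN object RA_POOL
nat (inside,outside) source static REMOTE_LAN REMOTE_LAN destination static RA_POOL RA_POOL
```

On the hub, `packet-tracer input outside icmp 10.10.10.5 8 0 192.168.2.10` walks a simulated pool-to-remote-LAN ping through the ACL, NAT and VPN phases and shows which step drops it.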
10-31-2011 12:45 PM
Let us know if you would like to see an example config. Currently traveling, but could in the next few days edit and post our config to give you an example to work off of. I believe it was Jennifer here who in fact helped when I had the very same problem. Seems confusing at first, but once everything is in place it all comes together to make sense.
11-01-2011 07:05 AM
Hi Jennifer,
I tried the four steps which you mentioned, but again I failed. Did you get this working on an ASA?
11-01-2011 07:25 AM
Hi Shankar,
This seems like a clear case of hairpinning to me. The only thing missing seems to be the "distant end of the site" reverse route towards the remote vpn users at this end.
Hope NAT is not involved, else it gets a little bit trickier.
HTH
Cheers
Arun
11-01-2011 07:51 AM
Hi Jennifer and Arun,
At last, after a fusillade of trial and error, I got the ICMP response from the remote VPN to the distant end of the site-to-site VPN. All four steps by Jennifer did well, but the missing part was the issuance of the command
same-security-traffic permit intra-interface.
The thread at https://supportforums.cisco.com/thread/2030063 helped me to find this out.
Thanks and Regards
Shankar
11-01-2011 08:00 AM
Oops, I missed that point Shankar.
11-01-2011 04:07 PM
Shankar,
If you read Jennifer's post carefully, her first point was about same-security-traffic permit intra-interface.
HTH
Kishore