773 Views | 12 Helpful | 7 Replies

Routing a Site-site VPN to Remote VPN users

Shankar Murali
Beginner

Hi,

We have a site-to-site and a remote-access VPN configured on the same interface of an ASA 5520 (software version 8.3). When remote VPN users try to connect to computers located at the distant end of the site-to-site VPN, their requests fail. I tried a No-NAT between the remote VPN private IPs and the remote site's private IPs, and also stated the same in the split tunneling list. I can't even get a tracert; ping also timed out.

Is there any solution to make this thing live?

Shankar.

2 Accepted Solutions: the replies by Jennifer Halim and Shankar Murali below.

7 Replies

Jennifer Halim
Cisco Employee

There are a few things that need to be added for this to work:

1) On the ASA where remote vpn users are connecting to, you would need to add "same-security-traffic permit intra-interface"

2) You mention that you have added the remote site-to-site LAN in the split tunnel list, so that is good.

3) On the ASA that terminates the remote access vpn, you also need to add the following:

- Crypto ACL for the site-to-site VPN needs to include the following:

access-list permit ip

4) On the remote site-to-site ASA, you would need to add:

- Crypto ACL for the site-to-site VPN needs to include the following:

access-list permit ip

- No-Nat: access-list permit ip

Let us know if you would like to see an example config. Currently traveling, but could in the next few days edit and post our config to give you an example to work off of. I believe it was Jennifer here who in fact helped when I had the very same problem. Seems confusing at first, but once everything is in place it all comes together to make sense.

Hi Jennifer,

I tried the four steps which you mentioned, but again I failed. Did you get this working on an ASA?

Hi Shankar,

This seems like a clear case of hairpinning to me. The only thing missing seems to be the "distant end of the site" reverse route towards the remote vpn users at this end.

Hope NAT is not involved, else it gets a little bit trickier.

HTH

Cheers

Arun

Shankar Murali
Beginner

Hi Jennifer and Arun,

At last, after a fusillade of trial and error, I got the ICMP response from the remote VPN to the distant end of the site-to-site VPN. All four steps by Jennifer did well, but the missing part was the issuance of the command

same-security-traffic permit intra-interface.

The https://supportforums.cisco.com/thread/2030063 thread helped me to find this out.

Thanks and Regards

Shankar

Oops, I missed that point Shankar.

Shankar,

If you read Jennifer's post carefully, her first point was about same-security-traffic permit intra-interface.

HTH

Kishore
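The four requirements Jennifer lists (intra-interface hairpinning enabled, remote LAN in the split-tunnel list, the RA pool added to the crypto ACL on both ends, and a NAT exemption so the hairpinned traffic is not translated) are easy to lose track of across two devices, which is exactly what happened in this thread. The script below is an added example, not from the thread, from Cisco or from any poster: it embeds a constructed hub and spoke configuration in ASA 8.3-style syntax (object names such as RA_POOL, SITEB_LAN, the ACL names and all addresses are made up for illustration) and runs a pre-flight check that reports which of the four pieces is missing. The BROKEN_HUB variant reproduces the thread's exact failure, the missing same-security-traffic line.

```python
"""Pre-flight check for hairpinning remote-access VPN users into a site-to-site
tunnel on an ASA. Added example; config text, object names and addresses are
constructed, and only the 'object network ... subnet' and twice-NAT forms are parsed."""
import ipaddress
import re

# Constructed hub config: the ASA that terminates both the RA VPN and the L2L tunnel.
HUB_CONFIG = """
hostname hub-asa
same-security-traffic permit intra-interface
object network RA_POOL
 subnet 192.168.100.0 255.255.255.0
object network SITEB_LAN
 subnet 10.2.0.0 255.255.0.0
object network HUB_LAN
 subnet 10.1.0.0 255.255.0.0
access-list L2L_SITEB extended permit ip object HUB_LAN object SITEB_LAN
access-list L2L_SITEB extended permit ip object RA_POOL object SITEB_LAN
access-list SPLIT standard permit 10.1.0.0 255.255.0.0
access-list SPLIT standard permit 10.2.0.0 255.255.0.0
nat (inside,outside) source static HUB_LAN HUB_LAN destination static SITEB_LAN SITEB_LAN
nat (outside,outside) source static RA_POOL RA_POOL destination static SITEB_LAN SITEB_LAN
group-policy RA_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
crypto map OUTSIDE_MAP 10 match address L2L_SITEB
"""

# Constructed spoke config: the distant-end ASA must mirror the crypto ACL and exempt NAT.
SPOKE_CONFIG = """
hostname spoke-asa
object network SITEB_LAN
 subnet 10.2.0.0 255.255.0.0
object network HUB_LAN
 subnet 10.1.0.0 255.255.0.0
object network RA_POOL
 subnet 192.168.100.0 255.255.255.0
access-list L2L_HUB extended permit ip object SITEB_LAN object HUB_LAN
access-list L2L_HUB extended permit ip object SITEB_LAN object RA_POOL
nat (inside,outside) source static SITEB_LAN SITEB_LAN destination static HUB_LAN HUB_LAN
nat (inside,outside) source static SITEB_LAN SITEB_LAN destination static RA_POOL RA_POOL
crypto map OUTSIDE_MAP 10 match address L2L_HUB
"""

# Same hub config with the thread's missing piece removed.
BROKEN_HUB = HUB_CONFIG.replace("same-security-traffic permit intra-interface\n", "")


def parse_objects(cfg):
    """Map each 'object network NAME' to its subnet (subnet form only)."""
    objects, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objects


def acl_pairs(cfg, acl_name):
    """Set of (src, dst) object names permitted by an extended ACL."""
    pat = re.compile(rf"access-list {acl_name} extended permit ip object (\S+) object (\S+)")
    return {(m.group(1), m.group(2)) for m in map(pat.match, cfg.splitlines()) if m}


def nat_exempt(cfg, src, dst):
    """True if an identity twice-NAT rule keeps src -> dst untranslated on any interface pair."""
    pat = re.compile(rf"nat \(\S+,\S+\) source static {src} {src} destination static {dst} {dst}")
    return any(pat.match(line) for line in cfg.splitlines())


def split_tunnel_covers(cfg, acl_name, net):
    """True if the standard split-tunnel ACL contains an entry covering net."""
    pat = re.compile(rf"access-list {acl_name} standard permit (\S+) (\S+)")
    for line in cfg.splitlines():
        m = pat.match(line)
        if m and net.subnet_of(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")):
            return True
    return False


def check_hub(cfg, crypto_acl, split_acl, ra_pool, remote_lan):
    """Return the list of missing hub-side pieces (empty list means all four are present)."""
    objs, findings = parse_objects(cfg), []
    if not any(l.strip() == "same-security-traffic permit intra-interface" for l in cfg.splitlines()):
        findings.append("missing: same-security-traffic permit intra-interface")
    if (ra_pool, remote_lan) not in acl_pairs(cfg, crypto_acl):
        findings.append(f"crypto ACL {crypto_acl} lacks {ra_pool} -> {remote_lan}")
    if not nat_exempt(cfg, ra_pool, remote_lan):
        findings.append(f"no NAT exemption {ra_pool} -> {remote_lan}")
    if remote_lan in objs and not split_tunnel_covers(cfg, split_acl, objs[remote_lan]):
        findings.append(f"split tunnel {split_acl} does not include {remote_lan}")
    return findings


def check_spoke(cfg, crypto_acl, local_lan, ra_pool):
    """Return the list of missing spoke-side pieces (mirrored crypto ACL and NAT exemption)."""
    findings = []
    if (local_lan, ra_pool) not in acl_pairs(cfg, crypto_acl):
        findings.append(f"crypto ACL {crypto_acl} lacks {local_lan} -> {ra_pool}")
    if not nat_exempt(cfg, local_lan, ra_pool):
        findings.append(f"no NAT exemption {local_lan} -> {ra_pool}")
    return findings


if __name__ == "__main__":
    print("hub   :", check_hub(HUB_CONFIG, "L2L_SITEB", "SPLIT", "RA_POOL", "SITEB_LAN") or "ok")
    print("spoke :", check_spoke(SPOKE_CONFIG, "L2L_HUB", "SITEB_LAN", "RA_POOL") or "ok")
    print("broken:", check_hub(BROKEN_HUB, "L2L_SITEB", "SPLIT", "RA_POOL", "SITEB_LAN"))
```

Point the checker at a `show running-config` capture from each box instead of the embedded text; the spoke check is what covers Arun's "reverse route" remark, since on an ASA the mirrored crypto ACL entry is what makes the distant end send RA-pool traffic back into the tunnel.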
