We currently have a site to site VPN setup between our offices and a 3rd party call center which allows them to access our training environment for their employees to use while being trained on our systems. This tunnel is running between our ASA and their ASA with no problem; however, when we have managers go out to the call center they are unable to use Remote VPN to access our office.
Apparently the same remote peer IP address that we are using for our site to site tunnel is the same IP address that our Managers are using to access the internet when they are on site with the client. When I look at the logs it shows the VPN attempt and then I get Information Exchange processing failed. So from what I can gather when our managers try to connect to our firewall from the same IP as the site to site peer it automatically tries to create a tunnel based on the site to site tunnel information. If our managers are anywhere else they can connect via remote VPN with no problems.
My question is if anyone knows of a way to make the firewall allow both site to site and remote VPN connectivity from the same remote IP address.
If you already have a site to site VPN from your office to the call center office, then why do you want your manager to use remote access VPN?
They simply have to connect to the local LAN of the call center and will then get access to your office. If there is a restriction given, then check for those subnets.
What is the remote peer IP that you are using?
Can you please share the config?
I'm unable to open up the site to site tunnel to all of our subnets for security reasons so our manager cannot connect using that tunnel. Currently it only has access to our production servers.
The Remote Peer IP is the outside IP of their ASA and the call center's peer is our outside ASA interface which is the same for the Host IP for the remote VPN profile.
I know that's what is causing the problem so I'm looking for anyone's ideas on how to work around the problem. I cannot post the config at this time because I don't have time to go through and sanitize the config prior to posting, but if someone wants to see a specific part of the config I could try to post that.