VPN clients cannot access remote site through site-to-site VPN

Hello,

I have 2 sites:

site A :

ASA 5510

VPN gateway for remote users

LAN 192.168.192.0/22

site B :

ASA 5505

LAN 192.168.208.0/22

Both sites are connected through a site to site VPN.

Remote clients (AnyConnect/VPN client) can connect to Site A LAN and see machines on LAN A but cannot see Site B LAN.

What am I missing (maybe on both sides)?

Any help appreciated.

Here is a part of my configuration:

On Site A (ASA 5510)
--------------------------------
name 192.168.192.0 SiteA_Internal_Network
name 192.168.208.0 SiteB_Internal_Network
name 192.168.133.0 VPNPool_AnyConnect
name 192.168.133.32 VPNPool_VpnClient
object-group network DM_INLINE_NETWORK_3
 network-object VPNPool_AnyConnect 255.255.255.224
 network-object VPNPool_VpnClient 255.255.255.224
 network-object SiteA_Internal_Network 255.255.252.0
access-list External_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 SiteB_Internal_Network 255.255.252.0
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 1 SiteA_Internal_Network 255.255.252.0
nat (External-DMZ) 0 access-list External-DMZ_nat0_outbound
static (Internal,External-DMZ) SiteA_Internal_Network SiteA_Internal_Network netmask 255.255.252.0
static (Internal,Internal-DMZ) SiteA_Internal_Network SiteA_Internal_Network netmask 255.255.252.0
static (External-DMZ,External) SiteA_ExternalDMZ_Network SiteA_ExternalDMZ_Network netmask 255.255.255.240
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
webvpn
 enable External
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1 regex "Windows NT"
 svc image disk0:/anyconnect-wince-ARMv4I-2.3.0254-k9.pkg 2 regex "Windows CE"
 svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 3 regex "Intel Mac OS X"
 svc image disk0:/anyconnect-macosx-powerpc-2.3.0254-k9.pkg 4 regex "PPC Mac OS X"
 svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 5 regex "Linux"
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value XXXXXXXXXXXXX
 vpn-tunnel-protocol IPSec svc webvpn
 ip-comp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-lan
 default-domain value XXXXX
 webvpn
  svc keepalive 30
  svc compression none
group-policy TG-ADM internal
group-policy TG-ADM attributes
 vpn-tunnel-protocol IPSec
 ip-comp disable
group-policy JSIgroup internal
group-policy JSIgroup attributes
 vpn-tunnel-protocol IPSec svc webvpn
 webvpn
  url-list none
  svc ask enable
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group RADIUS LOCAL
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool POOL-ANYCONNECT
 authentication-server-group RADIUS LOCAL
 dhcp-server XXXXXXXXXX
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias VPN-ACCESS enable
tunnel-group XXXXXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXXX ipsec-attributes
 pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXX
tunnel-group TG-ADM type remote-access
tunnel-group TG-ADM general-attributes
 address-pool POOL-ADM
 authentication-server-group RADIUS LOCAL
 default-group-policy TG-ADM
tunnel-group TG-ADM ipsec-attributes
 pre-shared-key XXXXXXXXXXXXXXXXXXXXXX

On Site B (ASA 5505)
-------------------------------
name 192.168.192.0 SiteA_Internal_Network
name 192.168.133.32 AnyConnect
name 192.168.133.0 VPN_Client
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.133.0 255.255.255.224
 network-object 192.168.133.32 255.255.255.224
 network-object 192.168.192.0 255.255.252.0
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.133.0 255.255.255.224
 network-object 192.168.133.32 255.255.255.224
 network-object 192.168.192.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip 192.168.208.0 255.255.252.0 192.168.192.0 255.255.252.0
access-list inside_access_in extended permit object-group Traffic-Good 192.168.208.0 255.255.252.0 any
access-list outside_cryptomap_1 extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_2
access-list outside_access_in extended deny ip any 192.168.208.0 255.255.252.0
access-list outside_access_in extended deny ip any 192.168.192.0 255.255.252.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

27 Replies

At Site B it looks like it's actually being NAT/PATed out to the Internet and not exempted from NAT. Make sure you have a no-NAT statement at Site B so the traffic is not PATed to the Internet. On the new 9.x ASA code this is done by the static NATs and no longer done via the NONAT ACLs. Basically, at Site B, match what you have working for the site-to-site VPN (ACL and static NATs) for the RA VPN subnet and that should push that traffic over the tunnel. I did this recently for a client and this is what I ended up having to do on their ASA.

Remote Site B (8.2 code)

access-list VPN extended permit ip 10.46.1.0 255.255.255.0 10.41.9.0 255.255.255.0
access-list NONAT extended permit ip 10.46.1.0 255.255.255.0 10.41.9.0 255.255.255.0

Main Site A (9.x Code)

access-list outside_cryptomap extended permit ip 10.41.9.0 255.255.255.0 10.46.1.0 255.255.255.0
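The advice above boils down to a mechanical check: on the 8.2-style ASA, the flow between the remote-access pool and the far LAN must appear both in the crypto-map ACL (so it is tunnelled) and in the `nat (if) 0` exemption ACL (so it is not PATed out the Internet interface first). The script below is an added example, not code from this thread or from Cisco; it parses only the subset of ASA syntax visible in the thread (`name`, `object-group network`, `access-list ... extended permit ip`, `nat (if) 0 access-list`, `same-security-traffic permit intra-interface`) and reports whether a given flow is covered by each ACL. `SITE_B_GOOD` is a constructed sample modelled on the Site B excerpt in the question; `SITE_B_BAD` is the same config with the VPN pools dropped from the NAT-0 object-group, which is the failure mode the reply describes. The `intra_interface_hairpin` flag matters on the Site A box, where the remote-access and site-to-site tunnels both terminate on External; the excerpt does not show that command either way. The checker does not cover the `split-lan` split-tunnel ACL, whose contents are not in the excerpt and which must also list the Site B LAN for clients to send that traffic into the tunnel at all.

```python
"""Coverage checker for ASA 8.2-style configs: does a given flow appear in
both the crypto-map ACL and the NAT-0 exemption ACL? Added example, not code
from the thread or from Cisco. It understands only the subset of syntax seen
in the thread: name, object-group network / network-object, access-list
... extended permit ip, nat (if) 0 access-list, same-security-traffic."""
import ipaddress


def _net(addr, mask):
    return ipaddress.IPv4Network((addr, mask), strict=False)


def _endpoint(tok, names, groups):
    """Consume one ACL endpoint; return ([networks], remaining tokens)."""
    if tok[0] == "object-group":
        return groups.get(tok[1], []), tok[2:]
    if tok[0] == "any":
        return [ipaddress.IPv4Network("0.0.0.0/0")], tok[1:]
    if tok[0] == "host":
        return [_net(names.get(tok[1], tok[1]), "255.255.255.255")], tok[2:]
    return [_net(names.get(tok[0], tok[0]), tok[1])], tok[2:]


def parse_asa(config):
    """Return (acls, nat0, hairpin): acls maps ACL name -> [(srcs, dsts)],
    nat0 maps interface -> exemption ACL name, hairpin is True when
    'same-security-traffic permit intra-interface' is present."""
    names, groups, acls, nat0 = {}, {}, {}, {}
    hairpin, group = False, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue                      # blank lines, as pasted in the thread
        if tok[0] != "network-object":
            group = None                  # any other command ends the object-group
        if tok[0] == "name":              # name <ip> <alias>
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            group = tok[2]
            groups[group] = []
        elif tok[0] == "network-object" and group is not None:
            groups[group].append(_net(names.get(tok[1], tok[1]), tok[2]))
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            srcs, rest = _endpoint(tok[5:], names, groups)
            dsts, _ = _endpoint(rest, names, groups)
            acls.setdefault(tok[1], []).append((srcs, dsts))
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            nat0[tok[1].strip("()")] = tok[4]
        elif tok[:3] == ["same-security-traffic", "permit", "intra-interface"]:
            hairpin = True
    return acls, nat0, hairpin


def covers(rules, src, dst):
    """True if some rule's source set and destination set both contain the flow."""
    return any(any(src.subnet_of(s) for s in srcs) and
               any(dst.subnet_of(d) for d in dsts) for srcs, dsts in rules)


def check_flow(config, crypto_acl, nat_if, src, dst):
    """Report how an 8.2-style config treats the src -> dst flow entering nat_if."""
    acls, nat0, hairpin = parse_asa(config)
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    nat0_acl = nat0.get(nat_if)
    return {
        "crypto_acl_covers": covers(acls.get(crypto_acl, []), src, dst),
        "nat0_acl": nat0_acl,
        "nat0_covers": bool(nat0_acl) and covers(acls.get(nat0_acl, []), src, dst),
        "intra_interface_hairpin": hairpin,
    }


# Constructed sample, modelled on the Site B (ASA 5505) excerpt in the question.
SITE_B_GOOD = """
name 192.168.192.0 SiteA_Internal_Network
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.133.0 255.255.255.224
 network-object 192.168.133.32 255.255.255.224
 network-object 192.168.192.0 255.255.252.0
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.133.0 255.255.255.224
 network-object 192.168.133.32 255.255.255.224
 network-object 192.168.192.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_1
access-list outside_cryptomap_1 extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_2
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Constructed failure case: the pools are missing from the NAT-0 object-group,
# so LAN -> pool replies fall through to "nat (inside) 1" and get PATed out.
SITE_B_BAD = SITE_B_GOOD.replace(
    "object-group network DM_INLINE_NETWORK_1\n"
    " network-object 192.168.133.0 255.255.255.224\n"
    " network-object 192.168.133.32 255.255.255.224\n",
    "object-group network DM_INLINE_NETWORK_1\n")

if __name__ == "__main__":
    for label, cfg in (("good", SITE_B_GOOD), ("bad", SITE_B_BAD)):
        print(label, check_flow(cfg, "outside_cryptomap_1", "inside",
                                "192.168.208.0/22", "192.168.133.0/27"))
```

Run it against a `show run` excerpt with the return flow (local LAN to pool) and the interface that flow enters on; both `crypto_acl_covers` and `nat0_covers` need to be true for every pool, and the same check applies on the other peer with the source and destination swapped.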

I have configured the exemption from NAT, see below:

Site B:

access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0

access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0

Site A:

access-list Outside1_cryptomap extended permit ip object Remote_admin object-group Subnets

Is there any other problem?

That looks good. What version of ASA code are you running? If you are running 8.3 and above you will need static NATs.

8.3+ code NAT should look something like this.

Site A (interface name may vary for you)

nat (inside,outside) source static Remote_admin Remote_admin destination static SiteBSubNetObject SiteBSubNetObject no-proxy-arp route-lookup

Site B

nat (inside,outside) source static SiteBSubNetObject SiteBSubNetObject destination static Remote_admin Remote_admin no-proxy-arp route-lookup
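On 8.3+ code the exemption is an identity twice-NAT rule (real and mapped object identical on both the source and destination side), and the rule only takes effect if every object name it references is defined, spelled exactly the same way, since object names are case-sensitive. The script below is an added example, not code from this thread or from Cisco: it parses `object network` / `subnet` definitions and `nat (in,out) source static A A destination static B B` lines, reports whether a flow is covered by an identity rule, and lists object names a NAT line uses that were never defined. `SITE_A_83` is constructed from the reply's Site A line with a deliberate one-character case difference in the mapped destination name, to show the check firing; the subnets assigned to `Remote_admin` and `SiteBSubNetObject` are assumptions chosen to match the ACLs in the earlier reply.

```python
"""Checker for ASA 8.3+ twice-NAT identity rules, as used to exempt
site-to-site and remote-access traffic from translation. Added example, not
code from the thread or from Cisco. Object names are case-sensitive on the
ASA, so a one-letter mismatch silently leaves the flow without exemption."""
import ipaddress


def parse_twice_nat(config):
    """Return (objects, rules): objects maps name -> network; each rule is a
    dict with the real/mapped source and destination object names."""
    objects, rules, current = {}, [], None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif tok[0] == "subnet" and current:
            objects[current] = ipaddress.IPv4Network((tok[1], tok[2]), strict=False)
        elif tok[0] == "host" and current:
            objects[current] = ipaddress.IPv4Network(tok[1])
        elif (tok[0] == "nat" and tok[2:4] == ["source", "static"]
              and tok[6:8] == ["destination", "static"]):
            current = None
            rules.append({"ifaces": tok[1].strip("()"),
                          "real_src": tok[4], "mapped_src": tok[5],
                          "real_dst": tok[8], "mapped_dst": tok[9]})
        else:
            current = None                # any other command leaves object mode
    return objects, rules


def check_identity(config, src, dst):
    """Is src -> dst exempted by an identity twice-NAT rule, and are all
    object names referenced by NAT rules actually defined?"""
    objects, rules = parse_twice_nat(config)
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    undefined = sorted({n for r in rules for k, n in r.items()
                        if k != "ifaces" and n not in objects})
    identity = any(
        r["real_src"] == r["mapped_src"] and r["real_dst"] == r["mapped_dst"]
        and r["real_src"] in objects and r["real_dst"] in objects
        and src.subnet_of(objects[r["real_src"]])
        and dst.subnet_of(objects[r["real_dst"]])
        for r in rules)
    return {"identity_rule": identity, "undefined_objects": undefined}


# Constructed from the reply's Site A line; the mapped destination name is
# deliberately mis-cased (SiteBSubnetObject vs SiteBSubNetObject). Subnets are assumed.
SITE_A_83 = """
object network Remote_admin
 subnet 10.1.84.0 255.255.255.0
object network SiteBSubNetObject
 subnet 10.1.1.0 255.255.255.0
nat (inside,outside) source static Remote_admin Remote_admin destination static SiteBSubNetObject SiteBSubnetObject no-proxy-arp route-lookup
"""

# Same config with the object name spelled consistently.
SITE_A_83_FIXED = SITE_A_83.replace("SiteBSubnetObject", "SiteBSubNetObject")

if __name__ == "__main__":
    for cfg in (SITE_A_83, SITE_A_83_FIXED):
        print(check_identity(cfg, "10.1.84.0/24", "10.1.1.0/24"))
```

Paste in the `object network` and `nat` sections from `show run` and call `check_identity` once per pool-to-LAN pair; an empty `undefined_objects` list and `identity_rule` true on both peers is the condition the reply's static NAT advice is aiming for.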