VPN clients cannot access remote site through site-to-site VPN


I have 2 sites:

Site A: ASA 5510, VPN gateway for remote users

Site B: ASA 5505

Both sites are connected through a site-to-site VPN.

Remote clients (AnyConnect/VPN client) can connect to the Site A LAN and see machines on LAN A, but cannot see the Site B LAN.

What am I missing (maybe on both sides)?

Any help appreciated.

Here is part of my configuration:

On Site A (ASA 5510)

name SiteA_Internal_Network
name SiteB_Internal_Network
name VPNPool_AnyConnect
name VPNPool_VpnClient
object-group network DM_INLINE_NETWORK_3
network-object VPNPool_AnyConnect
network-object VPNPool_VpnClient
network-object SiteA_Internal_Network
access-list External_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 SiteB_Internal_Network
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 1 SiteA_Internal_Network
nat (External-DMZ) 0 access-list External-DMZ_nat0_outbound
static (Internal,External-DMZ) SiteA_Internal_Network SiteA_Internal_Network netmask
static (Internal,Internal-DMZ) SiteA_Internal_Network SiteA_Internal_Network netmask
static (External-DMZ,External) SiteA_ExternalDMZ_Network SiteA_ExternalDMZ_Network netmask
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5

enable External
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1 regex "Windows NT"
svc image disk0:/anyconnect-wince-ARMv4I-2.3.0254-k9.pkg 2 regex "Windows CE"
svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 3 regex "Intel Mac OS X"
svc image disk0:/anyconnect-macosx-powerpc-2.3.0254-k9.pkg 4 regex "PPC Mac OS X"
svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 5 regex "Linux"
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value XXXXXXXXXXXXX
vpn-tunnel-protocol IPSec svc webvpn
ip-comp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-lan
default-domain value XXXXX

  svc keepalive 30
  svc compression none
group-policy TG-ADM internal
group-policy TG-ADM attributes
vpn-tunnel-protocol IPSec
ip-comp disable
group-policy JSIgroup internal
group-policy JSIgroup attributes
vpn-tunnel-protocol IPSec svc webvpn

  url-list none
  svc ask enable
tunnel-group DefaultRAGroup general-attributes
authentication-server-group RADIUS LOCAL
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool POOL-ANYCONNECT
authentication-server-group RADIUS LOCAL
dhcp-server XXXXXXXXXX
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias VPN-ACCESS enable
tunnel-group XXXXXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXXX ipsec-attributes

tunnel-group TG-ADM type remote-access
tunnel-group TG-ADM general-attributes
address-pool POOL-ADM
authentication-server-group RADIUS LOCAL
default-group-policy TG-ADM
tunnel-group TG-ADM ipsec-attributes

On Site B (ASA 5505)

name SiteA_Internal_Network
name AnyConnect
name VPN_Client
object-group network DM_INLINE_NETWORK_2

object-group network DM_INLINE_NETWORK_1

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip
access-list inside_access_in extended permit object-group Traffic-Good any
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_2
access-list outside_access_in extended deny ip any
access-list outside_access_in extended deny ip any
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1


At Site B it looks like it's actually being NATed/PATed out to the internet and not exempted from NAT. Make sure you have a no-NAT statement at Site B so that traffic is not PATed to the Internet. On the new 9.x ASA code this is done by the static NATs and no longer via the NONAT ACLs. Basically, at Site B match what you have working for the site-to-site VPN (ACL and static NATs) for the RA VPN subnet, and that should push that traffic over the tunnel. I did this recently for a client and this is what I ended up having to do on their ASA.

Remote Site B (8.2 code)

access-list VPN extended permit ip
access-list NONAT extended permit ip

Main Site A (9.x code)

access-list outside_cryptomap extended permit ip

I have configured the NAT exemption, see below:

Site B:

access-list no_nat extended permit ip
access-list no_nat extended permit ip

access-list Office extended permit ip
access-list Office extended permit ip

Site A:

access-list Outside1_cryptomap extended permit ip object Remote_admin object-group Subnets

Is there any other problem?

That looks good. What version of ASA code are you running? If you are running 8.3 and above, you will need static NATs.

8.3+ code NAT should look something like this.

Site A (interface name may vary for you)

nat (inside,outside) source static Remote_admin Remote_admin destination static SiteBSubnetObject SiteBSubnetObject no-proxy-arp route-lookup

Site B

nat (inside,outside) source static SiteBSubnetObject SiteBSubnetObject destination static Remote_admin Remote_admin no-proxy-arp route-lookup
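As an added example (not configuration from the thread or from any of the posters), here is a complete 8.3+ pairing for the setup the original post describes and the twice-NAT rules in the last reply, including two items the thread does not mention (same-interface hairpinning at Site A and the split-tunnel list) plus the commands used to verify the result. All object names, addresses and interface names are assumptions; Site A's rule uses outside,outside because remote-access traffic enters and leaves on the same interface.

```cisco
! Added example, not from the thread. Names, addresses and interface names are assumptions:
! RA pool 192.0.2.0/24, Site A LAN 10.0.0.0/24, Site B LAN 198.51.100.0/24; RA clients
! and the L2L tunnel both terminate on an interface named "outside".

! ===== Site A (RA headend and L2L peer) =====
object network RA-POOL
 subnet 192.0.2.0 255.255.255.0
object network SITEB-LAN
 subnet 198.51.100.0 255.255.255.0
! RA client traffic enters on outside and must leave on outside toward the L2L peer;
! the ASA drops this u-turn unless same-interface hairpinning is permitted.
same-security-traffic permit intra-interface
! The L2L crypto ACL must carry pool -> Site B, not only Site A LAN -> Site B.
access-list outside_cryptomap extended permit ip object RA-POOL object SITEB-LAN
! Identity (twice) NAT keeps pool -> Site B untranslated so it is not PATed to the
! internet; the pair is outside,outside because the traffic hairpins on outside.
nat (outside,outside) source static RA-POOL RA-POOL destination static SITEB-LAN SITEB-LAN no-proxy-arp route-lookup
! With split tunnelling, the list pushed to the client must also contain the Site B
! LAN, or the client sends that traffic to its local gateway instead of the tunnel.
access-list split-lan standard permit 10.0.0.0 255.255.255.0
access-list split-lan standard permit 198.51.100.0 255.255.255.0

! ===== Site B (L2L peer) =====
object network RA-POOL
 subnet 192.0.2.0 255.255.255.0
object network SITEB-LAN
 subnet 198.51.100.0 255.255.255.0
! Mirror image of Site A's crypto ACL entry.
access-list outside_cryptomap extended permit ip object SITEB-LAN object RA-POOL
! Identity NAT for LAN -> pool so replies are not PATed out the outside interface.
nat (inside,outside) source static SITEB-LAN SITEB-LAN destination static RA-POOL RA-POOL no-proxy-arp route-lookup

! ===== Verification (exec mode) =====
! Simulate an RA client packet toward a Site B host; the NAT and VPN phases of the
! output show whether the identity rule matched and the packet was encrypted.
! Site A: packet-tracer input outside tcp 192.0.2.10 40000 198.51.100.10 445 detailed
! Site B: packet-tracer input inside tcp 198.51.100.10 445 192.0.2.10 40000 detailed
! show nat detail        -> translate_hits on the identity rule should increase
! show crypto ipsec sa   -> expect an SA whose local/remote idents are pool and Site B LAN
```

If the packet-tracer result shows the packet leaving via the outside interface with a dynamic PAT entry instead of an ENCRYPT phase, the identity NAT rule is either missing or ordered after a broader dynamic rule.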