VPN site 2 site though remote access

omar.elmohri
Level 1

Hi,

I'm running a VPN between two sites using 2 ASA 5505s.

Also, I have the RA-VPN, which is hosted on both ASAs.

My need is to remove one of the RA-VPN accesses and keep only one, but I need to be able to reach the second site.

I did a split-tunnel with both LANs, but I'm still not able to get the route on my computer when I connect to the RA-VPN.

Is it possible? And how?

Accepted Solution

Jennifer Halim
Cisco Employee

A few things that need to be configured for the remote access VPN to access the remote site-to-site VPN LAN:

1) On the site-to-site tunnel crypto ACL, it needs to include the remote VPN client IP pool subnet as follows:

On the ASA that terminates the VPN client: permit ip

On the remote ASA that terminates the site-to-site tunnel: permit ip

2) On the ASA that terminates the VPN client: same-security-traffic permit intra-interface

3) On the remote ASA that terminates the site-to-site tunnel: the NAT exemption ACL needs to include traffic from the remote LAN towards the IP pool subnet.

Plus the split tunnel ACL that includes both subnets, which I believe you already configured.

Hope that helps.

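The three steps above written out as a complete ASA configuration for both firewalls. This is an added example, not configuration from the original post or from Cisco; it assumes ASA 8.3 or later (object-based NAT syntax) and uses constructed addressing: site A LAN 192.168.1.0/24 behind ASA-A, which terminates both the RA-VPN clients and the site-to-site tunnel; site B LAN 192.168.2.0/24 behind ASA-B; RA-VPN address pool 192.168.100.0/24; ASA-B outside address 203.0.113.2. All object, ACL, crypto map and group-policy names are hypothetical, and the tunnel's existing peer, transform set and tunnel-group settings are assumed to be in place already.

```text
! ===== ASA-A (site A): terminates the RA-VPN clients and the S2S tunnel to site B =====
! Constructed addressing (assumption, not from the original post):
!   site A LAN 192.168.1.0/24, site B LAN 192.168.2.0/24, RA-VPN pool 192.168.100.0/24
object network SITE-A-LAN
 subnet 192.168.1.0 255.255.255.0
object network SITE-B-LAN
 subnet 192.168.2.0 255.255.255.0
object network RA-VPN-POOL
 subnet 192.168.100.0 255.255.255.0

! Step 1: the crypto ACL carries the RA-VPN pool as a second local identity, next to the LAN.
! Keep it to the pool subnet rather than "any" so only client traffic can enter the tunnel.
access-list S2S-TO-B extended permit ip object SITE-A-LAN object SITE-B-LAN
access-list S2S-TO-B extended permit ip object RA-VPN-POOL object SITE-B-LAN
crypto map OUTSIDE-MAP 10 match address S2S-TO-B
! (crypto map OUTSIDE-MAP 10 set peer 203.0.113.2 and the transform-set/tunnel-group lines
!  are assumed to exist already and are unchanged)

! Step 2: client traffic arrives on "outside" and leaves on "outside" again into the S2S
! tunnel, so the ASA must be allowed to hairpin traffic on the same interface.
same-security-traffic permit intra-interface

! Step 3 (local side): NAT exemption so pool <-> site B traffic keeps its real addresses.
! Pool traffic is exempted outside->outside because of the hairpin above.
nat (outside,outside) source static RA-VPN-POOL RA-VPN-POOL destination static SITE-B-LAN SITE-B-LAN
nat (inside,outside) source static SITE-A-LAN SITE-A-LAN destination static SITE-B-LAN SITE-B-LAN
nat (inside,outside) source static SITE-A-LAN SITE-A-LAN destination static RA-VPN-POOL RA-VPN-POOL

! Split tunnel: push both LANs to the client so the route for site B is installed.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.2.0 255.255.255.0
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! ===== ASA-B (site B): terminates only the S2S tunnel to site A =====
object network SITE-A-LAN
 subnet 192.168.1.0 255.255.255.0
object network SITE-B-LAN
 subnet 192.168.2.0 255.255.255.0
object network RA-VPN-POOL
 subnet 192.168.100.0 255.255.255.0

! Step 1 (remote side): the crypto ACL is the mirror image, including the pool as a remote identity.
access-list S2S-TO-A extended permit ip object SITE-B-LAN object SITE-A-LAN
access-list S2S-TO-A extended permit ip object SITE-B-LAN object RA-VPN-POOL
crypto map OUTSIDE-MAP 10 match address S2S-TO-A

! Step 3 (remote side): NAT exemption from the site B LAN towards the pool, not just towards site A LAN.
nat (inside,outside) source static SITE-B-LAN SITE-B-LAN destination static SITE-A-LAN SITE-A-LAN
nat (inside,outside) source static SITE-B-LAN SITE-B-LAN destination static RA-VPN-POOL RA-VPN-POOL
```

To check the result after a client connects, `show crypto ipsec sa` on either ASA should list a second IPsec SA whose proxy identities are the pool subnet and the site B LAN; if only the LAN-to-LAN identity appears, the crypto ACL on one side is still missing the pool entry. `packet-tracer input outside tcp 192.168.100.10 12345 192.168.2.10 80` on ASA-A walks a simulated client packet through the NAT and VPN phases and shows which of the three steps is dropping it.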
I was missing No. 3.

And that's TRUE, I have to include it on the S2S link.

Thanks
