VPN site to site through remote access

omar.elmohri
Level 1

Hi,

I'm running a VPN between two sites using two ASA 5505s.

I also have RA-VPN hosted on both ASAs.

My need is to remove one of the RA-VPN accesses and keep only one, but I still need to be able to reach the second site.

I did a split tunnel with both LANs, but I am still not able to get the route on my computer when I connect to the RA-VPN.

Is it possible? And how?

Accepted Solution

Jennifer Halim
Cisco Employee

A few things need to be configured for the remote access VPN to reach the LAN on the far side of the site-to-site VPN:

1) The site-to-site tunnel crypto ACL needs to include the remote VPN client IP pool subnet, as follows:

On the ASA that terminates the VPN client: permit ip

On the remote ASA that terminates the site-to-site tunnel: permit ip

2) On the ASA that terminates the VPN client: same-security-traffic permit intra-interface

3) On the remote ASA that terminates the site-to-site tunnel: the NAT exemption ACL needs to include traffic from the remote LAN towards the IP pool subnet.

Plus the split tunnel ACL that includes both subnets, which I believe you have already configured.

Hope that helps.

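The three steps above, assembled into one worked configuration for both ASAs. This is an added example and not configuration from the original post; the subnets, peer addresses, pool range, ACL, group-policy and tunnel-group names are all assumptions, and it uses pre-8.3 syntax (the `nat 0 access-list` NAT exemption form the answer refers to, and `crypto isakmp` rather than `crypto ikev1`). Site A is the ASA that keeps the RA-VPN and also terminates the site-to-site tunnel; Site B only terminates the site-to-site tunnel.

```cisco
!=== ASA-A (Site A): terminates RA-VPN clients and the site-to-site tunnel ===
! Assumed addressing (not from the original post):
!   Site A LAN 192.168.1.0/24, ASA-A outside 203.0.113.1
!   Site B LAN 192.168.2.0/24, ASA-B outside 198.51.100.1
!   RA-VPN client pool 10.10.10.0/24

! Step 1: crypto ACL must carry BOTH the local LAN and the client pool to Site B,
! otherwise pool-sourced packets never match the tunnel and are simply dropped.
access-list L2L_SITEB extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L_SITEB extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0

! Step 2: client traffic arrives on outside and must leave on outside again (u-turn)
same-security-traffic permit intra-interface

! NAT exemption for LAN<->Site B and LAN<->client pool (8.2-style nat 0)
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Split tunnel: push both LANs to the client so it routes 192.168.2.0/24 into the tunnel
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
access-list SPLIT standard permit 192.168.2.0 255.255.255.0
ip local pool RA_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy RA_GP internal
group-policy RA_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP

! Site-to-site tunnel to ASA-B (pre-shared key is a placeholder)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_STRONG_PSK
crypto map OUTSIDE_MAP 10 match address L2L_SITEB
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

!=== ASA-B (Site B): terminates only the site-to-site tunnel ===
! Step 1 (mirror image): the client pool appears as a destination here
access-list L2L_SITEA extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_SITEA extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0

! Step 3: NAT exemption must cover LAN -> Site A LAN AND LAN -> client pool,
! or replies to the clients get PATed to the outside address and leave the tunnel
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_STRONG_PSK
crypto map OUTSIDE_MAP 10 match address L2L_SITEA
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

To check it, connect a client and ping a Site B host; `show crypto ipsec sa peer 198.51.100.1` on ASA-A should then list a second IPsec SA whose local/remote identities are 10.10.10.0/24 and 192.168.2.0/24 with non-zero encaps/decaps counters. If only the 192.168.1.0/24 SA appears, the crypto ACLs are not mirror images; if the SA exists but decaps stays at zero, ASA-B's NAT exemption is the usual culprit. On ASA 8.3 and later the `nat 0 access-list` lines are replaced by twice-NAT rules of the form `nat (inside,outside) source static LAN_B LAN_B destination static RA_POOL RA_POOL`, with matching network objects. One security caveat: putting the client pool into the crypto domain means every RA-VPN user can reach all of Site B, and decrypted VPN traffic bypasses the outside interface ACL under the default `sysopt connection permit-vpn`; if only some users should reach Site B, restrict them with a `vpn-filter` on their group policy rather than relying on the split-tunnel list, which the client enforces, not the firewall.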

I was missing No. 3.

And that's TRUE, I have to include it on the s2s link.

Thanks