Cisco Community
English
Register
Congratulate December's Spotlight Awardees. CLICK HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
398
Views
0
Helpful
2
Replies
Highlighted
omar.elmohri
Beginner
Beginner
‎09-15-2010 02:00 AM
‎09-15-2010 02:00 AM

VPN site 2 site though remote access

Hi,

I'm running VPN between two sites using 2 ASA 5505.

Also I want that RA-VPN which is hosted in both ASA.

My need is to remove one of the RA-VPN access and keep only one, but need to be able to reach the second site.

I did a split-tunnel with  both LANs. But I still not able to get the route in my computer when I connect to the RA-VPN.

Is it possible? And how?

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Jennifer Halim
Cisco Employee
Cisco Employee
‎09-15-2010 05:33 AM
‎09-15-2010 05:33 AM

A few things that needs to be configured for remote access vpn to access the remote site-to-site vpn LAN:

1) On the site-to-site tunnel crypto ACL, it needs to include the remote vpn client ip pool subnet as follows:

On the ASA that terminates the vpn client: permit ip

On the remote ASA that terminates the site-to-site tunnel: permit ip

2) On the ASA that terminates the vpn client: same-security-traffic permit intra interface

3) On the remote ASA that terminates the site-to-site tunnel: NAT exemption ACL needs to include traffic from remote LAN towards the IP Pool subnet.

Plus the split tunnel ACL that includes both subnets which I believe you already configured.

Hope that helps.

View solution in original post

0 Helpful
Reply
2 REPLIES 2
Highlighted
Jennifer Halim
Cisco Employee
Cisco Employee
‎09-15-2010 05:33 AM
‎09-15-2010 05:33 AM

A few things that needs to be configured for remote access vpn to access the remote site-to-site vpn LAN:

1) On the site-to-site tunnel crypto ACL, it needs to include the remote vpn client ip pool subnet as follows:

On the ASA that terminates the vpn client: permit ip

On the remote ASA that terminates the site-to-site tunnel: permit ip

2) On the ASA that terminates the vpn client: same-security-traffic permit intra interface

3) On the remote ASA that terminates the site-to-site tunnel: NAT exemption ACL needs to include traffic from remote LAN towards the IP Pool subnet.

Plus the split tunnel ACL that includes both subnets which I believe you already configured.

Hope that helps.

View solution in original post

0 Helpful
Reply
Highlighted
omar.elmohri
Beginner
Beginner
In response to Jennifer Halim
‎09-15-2010 06:25 AM
‎09-15-2010 06:25 AM

I was missing N03

And that's TRUE, I have to include it on the s2s link.

Thanks

0 Helpful
Reply
Latest Contents
#CiscoChat Live: Accelerating your security maturation journ...
Created by Kelli Glass on 01-15-2021 04:48 PM
0
0
0
0
Join us live on Tuesday, January 19 at 10:00 am PT (and on demand after) as we discuss the latest version of ATT&CK and the expansion of TTPs in v8.  As a security expert, you are tasked with protecting your environment. You see the value of... view more
#CiscoChat Live: Accelerating your security maturation journ...
Created by Kelli Glass on 01-15-2021 04:46 PM
0
0
0
0
Join us live on Tuesday, January 19 at 10:00 am PT (and on demand after) as we discuss the latest version of ATT&CK and the expansion of TTPs in v8.  As a security expert, you are tasked with protecting your environment. You see the value of... view more
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 01-15-2021 06:09 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
Serious problem with Object Groups + Access Policies in FMC
Created by mhmservice on 01-15-2021 04:31 AM
0
0
0
0
Hi allI've been having a major problem with Object Groups in FMC access policiesIf I have a pre-existing line in a policy with an Object Group which contains a list of IPs, if I add an additional IP to that object group, then deploy, the traffic is still ... view more
No cts dot1x command in interface configuration mode
Created by tanzhy on 01-14-2021 01:49 AM
3
0
3
0
Anyone know why there are no cts dot1x command in interface configure mode?I  just find cts manual and cts role-based command      Hardware is  C9300-48PSoftware is   Cisco IOS XE Software, Version 16.12.04License i... view more
Content for Community-Ad