Problem with VPN users reaching other side of site to site VPN

AriNina (Level 1)

I recognize that this is probably poor site design but it's what I have to work with. 

I have a main office with subnet 192.168.15.0/24.

There's a site to site VPN with a partner site (I don't own the firewall on their side) with subnet 10.2.22.0/24.  There are no issues with users accessing resources on each side.

I have users connecting to my main site with Secure Client.  Here's where I think the problem is.  They are issued IP addresses in the same range as the main site users so 192.168.15.0/24.

The remote users can access the main site resources fine but they cannot reach any of the resources on the other side of the site to site tunnel. 

Is there any way that I can fix this without creating a new address pool for the Secure Client users?  The reason is that I don't own that firewall on the other end of the site to site tunnel and it is difficult for me to get them to add a new subnet to their rules. 

I have that command "same-security-traffic permit intra-interface" on my main site firewall.  Not sure I needed it though. 

Thanks

 

1 Accepted Solution


@AriNina 

Have you considered using NAT?


6 Replies


To be honest I'm not very good at Cisco stuff.  I inherited the infrastructure and I'm able to get around a bit.

Can you give a brief idea of how NAT would work in this scenario?  

Sure. What firewall do you have, and which IOS version does it run?

My main site has an FPR1010.  Software is 9.19(1).

I figured it out

I read something about NAT exemption and created a rule (using ASDM because my CLI skills are poor), and traffic is flowing now.

Thank you for your help. Your hint about NAT helped me.
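For readers who want to see what the NAT exemption from this thread looks like on the CLI, here is an added example of an ASA 9.x configuration for this exact scenario; it is not the poster's ASDM rule or Cisco's own documentation. The main-site subnet (192.168.15.0/24) and the partner subnet (10.2.22.0/24) come from the thread; the interface names `inside` and `outside`, the object names, the Secure Client pool range inside the main-site subnet, and the crypto ACL name are assumptions made for the example.

```cisco
! --- Objects (names and the pool range are assumed for this example) ---
object network MAIN-LAN
 subnet 192.168.15.0 255.255.255.0
object network PARTNER-LAN
 subnet 10.2.22.0 255.255.255.0
object network SECURE-CLIENT-POOL
 ! Hypothetical sub-range of the main-site subnet used as the Secure Client address pool
 range 192.168.15.200 192.168.15.250

! --- Hairpinning: client traffic arrives on outside and must leave on outside
!     through the site-to-site tunnel, so intra-interface traffic must be permitted ---
same-security-traffic permit intra-interface

! --- NAT exemption (identity NAT) for the site-to-site tunnel itself.
!     Without it, LAN traffic to the partner would be translated to the
!     outside address and would no longer match the crypto ACL. ---
nat (inside,outside) source static MAIN-LAN MAIN-LAN destination static PARTNER-LAN PARTNER-LAN no-proxy-arp route-lookup

! --- NAT exemption for the Secure Client pool toward the partner subnet.
!     The interface pair is (outside,outside) because the client traffic
!     enters and leaves on the same interface. This is the rule that was
!     missing in the thread. ---
nat (outside,outside) source static SECURE-CLIENT-POOL SECURE-CLIENT-POOL destination static PARTNER-LAN PARTNER-LAN no-proxy-arp route-lookup

! --- Crypto ACL for the site-to-site tunnel (name assumed). Because the pool
!     is carved out of 192.168.15.0/24, this existing ACL already covers the
!     client addresses, and nothing changes on the partner's firewall. ---
access-list L2L-PARTNER extended permit ip 192.168.15.0 255.255.255.0 10.2.22.0 255.255.255.0

! --- Verification: the trace should show the (outside,outside) identity NAT
!     being hit and the packet leaving via the site-to-site crypto map.
!     10.2.22.10 and the ports are constructed sample values. ---
! packet-tracer input outside tcp 192.168.15.201 40000 10.2.22.10 445
! show nat detail
```

Two checks worth doing after applying something like this: `show nat detail` confirms the new manual NAT rule sits in section 1 and is actually matching (its hit counter increments); and if the Secure Client group policy uses split tunneling, its split-tunnel ACL must also include 10.2.22.0/24, or the client will never send that traffic into the tunnel in the first place. Keeping the pool as a distinct object, even though it lives inside the LAN subnet, also makes it easy to write a narrower access rule later if the partner side should only be reachable from remote users on specific ports.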

Glad to hear, man. I would suggest the same thing.

You rock it.
