Connectivity to adjacent networks from remote VPN site

robert.acosta
Level 1

Hub and spoke topology with Corporate office acting as hub (192.168.1.x) and remote sites connected via frame relay, all except another network (172.16.x.x) in the Corporate building connected via 3560 switch.

From my remote VPN site (10.0.1.x) I can ping the 172.16.x.x network, but not the 192.168.1.x network. What I'm trying to do is allow traffic from the remote 10.0.1.x network (that directly connects via VPN to the 172.16.x.x network) to reach the 192.168.1.x network and vice versa.

I'm sure it's some combination of NAT/routing issue that I'm overlooking.

I'm new to PIX/ASAs in general and this is the first L2L VPN that I've set up. If someone can point me in the right direction I would appreciate it.

Thanks.

Accepted Solutions

acomiskey
Level 10

So it looks like this?

10.0.1.x -> L2L tunnel -> Corp. ASA -> 172.16.x.x -> 3560 -> 192.168.1.x

and you can currently communicate over the tunnel between 10.0 and 172.16? To be able to communicate between 10.0 and 192.168.1 you need to specify this as interesting traffic and add it to your crypto and NAT exemption ACLs.

Corp Site

access-list extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

nat (inside) 0 access-list

Remote Site

access-list extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list

Thank you. I didn't realize I needed the crypto map & ACL for the adjacent network.

All is good.
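
The accepted answer's point, that each network pair must appear in the crypto ACL on both peers and in the NAT exemption ACL, can be checked mechanically before a tunnel change goes live. The following is an added example, not part of the original thread: the ACL names `CRYPTO_L2L` and `NONAT`, the crypto map name `outside_map`, the /16 mask on 172.16.x.x and both sample configs are constructed assumptions.

```python
import re
from ipaddress import ip_network

# Constructed sample configs (pre-8.3 ASA syntax as in the thread); names and the /16 are assumed.
CORP = """\
access-list CRYPTO_L2L extended permit ip 172.16.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list CRYPTO_L2L extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map outside_map 10 match address CRYPTO_L2L
"""
REMOTE_BEFORE = """\
access-list CRYPTO_L2L extended permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
crypto map outside_map 10 match address CRYPTO_L2L
"""

ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
CRYPTO = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NONAT = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")

def parse(config):
    """Return (crypto_pairs, nonat_pairs) as sets of (src_net, dst_net)."""
    acls, crypto_names, nonat_names = {}, set(), set()
    for line in map(str.strip, config.splitlines()):
        if m := ACE.match(line):
            name, src, smask, dst, dmask = m.groups()
            pair = (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, set()).add(pair)
        elif m := CRYPTO.match(line):
            crypto_names.add(m.group(1))   # ACL referenced by the crypto map
        elif m := NONAT.match(line):
            nonat_names.add(m.group(1))    # ACL referenced by "nat 0"
    collect = lambda names: set().union(*(acls.get(n, set()) for n in names))
    return collect(crypto_names), collect(nonat_names)

def audit(local_cfg, peer_cfg):
    """List gaps in local_cfg's interesting traffic relative to peer_cfg."""
    crypto, nonat = parse(local_cfg)
    peer_crypto = parse(peer_cfg)[0]
    problems = []
    for src, dst in sorted(crypto):
        if (dst, src) not in peer_crypto:   # peer must carry the mirror entry
            problems.append(f"peer crypto ACL lacks mirror: {dst} -> {src}")
        if (src, dst) not in nonat:         # tunnel traffic must bypass NAT
            problems.append(f"no NAT exemption for {src} -> {dst}")
    return problems
```

Calling `audit(CORP, REMOTE_BEFORE)` flags the missing 10.0.1.0/24 -> 192.168.1.0/24 entry on the remote peer; run the audit in both directions, since each call only walks the first config's crypto entries.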