Remote Access VPN to Site-to-Site VPN

Unanswered Question
Jul 6th, 2007

We have a remote access VPN and a site-to-site VPN. Both work fine except that clients of the remote access VPN can not access hosts on the site-to-site VPN.

We are 10.5.5.0

Site-to-Site VPN goes to 10.2.2.0

Remote access clients can access anything on 10.5.5.0 but nothing on 10.2.2.0.

What needs to be done to allow this to happen?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
acomiskey Fri, 07/06/2007 - 09:04

Is this ASA/PIX 7?

You need to add the traffic between the lans to the nat exemption and crypto acls on the firewalls.

Headend Firewall

same-security-traffic permit intra-interface

access-list extended permit ip 10.2.2.0 255.255.255.0

Remote Firewall

access-list extended permit ip 10.2.2.0 255.255.255.0

access-list extended permit ip 10.2.2.0 255.255.255.0

Also, if you are split tunnelling you need to add the remote subnet to be tunneled.

Please rate helpful posts.

pmolaughlin Fri, 07/06/2007 - 09:18

BTW, realized I was using the wrong account.

Thank you!

PIX 506E (6.3) is local, PIX 515E (7.0) is remote.

I am getting "Command failed" when I attempt to execute:

same-security-traffic permit intra-interface

Thoughts?

pmolaughlin Fri, 07/06/2007 - 09:33

Is there another option besides using two different remote access VPNs for each client?

acomiskey Fri, 07/06/2007 - 09:42

Not that I know of. The problem is version 6 will not let you u turn traffic out the same interface it arrived on. It would work if the version 7 was headend and version 6 was at remote site.

acomiskey Fri, 07/06/2007 - 11:20

The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.

Jon Marshall Fri, 07/06/2007 - 09:44

Hi

Do you have a router behind your Pix 506 or is it just a single subnet behind the pix ?

Jon

Actions

This Discussion