07-06-2007 08:48 AM - edited 02-21-2020 03:08 PM
We have a remote access VPN and a site-to-site VPN. Both work fine except that clients of the remote access VPN cannot access hosts on the site-to-site VPN.
We are 10.5.5.0
Site-to-Site VPN goes to 10.2.2.0
Remote access clients can access anything on 10.5.5.0 but nothing on 10.2.2.0.
What needs to be done to allow this to happen?
07-06-2007 09:04 AM
Is this ASA/PIX 7?
You need to add the traffic between the LANs to the NAT exemption and crypto ACLs on the firewalls.
Headend Firewall
same-security-traffic permit intra-interface
access-list
Remote Firewall
access-list
access-list
Also, if you are split tunnelling you need to add the remote subnet to be tunneled.
Please rate helpful posts.
07-06-2007 09:18 AM
BTW, realized I was using the wrong account.
Thank you!
PIX 506E (6.3) is local, PIX 515E (7.0) is remote.
I am getting "Command failed" when I attempt to execute:
same-security-traffic permit intra-interface
Thoughts?
07-06-2007 09:30 AM
Sorry, it won't work that way with PIX 6.
07-06-2007 09:33 AM
Is there another option besides using two different remote access VPNs for each client?
07-06-2007 09:42 AM
Not that I know of. The problem is version 6 will not let you U-turn traffic out the same interface it arrived on. It would work if the version 7 was headend and version 6 was at remote site.
07-06-2007 11:17 AM
Is it possible to upgrade the v. 6 to v. 7?
07-06-2007 11:20 AM
The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.
07-06-2007 09:44 AM
Hi
Do you have a router behind your PIX 506 or is it just a single subnet behind the PIX?
Jon
07-06-2007 11:16 AM
Just a single subnet behind the PIX.