
Remote Access VPN to Site-to-Site VPN

davidcuthbert
Level 1

We have a remote access VPN and a site-to-site VPN. Both work fine except that clients of the remote access VPN cannot access hosts on the site-to-site VPN.

We are 10.5.5.0

Site-to-Site VPN goes to 10.2.2.0

Remote access clients can access anything on 10.5.5.0 but nothing on 10.2.2.0.

What needs to be done to allow this to happen?

9 Replies

acomiskey
Level 10

Is this ASA/PIX 7?

You need to add the traffic between the LANs to the NAT exemption and crypto ACLs on the firewalls.

Headend Firewall

same-security-traffic permit intra-interface

access-list extended permit ip 10.2.2.0 255.255.255.0

Remote Firewall

access-list extended permit ip 10.2.2.0 255.255.255.0

access-list extended permit ip 10.2.2.0 255.255.255.0

Also, if you are split tunnelling you need to add the remote subnet to be tunneled.

Please rate helpful posts.
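
The entries described in the reply above, written out in full as an added example (not part of the original post), for the case where the headend runs 7.x. The VPN client pool 192.168.100.0/24 and the ACL names CRYPTO_L2L, NONAT and SPLIT_TUNNEL are assumptions; the ACLs are assumed to be already referenced by the existing `crypto map ... match address`, `nat (inside) 0 access-list` and split-tunnel settings.

```cisco
! Added example. Assumptions (not from the thread): VPN client pool
! 192.168.100.0/24 and the ACL names CRYPTO_L2L, NONAT, SPLIT_TUNNEL.
! 10.2.2.0/24 is the site-to-site subnet named in the question.

! ---- Headend firewall (7.x, terminates the remote access VPN) ----
! Allow traffic to leave the interface it arrived on
! (remote access client -> site-to-site tunnel).
same-security-traffic permit intra-interface

! Crypto ACL of the site-to-site tunnel: add client pool -> remote LAN.
access-list CRYPTO_L2L extended permit ip 192.168.100.0 255.255.255.0 10.2.2.0 255.255.255.0

! Only if split tunnelling is in use: add the remote LAN to the
! networks the client sends through the tunnel.
access-list SPLIT_TUNNEL standard permit 10.2.2.0 255.255.255.0

! ---- Remote firewall (10.2.2.0/24 side) ----
! NAT exemption ACL: remote LAN -> client pool is not translated.
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 192.168.100.0 255.255.255.0

! Crypto ACL: mirror image of the headend entry.
access-list CRYPTO_L2L extended permit ip 10.2.2.0 255.255.255.0 192.168.100.0 255.255.255.0
```

Keeping each entry scoped to the client pool and 10.2.2.0/24, rather than `any`, limits the hairpinned path to the two networks that need it. The crypto ACL entries on the two firewalls must mirror each other.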

BTW, realized I was using the wrong account.

Thank you!

PIX 506E (6.3) is local, PIX 515E (7.0) is remote.

I am getting "Command failed" when I attempt to execute:

same-security-traffic permit intra-interface

Thoughts?

Sorry, it won't work that way with PIX 6.

Is there another option besides using two different remote access VPNs for each client?

Not that I know of. The problem is version 6 will not let you U-turn traffic out the same interface it arrived on. It would work if the version 7 was headend and version 6 was at remote site.

Is it possible to upgrade the v. 6 to v. 7?

The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.

Hi

Do you have a router behind your PIX 506 or is it just a single subnet behind the PIX?

Jon

Just a single subnet behind the PIX.
