Another Remote Access VPN to Site-to-Site VPN Thread

Answered Question
Aug 2nd, 2007

Hello all, I'm trying to give my Cisco VPN Client remote users access to our branch office which is connected successfully to the main office via a site-to-site VPN tunnel.

VPN IP Pool: 10.0.2.0

Main Office: 10.0.1.0

Branch Office: 192.168.0.0

After reading the threads here I've implemented the following:

Head Firewall: (ASA5510, 7.1.2, 5.12)

same-security-traffic permit intra-interface

add vpn pool to interesting traffic on tunnel

add vpn pool to crypto access list

add branch network to split tunnel

Remote Firewall: (PIX 501, 6.3.5, 3.0.4)

add vpn pool to interesting traffic on tunnel

add vpn pool to crypto access list

add vpn pool to nat exemption acl

While viewing debug I can see the ASA building TCP connections to the branch office network, but I don't get any connection or action on the remote firewall.

Any ideas? Relevant configuration is attached.

Correct Answer by acomiskey, Thu, 08/02/2007 - 12:22

The two statements below are the same acl.

add vpn pool to interesting traffic on tunnel

add vpn pool to crypto access list

The config looks ok to me. On the remote 501 you should have something like this

access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0

nat (inside) 0 access-list nonat

access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0

crypto map newmap 10 match address 100

Is that about what you have?

Have you rebooted the 501?

Please rate helpful posts.
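The answer above boils down to one check on the remote PIX: the VPN pool (10.0.2.0/24) must appear, paired with the branch LAN, in both the ACL bound by `nat (inside) 0` and the ACL referenced by the crypto map, otherwise the return traffic is either NATed or not treated as interesting. The script below is an added example, not part of this thread or of any Cisco tool: it parses the `access-list ... permit ip` lines from a PIX 6.3-style config (the sample text is constructed from the answer's own lines), follows the `nat 0` and `crypto map ... match address` references, and reports which remote network is missing from which ACL. It only understands plain network/mask entries (no object-groups, no `host` keyword) and says nothing about the ASA side of the tunnel.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the lines given in the answer (complete case).
SAMPLE_CONFIG = """
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto map newmap 10 match address 100
"""

# Constructed variant: the VPN pool was added to the nat-exemption ACL but
# forgotten in the crypto ACL, so pool traffic never becomes "interesting".
BROKEN_CONFIG = """
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
crypto map newmap 10 match address 100
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)\s*$")
CRYPTO_RE = re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)\s*$")


def parse_config(text):
    """Return (acls, nat0_names, crypto_names).

    acls maps an ACL name to a list of (src_network, dst_network) tuples taken
    from its 'permit ip' entries; nat0_names / crypto_names are the ACL names
    referenced by 'nat (...) 0 access-list' and 'crypto map ... match address'.
    """
    acls = defaultdict(list)
    nat0_names, crypto_names = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            # ipaddress accepts dotted netmasks in the "addr/mask" form.
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}"),
                               ipaddress.ip_network(f"{dst}/{dmask}")))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0_names.add(m.group(1))
            continue
        m = CRYPTO_RE.match(line)
        if m:
            crypto_names.add(m.group(1))
    return acls, nat0_names, crypto_names


def acl_covers(entries, src, dst):
    """True if some permit-ip entry covers the whole src -> dst pair."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def missing_pairs(text, local_net, remote_nets):
    """List (acl_kind, remote_net) pairs that lack a covering entry.

    acl_kind is 'nat0' or 'crypto'; an empty list means both ACLs cover every
    local -> remote pair, which is what the answer above asks for.
    """
    acls, nat0_names, crypto_names = parse_config(text)
    local = ipaddress.ip_network(local_net)
    problems = []
    for kind, names in (("nat0", nat0_names), ("crypto", crypto_names)):
        if not names:
            problems.append((kind, "no ACL bound"))
            continue
        entries = [e for n in names for e in acls.get(n, [])]
        for remote in remote_nets:
            if not acl_covers(entries, local, ipaddress.ip_network(remote)):
                problems.append((kind, remote))
    return problems


if __name__ == "__main__":
    branch, targets = "192.168.0.0/24", ["10.0.1.0/24", "10.0.2.0/24"]
    print("sample :", missing_pairs(SAMPLE_CONFIG, branch, targets))
    print("broken :", missing_pairs(BROKEN_CONFIG, branch, targets))
```

Run it against the relevant lines of `show running-config` from the remote PIX; an empty list for both the nat-exemption and crypto ACLs means the configuration matches what the answer describes, and any remaining problem is elsewhere (the ASA side, or, as it turned out in this thread, a reload of the 501).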


LouisBHirst Thu, 08/02/2007 - 13:12

Reload of the 501 was a good call. I'm pretty sure that fixed it.

Thanks!