Another Remote Access VPN to Site-to-Site VPN Thread

Answered Question
Aug 2nd, 2007

Hello all, I'm trying to give my Cisco VPN Client remote users access to our branch office which is connected successfully to the main office via a site-to-site VPN tunnel.


VPN IP Pool: 10.0.2.0

Main Office: 10.0.1.0

Branch Office: 192.168.0.0


After reading the threads here I've implemented the following:


Head Firewall: (ASA5510, 7.1.2, 5.12)

same-security-traffic permit intra-interface

add vpn pool to interesting traffic on tunnel

add vpn pool to crypto access list

add branch network to split tunnel


Remote Firewall: (PIX 501, 6.3.5, 3.0.4)

add vpn pool to interesting traffic on tunnel

add vpn pool to crypto access list

add vpn pool to nat exemption acl


While viewing debug I can see the ASA building TCP connections to the branch office network, but I don't get any connection or action on the remote firewall.


Any ideas? Relevant configuration is attached.




Correct Answer by acomiskey, Thu, 08/02/2007 - 12:22

The two statements below are the same acl.

add vpn pool to interesting traffic on tunnel

add vpn pool to crypto access list



The config looks ok to me. On the remote 501 you should have something like this


access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0

nat (inside) 0 access-list nonat


access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0

crypto map newmap 10 match address 100


Is that about what you have?


Have you rebooted the 501?


Please rate helpful posts.
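
The two step lists in the question and the PIX 501 lines in the answer come down to one requirement: each end's crypto ACL must be the mirror image of the other end's, every crypto-ACL pair must also be NAT-exempt on the box where it is defined (NAT is applied before the crypto map is consulted, so a translated packet never matches the tunnel), and the end that hairpins pool traffic in and out of the same interface needs `same-security-traffic permit intra-interface`. The script below is an added example and is not from the thread or from Cisco. It parses the remote PIX 501 fragment exactly as given in the answer, plus a constructed ASA 7.x head-end fragment matching the four bullet points in the question. The head-end ACL and crypto-map names (`outside_cryptomap`, `inside_nat0`, `outside_nat0`, `outside_map`) are assumptions, not taken from the poster's attached configuration, as is the `nat (outside) 0` exemption for the hairpinned pool traffic.

```python
"""Cross-check both ends of a site-to-site tunnel that also carries a
remote-access VPN pool.  Added example, not from the original thread.
Head-end ACL/crypto-map names are assumed."""
import ipaddress
import re

# Only "permit ip NET MASK NET MASK" entries are parsed, which is the form
# both the crypto ACL and the NAT-exemption ACL take in this thread; entries
# using "host", object-groups or port matches are ignored by this check.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(?P<acl>\S+)$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(?P<acl>\S+)$")
INTRA_LINE = "same-security-traffic permit intra-interface"


def parse_config(text):
    """ACL entries, crypto-map ACL names, NAT-0 ACL names and the
    intra-interface flag from a PIX 6.3 / ASA 7.x style configuration."""
    acls, crypto_acls, nat0_acls, intra = {}, set(), set(), False
    for line in text.splitlines():
        line = line.strip()
        if (m := ACL_RE.match(line)):
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            acls.setdefault(m["name"], []).append((src, dst))
        elif (m := MATCH_RE.match(line)):
            crypto_acls.add(m["acl"])
        elif (m := NAT0_RE.match(line)):
            nat0_acls.add(m["acl"])
        elif line == INTRA_LINE:
            intra = True
    return {"acls": acls, "crypto": crypto_acls, "nat0": nat0_acls, "intra": intra}


def pairs(cfg, acl_names):
    """All (src, dst) pairs in the named ACLs; an unreferenced name is empty."""
    return {p for name in acl_names for p in cfg["acls"].get(name, [])}


def covered(src, dst, nat0):
    """True if some NAT-exemption entry covers src -> dst (supernets count)."""
    return any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat0)


def check_tunnel(head_text, remote_text, pool):
    """Return a list of findings; an empty list means the two ends agree."""
    pool = ipaddress.ip_network(pool)
    ends = {"head-end": parse_config(head_text), "remote": parse_config(remote_text)}
    findings = []
    for side, cfg in ends.items():
        peer_name = "remote" if side == "head-end" else "head-end"
        peer = ends[peer_name]
        crypto, nat0 = pairs(cfg, cfg["crypto"]), pairs(cfg, cfg["nat0"])
        for src, dst in sorted(crypto, key=str):
            # The peer's crypto ACL must hold the mirror image, or the two
            # ends never agree on proxy IDs for this pair in phase 2.
            if (dst, src) not in pairs(peer, peer["crypto"]):
                findings.append(f"{peer_name}: crypto ACL has no mirror of {src} -> {dst}")
            # NAT runs first: a pair in the crypto ACL that is not NAT-exempt
            # leaves with a translated source and never matches the tunnel.
            if not covered(src, dst, nat0):
                findings.append(f"{side}: {src} -> {dst} is in the crypto ACL but not NAT-exempt")
        # The end where the pool is a crypto *source* is the one that hairpins
        # pool traffic in and back out of the same interface.
        if any(src.subnet_of(pool) for src, _ in crypto) and not cfg["intra"]:
            findings.append(f"{side}: pool {pool} is a crypto source but '{INTRA_LINE}' is missing")
    return findings


# Constructed ASA 7.x head-end fragment for the four steps in the question;
# ACL and crypto-map names are assumed, not the poster's.
HEAD_END = """
same-security-traffic permit intra-interface
access-list outside_cryptomap extended permit ip 10.0.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.0.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0 extended permit ip 10.0.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0 extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_nat0 extended permit ip 10.0.2.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
nat (outside) 0 access-list outside_nat0
crypto map outside_map 10 match address outside_cryptomap
"""

# Remote PIX 501 fragment as given in the answer.
REMOTE = """
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto map newmap 10 match address 100
"""

# Constructed failure case: the pool was added to the crypto ACL but the
# "add vpn pool to nat exemption acl" step was skipped.
REMOTE_NO_NAT0 = REMOTE.replace(
    "access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0\n", "")

if __name__ == "__main__":
    for label, remote in (("as answered", REMOTE), ("missing NAT exemption", REMOTE_NO_NAT0)):
        print(f"{label}: {check_tunnel(HEAD_END, remote, '10.0.2.0/24') or 'OK'}")
```

Run against the answer's lines it reports nothing; drop the pool line from `nonat` and it reports the remote pair that will be translated before the crypto map sees it, which is the silent failure this thread describes (the head end builds the connection, the remote never sees interesting traffic). The mirror check catches the other common slip, a pool line added at only one end.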


LouisBHirst Thu, 08/02/2007 - 13:12
User Badges:

Reload of the 501 was a good call. I'm pretty sure that fixed it.


Thanks!
