cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
473
Views
0
Helpful
5
Replies

Remote VPN ! site-to-site

curt-wwwww
Level 1
Level 1

Remoe VPN client cannot get across L2L (site-to-site) tunnel after making connection.

Topology:

[remote]->[ASA1]-><L2L}->[ASA2]->LAN2

The problem is at the remote client, which is using Cisco VPN client.

Remote client connection is made fine to [ASA1].

Problem is that remote client does not know route to network LAN2 and dumps traffic off to its default gateway rather than directing it to [ASA1] for forwarding to [ASA2]. ([ASA1] and [ASA2], of course, know about each other.)

Cisco VPN client has capability of being "told" subsequent routes (Status->statistics->Route details).

As I see it, the client must get this info from the ASA to which it makes its remote VPN connection.

The advice I am hoping for is the CLI or ASDM syntax I need to apply to get the ASA to provide this route information.

TIA

5 Replies 5

acomiskey
Level 10
Level 10

curt,

As long as you are not split tunneling the traffic from the client it should arrive at ASA1. Then it is up to ASA1 to send the traffic over the tunnel to ASA2. You must define this traffic as interesting in ASA1 and ASA2.

ASA1

access-list extended permit ip

ASA2

access-list extended permit ip

You also need to add nat exemption on ASA2 for the vpn client subnet.

ASA2

access-list extended permit ip

Also, add this to ASA1

ASA1

same-security-traffic permit intra-interface

Adam, thank you for the comprehensive reply ... unfortunately it's not working.

1. The statements you list above were already there to facilitate the L2L.

2. I turned-off split tunneling (or think I did) and ran a test ... no joy.

This took me back to my original premise that the remote client doesn't know how to send the traffic (bound for L2L) down the remote tunnel and dumps it of to its default gateway (to the WWW).

If you're willing to look at it, I have attached screen shots of the client ipconfig and the Cisco VPN client - showing its routes.

The ipconfig seems to say that the remote connection has its default gateway, and the tunnel has none.

The VPN client screen shows it knows a route (192.168.5.0/24) to the ASA, but nothing beyond. The ASA does, in fact, know about the network (10.64.0.0/16) at the other end of the L2L.

As I see it, if I can find a way to get the ASA to advertise this route to the VPN client, the problem might be solved. The client will then know to forward the traffic to the ASA instead of dumping it to the default gateway.

TIA

Just set your split tunnel to tunnel all or add the 10.64.0.0/16 network to your split tunnel acl.

Your current split tunnel acl probably looks something like...

access-list split_tunnel permit ip x.x.x.x x.x.x.x 192.168.5.0 255.255.255.0

just add...

access-list split_tunnel permit ip x.x.x.x x.x.x.x 10.64.0.0 255.255.0.0

10.64.0.0/16 should then be listed in the secured routes.

I really appreciate the effort you have gone thru.

I did discover what you list here over the weekend by sledgehammer method. The routes are listed, but I still can't get connection.

By viewing debug, I can see the traffic now getting to the ASA (instead of lost) but nothing comes back. Additional sledgehammering, I tried NAT exemptions, etc. to no avail.

You've been more helpful than TAC, who hasn't gotten me as far as your advice.

Fortunately, I can work around the problem by severing the VPN connection and making a new one to the other end ... it's just inconvenient.

Again, thanks for the help. I'm just going to ask TAC for an escalation.

Post the configs from the 2 ASA's if you get a chance.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: