
Communicating between remote access VPN subnets

jgorman1977
Level 1

I have two remote VPN subnets that need to communicate. I have my access list as

access-list No-NAT extended permit ip 172.16.140.0 255.255.255.0 172.18.3.0 255.255.255.0

However, this does not seem to do the trick. Could these VPNs be terminating on different interfaces, such as one external, one DMZ?

Thanks in advance

6 Replies

Olivier Jessel
Level 1

Hi,

Have you also set up an ACL allowing the traffic to this remote subnet 172.18.3.0/24?

CCIE #44658

I do have the ACL

access-list Internal line 40 extended permit ip 172.16.0.0 255.255.0.0 172.18.3.0 255.255.255.128 (hitcnt=0) 0x92cd7baf

Thanks

No hit count... are you sure that no previous statement of this ACL denies the traffic?

Is your VPN up? IPsec or GRE?

CCIE #44658

Both are IPsec and both are up. The 172.16.140.0/24 subnet is our VPN client subnet to the ASA and the 172.18.3.0/24 subnet is Cisco 871s terminating to the ASA.

If I understand correctly, both are remote...

Have you configured split-tunneling?

CCIE #44658

Yes, they are both remote. I have the following split-tunnel ACL:

access-list Indy-Remote_splitTunnelAcl_1 line 28 extended permit ip 172.18.0.0 255.255.0.0 172.16.140.0 255.255.255.0 (hitcnt=0) 0x5a58ce89

The main issue is I have users on the 172.18 subnet using IP Communicator trying to contact users on the 172.16 subnet also using IP Communicator. They cannot hear each other. The Call Manager server is located with the ASA, so I wouldn't think there would be enough delay to the packets to cause this issue.

Thanks again.
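
An added example, not written by any participant in the thread: a Python check of how the three ACL entries quoted above cover traffic between 172.16.140.0/24 and 172.18.3.0/24 in each direction. It compares addresses only and assumes nothing about where each ACL is applied; the function names are illustrative.

```python
import ipaddress

# ACL entries as quoted in the thread (hit counters and hashes dropped).
ACL_LINES = [
    "access-list No-NAT extended permit ip 172.16.140.0 255.255.255.0 172.18.3.0 255.255.255.0",
    "access-list Internal line 40 extended permit ip 172.16.0.0 255.255.0.0 172.18.3.0 255.255.255.128",
    "access-list Indy-Remote_splitTunnelAcl_1 line 28 extended permit ip 172.18.0.0 255.255.0.0 172.16.140.0 255.255.255.0",
]

def parse_ace(line):
    """Return (name, action, src_net, dst_net) for a 'network mask' style entry."""
    tok = line.split()
    i = tok.index("extended")  # skips the optional 'line N' tokens
    src = ipaddress.ip_network(f"{tok[i + 3]}/{tok[i + 4]}")
    dst = ipaddress.ip_network(f"{tok[i + 5]}/{tok[i + 6]}")
    return tok[1], tok[i + 1], src, dst

def coverage(ace, src, dst):
    """Classify how one entry matches the flow src -> dst: full, partial or none."""
    _, _, a_src, a_dst = ace
    if src.subnet_of(a_src) and dst.subnet_of(a_dst):
        return "full"
    if src.overlaps(a_src) and dst.overlaps(a_dst):
        return "partial"  # only some hosts of the flow are matched
    return "none"

def report(lines, net_a, net_b):
    """Per ACL name, coverage of net_a -> net_b and of net_b -> net_a."""
    a, b = ipaddress.ip_network(net_a), ipaddress.ip_network(net_b)
    result = {}
    for line in lines:
        ace = parse_ace(line)
        result[ace[0]] = {
            "a_to_b": coverage(ace, a, b),
            "b_to_a": coverage(ace, b, a),
        }
    return result

if __name__ == "__main__":
    # The Internal entry's 255.255.255.128 mask matches only 172.18.3.0-127,
    # so it is reported as partial for the /24.
    for name, cov in report(ACL_LINES, "172.16.140.0/24", "172.18.3.0/24").items():
        print(f"{name}: 172.16.140.0/24 -> 172.18.3.0/24 {cov['a_to_b']}, "
              f"reverse {cov['b_to_a']}")
```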
