site to site VPN through remote access vpn

Unanswered Question
Aug 2nd, 2008

I faced an issue of accessing site site vpn through remote access. the senario as follows:-

i logged into my private network through remote access vpn but I cannot access site to site vpn through it.

I tried alll the options .. any one can guide me... the concept to accessing site to site vpn through remoteaccess vpn... eo we need to have seperate vpn tunnel to site to site vpn... or same site to site can we route into that ooo or pix can route traffic site to site vpn through remote access vpn. Any one can give me the concept.. I just certified CCNA

i WOULD BE greate ful to you

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Marwan ALshawi Sat, 08/02/2008 - 22:00

first u havnt mentioned the site to site between pix and router or ASA

any way the general idea is

first on the hub vpn termination device(the device that u connect to through ur remote access vpn)

u should have accesst list that match traffic from that network to the other site network

the ACL called interesting taffic

add to this ACL another line that include the vpn remote access Ip address pool range

lets say ur vpn pool is 192.168.1.0/24 and the remote site that u connect to thorugh site to site is 10.1.1.0/24

and the hub private network where u r connecting to through vpn is 20.0.0.0/24

lets say u have already acl like(for our example )

acccess-list 100 permit ip 20.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

add

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

also u should have what is called nat exmption NAT 0

here i am assuming u r using PIX or ASA version 7.x

acccess-list 101 permit ip 20.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

add

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (iside) 0 access-list 101

there is important command that u should add it on the hub firewall to allow the connection inter and exit the same interface which is:

same-security-traffic intra-interface

command in the global configuration mode

now what u have to do on the remote site

is to permit the returning traffic as follow

add a line to the existed vpn ACL as above that going to the hub site

add one sourced from the remote network in our example 20.0.0./24 and going to vpn pool 192.168.1.0/24

laso the same idea do it for the NAT 0

and should work

and the following link will guid u step-by-step to achive ur case

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

if u use router check the following

http://www.cisco.com/en/US/products/ps9403/products_configuration_example09186a00809c7171.shtml

good luck

Please, Rate if helpful

Actions

This Discussion