Site-to-site VPN through remote-access VPN

Unanswered Question
Aug 2nd, 2008
I faced an issue accessing a site-to-site VPN through remote access. The scenario is as follows:

I logged into my private network through the remote-access VPN, but I cannot access the site-to-site VPN through it.

I tried all the options. Can anyone guide me on the concept of accessing a site-to-site VPN through a remote-access VPN? Do we need a separate VPN tunnel to the site-to-site VPN, or can the same site-to-site tunnel route that traffic, or can the PIX route traffic to the site-to-site VPN through the remote-access VPN? Can anyone give me the concept? I just got CCNA certified.

I would be grateful to you.


Marwan ALshawi Sat, 08/02/2008 - 22:00

First, you haven't mentioned whether the site-to-site is between a PIX and a router or an ASA.

Anyway, the general idea is:

First, on the hub VPN termination device (the device that you connect to through your remote-access VPN),

you should have an access list that matches traffic from that network to the other site's network.

This ACL is called the interesting traffic.

Add to this ACL another line that includes the VPN remote-access IP address pool range.

Let's say your VPN pool is 192.168.1.0/24 and the remote site that you connect to through site-to-site is 10.1.1.0/24,

and the hub private network where you are connecting to through VPN is 20.0.0.0/24.


Let's say you already have an ACL like this (for our example):

access-list 100 permit ip 20.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

Add:

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0


Also, you should have what is called NAT exemption (NAT 0).

Here I am assuming you are using PIX or ASA version 7.x.

access-list 101 permit ip 20.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

Add:

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list 101


There is an important command that you should add on the hub firewall to allow the connection to enter and exit the same interface, which is:

same-security-traffic permit intra-interface

in global configuration mode.


Now what you have to do on the remote site is to permit the returning traffic, as follows:

Add a line to the existing VPN ACL, like the one above, that goes to the hub site:

add one sourced from the remote network (in our example 20.0.0.0/24) and going to the VPN pool 192.168.1.0/24.

Also, do the same for the NAT 0.

And it should work.


And the following link will guide you step by step to achieve your case:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml


If you use a router, check the following:


http://www.cisco.com/en/US/products/ps9403/products_configuration_example09186a00809c7171.shtml


Good luck.


Please, Rate if helpful
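As an added example (not part of the reply above or of any Cisco tool), a small Python checker that encodes the conditions the reply lists for hairpinning remote-access traffic into the site-to-site tunnel: the hub's crypto ACL and NAT 0 ACL must both cover pool -> remote, the spoke's crypto ACL must cover the mirror remote -> pool, and intra-interface traffic must be permitted. The ASA-style ACL snippets are constructed, with the NAT 0 line and the spoke mirror deliberately left out so the audit reports them; the intra-interface setting is passed in as a flag rather than parsed.

```python
import ipaddress
import re

# Constructed sample config (not from the thread): the hub crypto ACL already
# has the pool line, the NAT 0 ACL does not, and the spoke lacks the mirror.
HUB_CRYPTO_ACL = """
access-list 100 permit ip 20.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
"""
HUB_NAT0_ACL = """
access-list 101 permit ip 20.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
"""
SPOKE_CRYPTO_ACL = """
access-list 100 permit ip 10.1.1.0 255.255.255.0 20.0.0.0 255.255.255.0
"""

# ASA/PIX extended ACE: access-list NAME permit ip SRC SRCMASK DST DSTMASK
ACE_RE = re.compile(r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_acl(text):
    """Return a list of (src_net, dst_net) pairs from the 'permit ip' ACEs."""
    pairs = []
    for m in ACE_RE.finditer(text):
        src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        pairs.append((src, dst))
    return pairs

def acl_covers(pairs, src, dst):
    """True if one ACE contains both the source and the destination network."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)

def audit_hairpin(pool, remote, hub_crypto, hub_nat0, spoke_crypto, intra_interface):
    """List what is still missing for pool -> remote traffic to ride the L2L tunnel."""
    # intra_interface stands for 'same-security-traffic permit intra-interface'
    pool, remote = ipaddress.ip_network(pool), ipaddress.ip_network(remote)
    problems = []
    if not acl_covers(parse_acl(hub_crypto), pool, remote):
        problems.append("hub crypto ACL lacks pool -> remote")
    if not acl_covers(parse_acl(hub_nat0), pool, remote):
        problems.append("hub NAT 0 ACL lacks pool -> remote")
    if not acl_covers(parse_acl(spoke_crypto), remote, pool):
        problems.append("spoke crypto ACL lacks remote -> pool (mirror)")
    if not intra_interface:
        problems.append("same-security-traffic permit intra-interface not set")
    return problems
```

Running `audit_hairpin("192.168.1.0/24", "10.1.1.0/24", HUB_CRYPTO_ACL, HUB_NAT0_ACL, SPOKE_CRYPTO_ACL, True)` on the constructed config reports the missing NAT 0 line and the missing spoke mirror entry.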
