08-02-2008 05:22 PM
I faced an issue accessing a site-to-site VPN through remote access. The scenario is as follows:
I logged into my private network through remote-access VPN, but I cannot access the site-to-site VPN through it.
I tried all the options. Can anyone guide me on the concept of accessing a site-to-site VPN through a remote-access VPN? Do we need a separate VPN tunnel to the site-to-site VPN, or can the same site-to-site be routed into it, or can the PIX route traffic to the site-to-site VPN through the remote-access VPN? Can anyone give me the concept? I just got CCNA certified.
I would be grateful to you.
08-02-2008 10:00 PM
First, you haven't mentioned whether the site-to-site is between PIX and router or ASA.
Anyway, the general idea is:
First, on the hub VPN termination device (the device that you connect to through your remote-access VPN),
you should have an access list that matches traffic from that network to the other site's network.
This ACL is called the interesting traffic.
Add to this ACL another line that includes the VPN remote-access IP address pool range.
Let's say your VPN pool is 192.168.1.0/24 and the remote site that you connect to through site-to-site is 10.1.1.0/24,
and the hub private network where you are connecting to through VPN is 20.0.0.0/24.
Let's say you already have an ACL like (for our example):
access-list 100 permit ip 20.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
add
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
Also, you should have what is called NAT exemption (NAT 0).
Here I am assuming you are using PIX or ASA version 7.x.
access-list 101 permit ip 20.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
add
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
There is an important command that you should add on the hub firewall to allow the connection to enter and exit the same interface, which is:
same-security-traffic permit intra-interface
(a command in global configuration mode).
Now, what you have to do on the remote site
is to permit the returning traffic as follows:
Add a line to the existing VPN ACL, as above, for traffic going to the hub site:
add one sourced from the remote network, in our example 20.0.0.0/24, going to the VPN pool 192.168.1.0/24.
Also do the same for the NAT 0.
And it should work.
The following link will guide you step by step to achieve your case:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
If you use a router, check the following:
http://www.cisco.com/en/US/products/ps9403/products_configuration_example09186a00809c7171.shtml
Good luck
Please, Rate if helpful