
Remote VPN Problem

hai_nit2
Level 1

Hi,

My issue is that after I connect from outside to my office network through the Cisco VPN client, I am not able to access or ping my USA site-to-site VPN tunnel IP. I attached my configuration.

Thanks in advance for your quick response.

Nitin


singhsaju
Level 4

Nitin,

If I understand you correctly, you are trying to access the remote private network through the site-to-site tunnel. If yes, then you will have to modify the crypto ACL to permit VPN client traffic. A mirror image of this ACL will have to be added to the crypto ACL at the remote end also.

access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 host 169.1.1.1

access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 host 169.1.2.11

access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 169.1.24.0 255.255.255.0

access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 host 169.10.33.58

access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 host 169.11.99.11

access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 169.14.246.0 255.255.255.0

HTH

Saju

Pls rate helpful posts

Hi Saju,

Thanks,

Let me explain my whole network. I have one site-to-site tunnel for my USA client; that IP is 169.X.X.X. From the office we access that tunnel. Now I have configured remote VPN for my home users. My office inside IP is 192.168.2.X, and once I connect from home through the Cisco VPN client, my IP is 192.168.3.X, which I set as the IP pool in the ASA. Now 192.168.3.X and 192.168.2.X are communicating properly, but I also need to access my tunnel IP 169.1.X.X from 192.168.3.X (home).

202.92.X.X is my static public IP, which is permitted on the client side for the tunnel.

Thanks,

Nitin

Hi Nitin,

You will have to permit 169.1.X.X in the split tunnel access list and also in the crypto ACL of the site-to-site tunnel, as I mentioned in my previous post. You will also have to mirror those crypto ACLs on the remote VPN device for the site-to-site tunnel.

Since you already have "same-security-traffic permit intra-interface", the traffic from the VPN client will be redirected to the site-to-site tunnel and will not be NAT'ed to the public IP (202.92.X.X). So the source of the packet would be the VPN pool IP and not the public IP.

HTH

Saju

Pls rate helpful posts

I am very thankful to you for giving me your time. I created the crypto ACL according to your mail above, but Saju, I am still not able to access the tunnel IP (169.14.1.0/24) from my home. I am sending my current config again with what I changed according to your suggestion. Please check once again and let me know if there is any hope ;-).

Thanks again

Nitin

Thanks Saju, but if anyone else can help me regarding my above-mentioned matter, it would be great.

Thanks for your kind support.

Nitin

Hello Nitin,

You are still missing the following lines in your config:

access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 169.14.1.0 255.255.255.0

access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 host 169.10.1.1

access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 host 169.11.2.1

You have to add a mirror image of these ACL statements on the remote L2L VPN device also.

HTH

Saju

Pls rate helpful posts
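
The "mirror image" step from the replies above, as an added example (not code from the thread or from Cisco): a Python helper that swaps source and destination in each extended crypto ACL entry to produce the remote peer's entries, and reports entries it cannot parse, such as one with the protocol keyword omitted. The function names, the optional remote ACL name and the sample list are assumptions; the third sample line is constructed with the protocol left out.

```python
import ipaddress

def _is_ip(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def take_addr(tokens):
    """Split one ASA address spec ('any', 'host A' or 'NET MASK') off the front."""
    if tokens and tokens[0] in ("any", "any4"):
        return tokens[:1], tokens[1:]
    if len(tokens) < 2:
        raise ValueError("incomplete address")
    if tokens[0] == "host":
        ipaddress.IPv4Address(tokens[1])
    else:
        ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}")  # rejects bad masks and host bits
    return tokens[:2], tokens[2:]

def mirror_ace(line, remote_acl=None):
    """Return the remote peer's mirror of one extended entry (source and destination swapped)."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] != "extended" or t[3] not in ("permit", "deny"):
        raise ValueError("not an extended access-list entry")
    if t[4] in ("host", "any", "any4") or _is_ip(t[4]):
        raise ValueError("protocol keyword (e.g. ip) missing before the source")
    src, rest = take_addr(t[5:])
    dst, rest = take_addr(rest)
    if rest:
        raise ValueError("ports/options are outside this sketch")
    return " ".join(["access-list", remote_acl or t[1], "extended", t[3], t[4]] + dst + src)

def mirror_acl(lines, remote_acl=None):
    """Mirror every entry; collect (line, reason) for entries that cannot be mirrored."""
    mirrored, problems = [], []
    for line in filter(str.strip, lines):
        try:
            mirrored.append(mirror_ace(line, remote_acl))
        except ValueError as exc:
            problems.append((line.strip(), str(exc)))
    return mirrored, problems
# Constructed sample: two entries in the thread's format, one with the protocol omitted.
SAMPLE = [
    "access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 169.14.1.0 255.255.255.0",
    "access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 host 169.10.1.1",
    "access-list A_Tunnel extended permit 192.168.3.0 255.255.255.0 host 169.11.2.1",
]
```

Calling `mirror_acl(SAMPLE, remote_acl="REMOTE_TUNNEL")` (a hypothetical ACL name on the remote device) returns the two mirrored entries and one reported problem for the entry without a protocol.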
