VPN users can't access network on L2L tunnel

Answered Question
Dec 6th, 2008

We have a VPN concentrator that has a L2L connection that connects our office with another location. We also have users connect into our office using the Cisco client. There has recently been a need for the users to VPN and access a network on the L2L tunnel but they can't access it. I'm having problems wrapping my head around what I need to do to allow this. Since they are both terminating at the concentrator it seems that the concentrator should know how to handle the traffic.


Overall Rating: 5 (3 ratings)
andrew.prince@m... Tue, 12/09/2008 - 02:09
User Badges:
  • Green, 3000 points or more

Basically, AFAIK the concentrator will not allow VPN clients to access the L2L network unless specifically configured. There is a solution on PIX/ASA called "Hair-pinning". Not sure if you can do this in a concentrator.


HTH

Correct Answer
ajagadee Tue, 12/09/2008 - 07:54
User Badges:
  • Cisco Employee,

Hi,


Have you included the VPN Pool of IP Addresses in the LAN-to-LAN Tunnel Interesting Traffic? Also, make sure that the remote site IPSEC ACLs and routing are updated after you make the changes on your side.


Regards,

Arul


*Pls rate if it helps*

John Blakley Tue, 12/09/2008 - 12:06
User Badges:
  • Purple, 4500 points or more

Let's say that your VPN users get 192.168.100.0 and your L2L users are on the 10.10.10.0 network.


You will need to configure your group policy for the dial-in users to be able to access the 10.10.10.0 network. If they tunnel everything, this won't be a problem. Now, you will need to change the ACL on the other end of the L2L tunnel, and allow them to get to the 10.10.10.0 network. What I suspect is happening is that the VPN clients are getting to the L2L side, but the traffic is dropping because the L2L side doesn't know how to get back to your VPN client.


You'll need to change the ACL on the client end of the L2L tunnel and the tunnel policy that the concentrator uses to allow the VPN clients range.


HTH,


John
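Both accepted points in this thread (Arul's "include the VPN pool in the L2L interesting traffic" and John's "change the ACL on the other end so it knows how to get back to your VPN client") come down to one property: the crypto ACL on each end of the L2L tunnel must cover the client pool, and the two ACLs must be mirror images. The following is an added checker written for this page, not code from the thread or from Cisco. It parses simplified ASA/PIX-style `permit ip` lines and reports whether pool-to-remote traffic is covered locally, whether the return direction is covered on the peer, and which local entries have no mirror on the remote side. The thread gives 192.168.100.0 and 10.10.10.0 without masks, so /24 is assumed; the office LAN 192.168.1.0/24 and the ACL names are constructed placeholders. Hairpinning (on an ASA, `same-security-traffic permit intra-interface`), split-tunnel lists and the remote site's routing are outside what this check models.

```python
"""Crypto-ACL coverage check for remote-access clients that must reach a
network behind a LAN-to-LAN (L2L) IPsec tunnel on the same gateway.

Added example for this thread; ACL syntax is simplified ASA/PIX style and all
addresses/masks below are constructed or assumed (see comments)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Iterable, List, Dict


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip' line of a crypto (interesting-traffic) ACL."""
    src: IPv4Network
    dst: IPv4Network


def _net(addr: str, mask: str) -> IPv4Network:
    """Turn an ASA/PIX 'address subnet-mask' pair into a network object."""
    return ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(lines: Iterable[str]) -> List[AclEntry]:
    """Parse lines like 'access-list NAME extended permit ip SRC MASK DST MASK'.
    'any' and 'host X' are accepted; blank lines and '!' comments are skipped."""
    entries: List[AclEntry] = []
    for raw in lines:
        line = raw.split("!")[0].strip()
        if not line:
            continue
        tok = line.split()
        if "permit" not in tok or tok[tok.index("permit") + 1] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        i = tok.index("permit") + 2
        nets: List[IPv4Network] = []
        while i < len(tok):
            if tok[i] == "any":
                nets.append(ip_network("0.0.0.0/0"))
                i += 1
            elif tok[i] == "host":
                nets.append(ip_network(f"{tok[i + 1]}/32"))
                i += 2
            else:
                nets.append(_net(tok[i], tok[i + 1]))
                i += 2
        if len(nets) != 2:
            raise ValueError(f"expected source and destination in: {line}")
        entries.append(AclEntry(nets[0], nets[1]))
    return entries


def covers(acl: List[AclEntry], src: IPv4Network, dst: IPv4Network) -> bool:
    """True if some entry permits all traffic from src to dst."""
    return any(src.subnet_of(e.src) and dst.subnet_of(e.dst) for e in acl)


def unmirrored(local_acl: List[AclEntry], remote_acl: List[AclEntry]) -> List[AclEntry]:
    """Local entries whose reverse direction the peer's crypto ACL does not
    permit. Traffic matching these is encrypted here but the peer has no
    matching proxy identity for it, and will not send the return traffic
    back into the tunnel."""
    return [e for e in local_acl if not covers(remote_acl, e.dst, e.src)]


def client_path_ok(local_acl, remote_acl, pool: IPv4Network, target: IPv4Network) -> Dict[str, bool]:
    """Both halves of the VPN-client -> L2L-network path described in the thread."""
    return {
        "local_encrypts_pool_to_target": covers(local_acl, pool, target),
        "remote_returns_target_to_pool": covers(remote_acl, target, pool),
    }


# Constructed sample. The thread gives 192.168.100.0 (client pool) and
# 10.10.10.0 (network behind the L2L peer) with no masks; /24 is assumed.
# 192.168.1.0/24 (office LAN) and the ACL names are placeholders.
POOL = ip_network("192.168.100.0/24")
REMOTE_LAN = ip_network("10.10.10.0/24")

# Original state: only the office LAN is interesting traffic on both ends.
BEFORE_LOCAL = parse_acl([
    "access-list L2L-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0",
])
BEFORE_REMOTE = parse_acl([
    "access-list TO-OFFICE extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0",
])

# The fix from the answers: add the VPN pool locally, and its mirror remotely.
AFTER_LOCAL = BEFORE_LOCAL + parse_acl([
    "access-list L2L-TRAFFIC extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0",
])
AFTER_REMOTE = BEFORE_REMOTE + parse_acl([
    "access-list TO-OFFICE extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0",
])

if __name__ == "__main__":
    print("before:      ", client_path_ok(BEFORE_LOCAL, BEFORE_REMOTE, POOL, REMOTE_LAN))
    print("local-only fix, entries the peer does not mirror:", unmirrored(AFTER_LOCAL, BEFORE_REMOTE))
    print("after:       ", client_path_ok(AFTER_LOCAL, AFTER_REMOTE, POOL, REMOTE_LAN))
```

The half-fixed case (pool added locally, remote ACL unchanged) is the one John describes: the client's packets are encrypted and reach the L2L side, but the peer has no matching entry for the return direction, so the reply never enters the tunnel. Running the checker against both ends' configurations before changing anything shows which of the two ACLs is the one missing the pool.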
