VPN users can't access network on L2L tunnel

netadmin
Level 1

We have a VPN concentrator that has an L2L connection that connects our office with another location. We also have users connect into our office using the Cisco client. There has recently been a need for the users to VPN and access a network on the L2L tunnel but they can't access it. I'm having problems wrapping my head around what I need to do to allow this. Since they are both terminating at the concentrator it seems that the concentrator should know how to handle the traffic.

Accepted Solutions

ajagadee
Cisco Employee

Hi,

Have you included the VPN Pool of IP Addresses in the Lan to Lan Tunnel Interesting Traffic? Also, make sure that the remote site IPSEC ACLs and routing are updated after you make the changes on your side.

Regards,

Arul

*Pls rate if it helps*

3 Replies

andrew.prince
Level 10

Basically, AFAIK the concentrator will not allow VPN clients to access the L2L network unless specifically configured. There is a solution on PIX/ASA called "Hair-pinning". Not sure if you can do this in a concentrator.

HTH

John Blakley
VIP Alumni

Let's say that your VPN users get:

192.168.100.0

and your L2L users are on the:

10.10.10.0

You will need to configure your group policy for the dial-in users to be able to access the 10.10.10.0 network. If they tunnel everything, this won't be a problem. Now, you will need to change the ACL on the other end of the L2L tunnel, and allow them to get to the 10.10.10.0 network. What I suspect is happening is that the VPN clients are getting to the L2L side, but the traffic is dropping because the L2L side doesn't know how to get back to your VPN client.

You'll need to change the ACL on the client end of the L2L tunnel and the tunnel policy that the concentrator uses to allow the VPN clients range.

HTH,

John
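
Added example, not part of the thread or of any Cisco tooling: a small Python check that the interesting-traffic definitions on both ends of the L2L tunnel cover the VPN pool in both directions, which is the condition the replies above describe. The pool and remote network come from the post; the /24 masks, the office LAN `172.16.1.0/24`, and the function names are assumptions made for illustration.

```python
from ipaddress import ip_network

# Networks from the post above; /24 masks are assumed.
VPN_POOL = ip_network("192.168.100.0/24")
REMOTE_NET = ip_network("10.10.10.0/24")
# Constructed placeholder for the office LAN behind the concentrator.
OFFICE_LAN = ip_network("172.16.1.0/24")


def covers(selectors, src, dst):
    """True if some (local, remote) selector pair contains the src -> dst flow."""
    return any(src.subnet_of(loc) and dst.subnet_of(rem) for loc, rem in selectors)


def audit(hub_selectors, spoke_selectors, src=VPN_POOL, dst=REMOTE_NET):
    """List the gaps that stop src reaching dst (and getting replies) over the tunnel.

    Each selector list is written from that device's point of view:
    (network behind me, network behind my peer).
    """
    gaps = []
    if not covers(hub_selectors, src, dst):
        gaps.append("concentrator: pool -> remote missing from L2L interesting traffic")
    if not covers(spoke_selectors, dst, src):
        gaps.append("remote peer: remote -> pool missing from its IPsec ACL")
    return gaps


# Constructed configurations: original tunnel, then the pool added on each side.
HUB_BEFORE = [(OFFICE_LAN, REMOTE_NET)]
SPOKE_BEFORE = [(REMOTE_NET, OFFICE_LAN)]
HUB_AFTER = HUB_BEFORE + [(VPN_POOL, REMOTE_NET)]
SPOKE_AFTER = SPOKE_BEFORE + [(REMOTE_NET, VPN_POOL)]

if __name__ == "__main__":
    for label, hub, spoke in [
        ("original tunnel", HUB_BEFORE, SPOKE_BEFORE),
        ("only our side updated", HUB_AFTER, SPOKE_BEFORE),
        ("both sides updated", HUB_AFTER, SPOKE_AFTER),
    ]:
        gaps = audit(hub, spoke)
        print(f"{label}: {'OK' if not gaps else '; '.join(gaps)}")
```

The middle case is the one to watch for: with only the concentrator side updated, the remote peer still has no selector for the pool, so return traffic is not protected by the tunnel.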
