Remote access and site to site on the same ASA

Unanswered Question
Apr 27th, 2009

I am using an ASA 5510 for both remote access and site to site VPN. Is there a way for the remote access clients to access the remote sites via the site to site tunnels? I have included the IP address range of the remote access clients in the crypto maps for the site to site tunnels but their traffic appears to be blocked. I suppose I could set up a second ASA to handle just the remote access users but I would prefer to avoid the expense if possible.


Thanks


DialerString_2 Mon, 04/27/2009 - 11:00

Are the ACLs configured correctly, and are you permitting the traffic on the remote end? You won't need that second ASA; I have this setup in my network now. Are you using RRI (reverse route injection) for the site to site?

jhankin Mon, 04/27/2009 - 11:14
The ACLs appear to be working fine. I am passing IP traffic for all of the configured subnets with the exception of the remote access subnet. I have both ends of the tunnel configured with the RA subnet in the crypto map. I am not using reverse route injection. Actually I am not at all familiar with it. Do you think this is where I should start looking?


Thanks


DialerString_2 Mon, 04/27/2009 - 11:22

RRI only injects a static route in the ASA routing table and removes it when the tunnel is down.


Can you provide a show run access-list, show run nat, sh run crypto and a sh run tunnel?


Can you paste the ACL from the other side?

DialerString_2 Tue, 04/28/2009 - 10:43

Where is your pool of addresses for:


address-pool RemoteAccPool

DialerString_2 Tue, 04/28/2009 - 10:51

Your dynamic-map sequence number should always be higher than the static crypto maps.


You may want to start them at 6000; you can have up to 65535, and the number is optional.

jhankin Tue, 04/28/2009 - 12:04

The pool of addresses for remote access is 172.25.25.1 to 172.25.25.254. This is the address pool referred to by RemoteAccPool. I have confirmed that this range of addresses is in the ACLs on both ends of the tunnel. This is where I first started looking when the traffic would not pass once the tunnel was established.


Thanks
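The pieces discussed in this thread (RA pool in the site-to-site crypto ACL, NAT handling, RRI, and the dynamic map sequenced above the static entries), put together as one constructed ASA configuration. This is an added illustration, not the poster's running config: the subnets 192.168.10.0/24 (inside), 192.168.20.0/24 (remote site), peer 203.0.113.5, and the names outside_map, dyn-ra, RA-GP and RA-TG are assumptions; only the 172.25.25.0/24 pool and the name RemoteAccPool come from the thread. It uses pre-8.3 NAT syntax to match the 2009 date, and it includes one item the thread does not mention that the described flow needs: traffic arriving from an RA client on the outside interface and leaving through the L2L tunnel on that same interface is dropped unless same-security intra-interface traffic is permitted.

```cisco
! Constructed example topology (assumed, not from the thread):
!   inside LAN 192.168.10.0/24, remote site 192.168.20.0/24 behind peer 203.0.113.5,
!   RA pool 172.25.25.0/24 (from the thread).
!
! 1. RA-client packets are decrypted on outside and re-encrypted out of outside
!    (hairpin); the ASA drops that without this line.
same-security-traffic permit intra-interface
!
ip local pool RemoteAccPool 172.25.25.1-172.25.25.254 mask 255.255.255.0
!
! 2. NAT exemption for all three VPN flows (pre-8.3 syntax).
access-list nonat-inside extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat-inside extended permit ip 192.168.10.0 255.255.255.0 172.25.25.0 255.255.255.0
nat (inside) 0 access-list nonat-inside
! RA-to-remote traffic enters on outside, so its exemption hangs off outside.
access-list nonat-outside extended permit ip 172.25.25.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (outside) 0 access-list nonat-outside
!
! 3. Crypto ACL for the L2L tunnel: the RA pool must be an interesting source here,
!    and the peer's crypto ACL must mirror it (pool as destination).
access-list l2l-site-b extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list l2l-site-b extended permit ip 172.25.25.0 255.255.255.0 192.168.20.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! 4. Static L2L entry with a low sequence number; RRI adds the remote route while up.
crypto map outside_map 10 match address l2l-site-b
crypto map outside_map 10 set peer 203.0.113.5
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set reverse-route
! Dynamic map for RA clients, attached at 6000 so static entries are tried first.
crypto dynamic-map dyn-ra 10 set transform-set ESP-AES-SHA
crypto dynamic-map dyn-ra 10 set reverse-route
crypto map outside_map 6000 ipsec-isakmp dynamic dyn-ra
crypto map outside_map interface outside
!
! 5. The split-tunnel list must carry the remote site's subnet, or the client
!    never sends that traffic into its tunnel in the first place.
access-list ra-split standard permit 192.168.10.0 255.255.255.0
access-list ra-split standard permit 192.168.20.0 255.255.255.0
group-policy RA-GP internal
group-policy RA-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ra-split
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 address-pool RemoteAccPool
 default-group-policy RA-GP
```

ISAKMP policy, peer authentication and the L2L tunnel-group are omitted as unrelated to the question. After the change, "show crypto ipsec sa" on the L2L tunnel should show a separate SA pair for the 172.25.25.0/24 to 192.168.20.0/24 proxy identities.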

