Routing over site to site tunnel after connecting via remote access

UCcomp2007
Level 2

Can someone point me in the right direction?

I have an ASA 5505 set up with both remote access (AnyConnect) and a site to site tunnel over to a business partner.

From the outside, I can connect via AnyConnect and go anywhere within my internal network. From the inside (when at the office where the ASA is) I can route to any destination on the partner side (over the site to site tunnel). But what I can't do, when I connect via remote access from outside, is access the partner side network over the site to site tunnel. I can't ping any address on the other side.

I used the VPN wizards to create both the remote access and site to site tunnels.

Thanks in advance,


5 Replies

Jorge Rodriguez
Level 10

You need to add your RA pool network to the partner's IPsec tunnel ACL policy, and at the same time, in your office ASA where you have the tunnel to the partner and the RA VPN, allow the same in your tunnel policy with the partner, meaning you will allow the partner network to talk to the RA network in the ASA. Also use your existing NAT exempt rule for IPsec applied to the outside interface where both tunnels come in, that is the L2L and RA tunnels. In addition, add the same-security-traffic permit intra-interface statement in the office ASA, since traffic to the partner tunnel goes out and in on the same interface where the RA tunnel terminates in that office firewall.

regards

Jorge Rodriguez
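The following is an added example, not configuration from anyone in this thread, that puts the pieces described above into ASA 8.2-era syntax (the same pre-8.3 form as the "nat (outside) 0 access-list" command used later in this thread). All addresses, ACL names, crypto map and group-policy names are assumed for illustration.

```cisco
! Assumed addressing (constructed for this example):
!   office LAN        192.168.1.0/24   (inside interface)
!   AnyConnect pool   192.168.50.0/24  (RA clients, terminate on outside)
!   partner LAN       10.10.10.0/24    (reached over the L2L tunnel)
!
! 1. RA traffic to the partner enters and leaves on the same (outside) interface
same-security-traffic permit intra-interface
!
! 2. L2L crypto ACL: the office LAN entry already exists; add the RA pool so the
!    office ASA proposes RA-pool <-> partner as a second proxy identity
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.50.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
!
! 3. NAT exemption for hairpinned traffic: RA pool <-> partner on the OUTSIDE
!    interface (the existing inside nat 0 rule only covers the office LAN)
access-list outside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
!
! Existing exemption for office LAN <-> partner, kept for reference
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 4. Only if split tunneling is used: the client must send partner-bound
!    traffic into the AnyConnect tunnel at all
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel standard permit 10.10.10.0 255.255.255.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
!
! 5. Partner side (mirror image): their crypto ACL must also carry the RA pool,
!    otherwise phase 2 fails for that proxy pair
access-list partner_cryptomap extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list partner_cryptomap extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
```

After a client connects and pings a partner host, "show crypto ipsec sa" on the office ASA should list a second SA pair whose local ident is 192.168.50.0/255.255.255.0 and remote ident is 10.10.10.0/255.255.255.0; if only the office LAN pair appears, one side's crypto ACL is still missing the RA pool.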

I ran into a similar problem last Friday, except the two ends of my l2l tunnel could not ping each other. I used the command "nat (outside) 0 access-list 90"

"access-list 90 extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0"

Hope this helps

Daniel, sorry for not giving you an example in my previous post, which sounds confusing :)

I was able to find a thread from a while back. Follow the example and apply the same principle for your AnyConnect; it should work. If you need help, let me know and I will help you out.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2e0f6/4

Jorge Rodriguez

Thanks Jorge. Worked like a charm. Awesome follow up on your part, thanks for the help.

Regards,

Daniel, glad all worked out. Thanks for the rating.

Regards

Jorge Rodriguez