VPN site-to-site through remote access

Answered Question
Sep 15th, 2010
Hi,


I'm running a VPN between two sites using two ASA 5505s.

I also want RA-VPN, which is hosted on both ASAs.


My need is to remove one of the RA-VPN accesses and keep only one, but I still need to be able to reach the second site.


I did a split tunnel with both LANs, but I'm still not able to get the route on my computer when I connect to the RA-VPN.


Is it possible? And how?

Correct Answer by Jennifer Halim (Cisco Employee), Wed, 09/15/2010 - 05:33

A few things need to be configured for the remote access VPN to reach the remote site-to-site VPN LAN:

1) The site-to-site tunnel crypto ACL needs to include the remote VPN client IP pool subnet, as follows:

On the ASA that terminates the VPN client: permit ip

On the remote ASA that terminates the site-to-site tunnel: permit ip


2) On the ASA that terminates the VPN client: same-security-traffic permit intra-interface


3) On the remote ASA that terminates the site-to-site tunnel: the NAT exemption ACL needs to include traffic from the remote LAN towards the IP pool subnet.


Plus the split tunnel ACL that includes both subnets, which I believe you already configured.


Hope that helps.
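The three changes above, written out as one pre-8.3 ASA configuration fragment covering both boxes. This is an added example, not configuration posted in the thread: the addresses, ACL and object names, the group-policy name RA-GP, the crypto map name and the peer IPs are assumptions chosen for illustration, and the rest of the already-working site-to-site and RA-VPN configuration (ISAKMP policy, transform set, tunnel groups, authentication) is taken as given.

```cisco
! ===== ASA-A: terminates the RA-VPN clients and one end of the S2S tunnel =====
! Assumed addressing (hypothetical, not from the thread):
!   ASA-A inside LAN  192.168.1.0/24      ASA-A outside IP  198.51.100.1
!   RA-VPN IP pool    10.10.10.0/24       (addresses handed to remote clients)
!   ASA-B inside LAN  192.168.2.0/24      ASA-B outside IP  203.0.113.2
ip local pool RA-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

! Step 2: a client's packet for Site B arrives decrypted on outside and must
! leave re-encrypted on outside; the ASA drops that hairpin unless allowed.
same-security-traffic permit intra-interface

! Step 1 (hub side): the S2S crypto ACL must list the RA pool as a source,
! not only the local LAN, otherwise client traffic never matches the tunnel.
access-list S2S-TO-B extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list S2S-TO-B extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address S2S-TO-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2

! NAT exemption (pre-8.3 "nat 0" syntax). LAN-to-LAN and LAN-to-pool are
! exempted on inside; pool-to-LAN on outside, because hairpinned client
! traffic never touches inside. The outside rule is only required if some
! existing nat (outside) rule or nat-control would otherwise translate it.
access-list NONAT-IN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT-IN extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT-IN
access-list NONAT-OUT extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (outside) 0 access-list NONAT-OUT

! Split tunnel: both LANs, so the client installs a route for Site B's LAN
! pointing at its VPN adapter. Without the second line the client sends
! 192.168.2.x out its normal default gateway and the tunnel is never used.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.2.0 255.255.255.0
group-policy RA-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! ===== ASA-B: terminates only the S2S tunnel =====
! Step 1 (spoke side): mirror image of ASA-A's crypto ACL, pool included.
access-list S2S-TO-A extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list S2S-TO-A extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address S2S-TO-A
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1

! Step 3: exempt LAN -> pool from NAT. Without it, replies to a VPN client
! are PATed to ASA-B's outside address, no longer match S2S-TO-A, and leave
! in the clear toward the Internet instead of entering the tunnel.
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ===== Checks =====
! On ASA-A, after a client connects and pings a Site B host, expect an SA
! whose identities are the pool and Site B's LAN with rising pkts encaps/decaps:
!   show crypto ipsec sa peer 203.0.113.2
! On ASA-B, the same pair seen from the other side, plus hit counts on the
! exemption entry for the pool:
!   show crypto ipsec sa peer 198.51.100.1
!   show access-list NONAT
! On the client, a route for 192.168.2.0/24 via the VPN adapter
!   (Windows: route print; Linux/macOS: netstat -rn).
```

Two things worth knowing before copying this. First, adding the pool to the crypto ACL extends Site B's trusted perimeter to every remote client, and because `sysopt connection permit-vpn` is on by default, traffic arriving through either tunnel bypasses the outside interface ACL on both ASAs; if remote users should reach only specific Site B hosts, apply a `vpn-filter` in the RA group policy on ASA-A (or in the L2L group policy on ASA-B) rather than relying on interface ACLs. Second, on ASA 8.3 and later the `nat 0 access-list` exemptions are replaced by twice NAT, e.g. `nat (inside,outside) source static SITE-B-LAN SITE-B-LAN destination static RA-POOL RA-POOL no-proxy-arp route-lookup` on ASA-B, with the same pool entry still required in both crypto ACLs.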

omar.elmohri Wed, 09/15/2010 - 06:25
User Badges:

I was missing No. 3.

And that's true, I have to include it on the S2S link.

Thanks
