Cisco Support Community

New Member

Behavior of vpn client connecting to ASA site to site connection

I have connected a remote office using an ASA 5505 to the main office which uses an NSA 3500 SonicWall firewall. I was able to bring up the site-to-site VPN and can ping clients on each end. I was also looking at configuring VPN client access for employees who travel. The remote office behind the ASA has a backup domain controller to store the profiles, but the Exchange server is at the main office behind the SonicWall firewall. If I connect a VPN client to the ASA (remote office), the employees can pull their profile; however, they can't access the Exchange server. If they connect to the SonicWall firewall, then they can't pull their profiles. People at the main office and remote office have no problem accessing resources.

VPN Client (on the road) --> ASA 5505 (remote office) --> (site-to-site connection) --> SonicWall firewall (main office) --> Exchange server

I can ping from the VPN client to the ASA.
I can't ping the Exchange server.
People at the remote office can access everything at the main office and vice versa.

Would this be correct behavior?

Cisco Employee

Re: Behavior of vpn client connecting to ASA site to site connection

To access HQ when you are connected to ASA 5505 via VPN Client, you would need to configure the following:

- The crypto ACL on the LAN-to-LAN tunnel between the ASA and the SonicWall should include the VPN Client IP pool, i.e.:

     ++ On the ASA, crypto ACL on the LAN-to-LAN tunnel: access-list permit ip

     ++ On the SonicWall, crypto ACL on the LAN-to-LAN tunnel: the reverse of the above: access-list permit ip

- On the ASA, the configuration should include "same-security-traffic permit intra-interface" to allow traffic in and out of the same outside interface.

- If you configure split tunneling for the VPN Client connection, remember to include the SonicWall subnet in your split tunnel list.

- On the SonicWall, you would need to configure NAT exemption for traffic from the SonicWall subnet towards the ASA VPN Client IP pool subnet.
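The ASA side of the four points above, written out as an added example in ASA 8.2-style CLI (it is not configuration from the thread or from Cisco). The subnets, pool range, and object names (L2L_HQ, NONAT, NONAT_OUTSIDE, SPLIT_TUNNEL, VPNPOOL, OUTSIDE_MAP) are constructed placeholders; the ASA-side NAT exemption for the hairpinned VPN-client traffic is an assumption beyond what the reply states, and the SonicWall side (mirrored crypto ACL and NAT exemption) is not shown.

```cisco
! Constructed example addressing (not from the thread):
!   Remote office LAN behind the ASA : 10.10.10.0/24
!   HQ LAN behind the SonicWall      : 10.20.20.0/24
!   VPN Client address pool          : 192.168.100.0/24

ip local pool VPNPOOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! Point 2: VPN-client traffic enters on outside and must leave on outside
! toward the L2L tunnel, so same-interface (hairpin) traffic is permitted.
same-security-traffic permit intra-interface

! Point 1: crypto ACL for the LAN-to-LAN tunnel. Both the remote LAN and
! the VPN Client pool must be "interesting" traffic toward the HQ subnet.
! The SonicWall side needs the mirror image of these two lines.
access-list L2L_HQ extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list L2L_HQ extended permit ip 192.168.100.0 255.255.255.0 10.20.20.0 255.255.255.0
! Only the match-address line of the existing L2L crypto map entry changes.
crypto map OUTSIDE_MAP 10 match address L2L_HQ

! NAT exemption (ASA 8.2 syntax). Assumption: the hairpinned pool-to-HQ
! traffic also needs an exemption on the outside interface so the VPN
! client source address is not translated before it enters the tunnel.
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list NONAT_OUTSIDE extended permit ip 192.168.100.0 255.255.255.0 10.20.20.0 255.255.255.0
nat (outside) 0 access-list NONAT_OUTSIDE

! Point 3: split tunnel list must carry the HQ (SonicWall) subnet as well,
! otherwise the client sends Exchange traffic out its local default route.
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.20.20.0 255.255.255.0

group-policy VPNCLIENT_GP internal
group-policy VPNCLIENT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
 address-pool VPNPOOL
 default-group-policy VPNCLIENT_GP
```

After applying this, "show crypto ipsec sa" on the ASA should show a separate SA pair for the 192.168.100.0/24 to 10.20.20.0/24 proxy identities once a VPN client sends traffic toward HQ; if only the 10.10.10.0/24 pair appears, the SonicWall side of the crypto ACL or NAT exemption is still missing.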