New Member

Another Remote Access VPN to Site-to-Site VPN Thread

Hello all, I'm trying to give my Cisco VPN Client remote users access to our branch office which is connected successfully to the main office via a site-to-site VPN tunnel.

VPN IP Pool: 10.0.2.0

Main Office: 10.0.1.0

Branch Office: 192.168.0.0

After reading the threads here I've implemented the following:

Head Firewall: (ASA5510, 7.1.2, 5.12)

same-security-traffic permit intra-interface

add vpn pool to interesting traffic on tunnel

add vpn pool to crypto access list

add branch network to split tunnel

Remote Firewall: (PIX 501, 6.3.5, 3.0.4)

add vpn pool to interesting traffic on tunnel

add vpn pool to crypto access list

add vpn pool to nat exemption acl

While viewing debug I can see the ASA building TCP connections to the branch office network, but I don't get any connection or action on the remote firewall.

Any ideas? Relevant configuration is attached.

1 ACCEPTED SOLUTION

Green

Re: Another Remote Access VPN to Site-to-Site VPN Thread

The two statements below are the same acl.

add vpn pool to interesting traffic on tunnel

add vpn pool to crypto access list

The config looks ok to me. On the remote 501 you should have something like this

access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0

nat (inside) 0 access-list nonat

access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0

crypto map newmap 10 match address 100

Is that about what you have?

Have you rebooted the 501?

Please rate helpful posts.
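The per-firewall steps in the original post and the PIX 501 lines in the answer above reduce to one rule: every local-to-remote subnet pair, the VPN client pool included, has to be present in both the NAT-exemption ACL (`nat (inside) 0 access-list nonat`) and the crypto ACL bound by `crypto map newmap 10 match address 100`. The checker below is an added example, not code from this thread or from Cisco. It parses the PIX lines quoted in the answer (embedded as constructed sample text), plus a second constructed variant with the pool entry left out of the crypto ACL, and reports which ACL fails to cover which pair. The ACL names `nonat` and `100` and the map name `newmap` come from the answer; the function names are my own.

```python
import re
from ipaddress import ip_network, IPv4Network

# Constructed sample: the PIX 501 lines suggested in the accepted answer,
# plus the two statements that bind those ACLs to NAT exemption and the crypto map.
PIX_CONFIG = """
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto map newmap 10 match address 100
"""

# Constructed failure case: the VPN pool was added to the NAT-exemption ACL
# but never to the crypto ACL, so pool traffic is never treated as interesting.
MISSING_POOL_CONFIG = "\n".join(
    line for line in PIX_CONFIG.splitlines()
    if not (line.startswith("access-list 100") and "10.0.2.0" in line)
)

# PIX/ASA access-list entries use subnet masks (not wildcard masks); ASA may add "extended".
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+(?P<dst>host\s+\S+|any|\S+\s+\S+)\s*$"
)
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(?P<name>\S+)")
CRYPTO_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(?P<name>\S+)")


def to_network(token: str) -> IPv4Network:
    """Convert an ACL address token ('any', 'host A.B.C.D', 'A.B.C.D M.M.M.M') to a network."""
    if token == "any":
        return ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ip_network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ip_network(f"{addr}/{mask}")  # strict: rejects host bits set under the mask


def parse_config(text: str):
    """Return (acls, nat0_acl, crypto_acl); acls maps ACL name -> list of (src, dst) networks."""
    acls, nat0, crypto = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ACL_RE.match(line)):
            acls.setdefault(m["name"], []).append((to_network(m["src"]), to_network(m["dst"])))
        elif (m := NAT0_RE.match(line)):
            nat0 = m["name"]
        elif (m := CRYPTO_RE.match(line)):
            crypto = m["name"]
    return acls, nat0, crypto


def covers(entries, local: IPv4Network, remote: IPv4Network) -> bool:
    """True if some permit entry's src contains `local` and its dst contains `remote`."""
    return any(local.subnet_of(s) and remote.subnet_of(d) for s, d in entries)


def check_l2l_coverage(text: str, local: str, remotes):
    """For each remote subnet, report whether the crypto ACL and the NAT-exemption ACL
    both permit local -> remote. A False in either column is a reason the tunnel will
    not carry (or will NAT) that traffic."""
    acls, nat0, crypto = parse_config(text)
    local_net = ip_network(local)
    report = {}
    for r in remotes:
        rn = ip_network(r)
        report[r] = {
            "crypto": crypto is not None and covers(acls.get(crypto, []), local_net, rn),
            "nat_exempt": nat0 is not None and covers(acls.get(nat0, []), local_net, rn),
        }
    return report


if __name__ == "__main__":
    remotes = ["10.0.1.0/24", "10.0.2.0/24"]  # main office LAN and the VPN client pool
    for label, cfg in (("answer config", PIX_CONFIG), ("pool missing from crypto ACL", MISSING_POOL_CONFIG)):
        print(label)
        for remote, status in check_l2l_coverage(cfg, "192.168.0.0/24", remotes).items():
            print(f"  192.168.0.0/24 -> {remote}: crypto={status['crypto']} nat_exempt={status['nat_exempt']}")
```

Run it against a saved `show run` excerpt from the PIX side by replacing `PIX_CONFIG`; the same parser accepts ASA-style `access-list ... extended permit ip ...` lines, so the head-end crypto ACL can be checked the same way with the roles reversed.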

3 REPLIES
Green

Re: Another Remote Access VPN to Site-to-Site VPN Thread

...and here's the doc depicting your exact situation.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Please rate helpful posts.

New Member

Re: Another Remote Access VPN to Site-to-Site VPN Thread

Reload of the 501 was a good call. I'm pretty sure that fixed it.

Thanks!
