
New Member

Remote access and site to site on the same ASA

I am using an ASA 5510 for both remote access and site to site VPN. Is there a way for the remote access clients to access the remote sites via the site to site tunnels? I have included the IP address range of the remote access clients in the crypto maps for the site to site tunnels but their traffic appears to be blocked. I suppose I could set up a second ASA to handle just the remote access users but I would prefer to avoid the expense if possible.

Thanks

7 REPLIES
New Member

Re: Remote access and site to site on the same ASA

Are the ACLs configured correctly, and are you permitting the traffic on the remote end? You won't need that second ASA; I have this setup in my network now. Are you using RRI for the site to site? Reverse route injection.

New Member

Re: Remote access and site to site on the same ASA

The ACLs appear to be working fine. I am passing IP traffic for all of the configured subnets with the exception of the remote access subnet. I have both ends of the tunnel configured with the RA subnet in the crypto map. I am not using reverse route injection. Actually I am not at all familiar with it. Do you think this is where I should start looking?

Thanks

New Member

Re: Remote access and site to site on the same ASA

RRI only injects a static route in the ASA routing table and removes it when the tunnel is down.

Can you provide a show run access-list, show run nat, sh run crypto and a sh run tunnel?

Can you paste the acl from the other side?

New Member

Re: Remote access and site to site on the same ASA

I have attached the output of the show commands as a text file.

Thanks

New Member

Re: Remote access and site to site on the same ASA

Where is your pool of addresses for:

address-pool RemoteAccPool

New Member

Re: Remote access and site to site on the same ASA

Your dynamic-map sequence number should always be higher than the static crypto maps.

You may want to start them at 6000; you can have up to 65535, and the number is optional.

New Member

Re: Remote access and site to site on the same ASA

The pool of addresses for remote access is 172.25.25.1 to 172.25.25.254. This is the address pool referred to by RemoteAccPool. I have confirmed that this range of addresses is in the ACLs on both ends of the tunnel. This is where I first started looking when the traffic would not pass once the tunnel was established.

Thanks
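The two configuration rules raised in this thread, that the dynamic crypto map entry must carry a higher sequence number than every static (peer-specific) entry and that the remote access pool must fall inside the source side of each site to site crypto ACL, can be audited from a `show run` capture. The script below is an added example and is not from the thread or from Cisco; the configuration text it parses is constructed (peer and LAN addresses are made up, the pool name and 172.25.25.x range match what the original poster described), and the parser is deliberately limited to `ip local pool`, `crypto map` and `access-list ... extended permit ip` lines with plain `any`, `host` or address/mask endpoints, so object-groups are not handled.

```python
import ipaddress
import re

# Constructed ASA configuration fragment (not from the thread). The RA pool name
# and range match the thread; peers and LAN subnets are placeholders.
SAMPLE_CONFIG = """
ip local pool RemoteAccPool 172.25.25.1-172.25.25.254 mask 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list outside_cryptomap_10 extended permit ip 172.25.25.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 10.2.0.0 255.255.0.0
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
MAP_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
MAP_DYN_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")


def _take_endpoint(tokens, i):
    """Consume one ACL endpoint (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Map ACL name -> list of (source network, destination network) for permit ip lines."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _take_endpoint(t, 5)
        dst, _ = _take_endpoint(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def parse_pools(config):
    """Map pool name -> (first address, last address)."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools


def parse_crypto_map(config, map_name):
    """Return {seq: {'acl': name or None, 'dynamic': bool}} for one crypto map."""
    entries = {}
    for line in config.splitlines():
        m = MAP_MATCH_RE.match(line.strip())
        if m and m.group(1) == map_name:
            entries.setdefault(int(m.group(2)), {"acl": None, "dynamic": False})["acl"] = m.group(3)
            continue
        m = MAP_DYN_RE.match(line.strip())
        if m and m.group(1) == map_name:
            entries.setdefault(int(m.group(2)), {"acl": None, "dynamic": False})["dynamic"] = True
    return entries


def dynamic_map_ordering_issues(entries):
    """Entries are evaluated in ascending sequence; a dynamic entry ordered before a
    static peer entry can match that peer first, so flag any dynamic seq below a static one."""
    static_seqs = [s for s, e in entries.items() if not e["dynamic"]]
    dynamic_seqs = [s for s, e in entries.items() if e["dynamic"]]
    return [f"dynamic entry seq {d} is lower than static entry seq {s}"
            for d in dynamic_seqs for s in static_seqs if d < s]


def pool_uncovered_acls(config, pool_name, acl_names):
    """Return the crypto ACLs whose source side does not contain the whole RA pool."""
    start, end = parse_pools(config)[pool_name]
    acls = parse_acls(config)
    return [name for name in acl_names
            if not any(start in src and end in src for src, _ in acls.get(name, []))]


def audit(config, map_name, pool_name):
    """Run both checks and return a list of human-readable findings (empty means clean)."""
    entries = parse_crypto_map(config, map_name)
    findings = dynamic_map_ordering_issues(entries)
    static_acls = [e["acl"] for _, e in sorted(entries.items()) if not e["dynamic"] and e["acl"]]
    for acl in pool_uncovered_acls(config, pool_name, static_acls):
        findings.append(f"crypto ACL {acl} does not cover pool {pool_name}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "outside_map", "RemoteAccPool"):
        print(finding)
```

Run against the constructed fragment, the ordering check passes (dynamic entry at 65535, statics at 10 and 20) but the second tunnel's ACL is reported because it lists only the local LAN as a source, which is exactly the situation the original poster was asked to rule out. The checks only cover what was raised in the thread; when remote access clients and a site to site tunnel both terminate on the outside interface, the traffic also has to be allowed to enter and leave the same interface, which on the ASA is the separate `same-security-traffic permit intra-interface` setting and is not something this script inspects.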
