
AnyConnectVPN users cannot access remote office over site-to-site vpn

Hello-

We have two ASA 5510s, one running 8.4(4) and one running 8.2(5), in a site-to-site VPN setup. All internal traffic is working smoothly.

Site/Subnet A: 192.160.0.0 - local (8.4(4))
Site/Subnet B: 192.260.0.0 - remote (8.2(5))
VPN Users: 192.160.40.0 - assigned by ASA

When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.

Site B, however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc., are not reachable by ping or otherwise.

There are also some weird NAT rules that I am not happy with, which were created after I upgraded the Site A ASA to 8.4.

Site A internal: 192.160.x.x    External: 55.55.555.201 (main) / .202 (mail)

Site B (over site-to-site): 192.260.x.x    External: 66.66.666.54 (all)

I pretty much just have the basic NAT rules for VPN, Email, Internet and the site-to-site.

What do I need to add for the VPN to be able to access the site-to-site network?

Here is my NAT config:

nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
object network DMZ_Network
 nat (DMZ,Outside) dynamic interface
object network DOMAIN_LOCAL
 nat (inside,Outside) dynamic interface
object network EXCHANGE_Exchange
 nat (any,any) static Outside_Mail
object network DOMAINCTRL_DHCP
 nat (inside,Outside) static interface service tcp ftp ftp

Thank you very much in advance, and I hope I have been thorough enough.

Let me know if you need anything else. Thanks!!

1 ACCEPTED SOLUTION


Re: AnyConnectVPN users cannot access remote office over site-to-site vpn

Theo,

You do not need any NAT rules on the outside (according to your config).

You basically need to add the VPN pool to the L2L traffic and the remote network to the split-tunneling ACL (if configured), also the "same-security-traffic permit intra-interface".

Please let me know.

Thanks.
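The three items in the accepted answer, written out as an added configuration example (not the poster's config and not Cisco documentation). It reuses the page's object and interface names; the VPN pool mask (/24), the site masks (/16), and the ACL, crypto map and group-policy names are assumptions.

```cisco
! ---- Site A, ASA 8.4(4): AnyConnect terminates here, L2L tunnel to Site B ----
! Assumed: pool is 192.160.40.0/24; ACL/crypto-map/group-policy names are hypothetical.
object network VPN_Network
 subnet 192.160.40.0 255.255.255.0
!
! 1. Client traffic arrives on Outside and must leave on Outside toward the
!    Site B tunnel (hairpin). The ASA drops this unless explicitly permitted.
same-security-traffic permit intra-interface
!
! 2. Identity NAT for pool -> remote site, so pool addresses cross the tunnel
!    untranslated and match the L2L proxy identities on both ends.
nat (Outside,Outside) source static VPN_Network VPN_Network destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
! 3. The crypto (interesting-traffic) ACL must include the pool; otherwise
!    pool -> 192.260.x.x packets are routed to the Internet instead of encrypted.
!    If DOMAIN_LOCAL is really 192.160.0.0/16 the second line is already covered,
!    but listing the pool explicitly documents the intent.
access-list L2L_SiteB_ACL extended permit ip object DOMAIN_LOCAL object DOMAIN_REMOTE
access-list L2L_SiteB_ACL extended permit ip object VPN_Network object DOMAIN_REMOTE
crypto map outside_map 1 match address L2L_SiteB_ACL
!
! 4. With split tunneling, the remote site must be in the split-tunnel ACL or
!    the client never sends 192.260.x.x traffic into the SSL tunnel at all.
access-list SPLIT_TUNNEL standard permit 192.160.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 192.260.0.0 255.255.0.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! ---- Site B, ASA 8.2(5): mirror image of the crypto ACL and the NAT exemption ----
! Pre-8.3 syntax: NAT exemption is "nat 0 access-list", not an identity NAT rule.
access-list L2L_SiteA_ACL extended permit ip 192.260.0.0 255.255.0.0 192.160.0.0 255.255.0.0
access-list L2L_SiteA_ACL extended permit ip 192.260.0.0 255.255.0.0 192.160.40.0 255.255.255.0
access-list NO_NAT extended permit ip 192.260.0.0 255.255.0.0 192.160.0.0 255.255.0.0
access-list NO_NAT extended permit ip 192.260.0.0 255.255.0.0 192.160.40.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
crypto map outside_map 1 match address L2L_SiteA_ACL
```

To confirm the path on Site A without a client, run `packet-tracer input Outside icmp 192.160.40.10 8 0 192.260.0.10 detailed` (constructed host addresses) and check that the NAT phase shows the identity rule and the final phase is VPN encrypt rather than a route to the Internet; `show crypto ipsec sa peer 66.66.666.54` should then list a pool-to-remote SA alongside the inside-to-remote one.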

3 REPLIES


Re: AnyConnectVPN users cannot access remote office over site-to-site vpn

Thanks! For some reason the ACL was not keeping the settings I entered. A complete rebuild of the tunnel did the trick and kept the ACL updates. Must be related to the 8.2 - 8.4 upgrade. Thanks for pointing that out... I looked right through it, thinking they were set.

Re: AnyConnectVPN users cannot access remote office over site-to-site vpn

Theo,

Perfect news

Look forward to hearing back from you in the future!

Have a good one.
