Cisco Support Community

New Member

Can't access site-to-site VPN from remote VPN

Internal Network:     192.168.0.0/16

Remote VPN Clients:   192.168.0.100-192.168.0.254

Remote (L2L) Network: 10.10.10.0/26


Remote VPN Clients are able to access the internal network without issue, but are unable to access the remote 10.10.10.0 network. Is there a way to debug this? `packet-tracer` shows no issues.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Can't access site-to-site VPN from remote VPN

Hi Ben,

Please create a no-nat on the outside interface, because your remote-vpn clients and remote-L2L tunnels are located outside the interface (i.e. coming off the outside). You have to treat your outside network the same as your inside network, as you would create a no-nat for your inside networks.

The ACL you create for no-nat on the outside must cover both directions, as below.

```
! NAT exemption ACL: VPN client pool to the L2L network, and the reverse direction
access-list outside_nat0 extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.192
access-list outside_nat0 extended permit ip 10.10.10.0 255.255.255.192 192.168.0.0 255.255.255.0
! Bind the exemption (nat 0) to the outside interface, where both tunnels terminate
nat (outside) 0 access-list outside_nat0
! Allow traffic to enter and leave the same interface (hairpinning)
same-security-traffic permit intra-interface
```

Pls let me know, if that helps.

Thanks

Rizwan Rafeek

3 REPLIES
Cisco Employee

Can't access site-to-site VPN from remote VPN

Is this on an ASA or a router? 

At a minimum, you would need the following:

1) If using split tunneling, the 10.10.10.0/26 network needs to be put in the split tunnel ACL so the clients get a route to the 10.10.10.0/26 network.

2) Make sure 192.168.0.100-0.254 are allowed across the L2L tunnel (assuming you are not allowing the 192.168.0.0/16 across the tunnel and are only allowing specific networks).

3) If this is an ASA, make sure you have 'same-security-traffic permit intra-interface' to allow traffic to go in and out the same interface, assuming your remote access clients and L2L tunnel are terminating on the same interface.

4) Make sure there are no NAT issues with traffic going from the VPN clients to the 10.10.10.0/26 network.

5) Check any access-control lists.
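As an added example (not from this thread or from Cisco), a small Python check for items 3 and 4 of this checklist: it parses pre-8.3 ASA `nat (outside) 0` exemption lines like the ones in the accepted answer and reports whether a given VPN client and L2L host are exempted in both directions on the interface where both tunnels terminate. The sample config, the interface name and the test addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: the pre-8.3 ASA lines from the accepted answer in this
# thread; the addresses below follow the question's network layout.
SAMPLE_CONFIG = """
access-list outside_nat0 extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.192
access-list outside_nat0 extended permit ip 10.10.10.0 255.255.255.192 192.168.0.0 255.255.255.0
nat (outside) 0 access-list outside_nat0
same-security-traffic permit intra-interface
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ACE_RE = re.compile(rf"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+{IP}\s+{IP}\s+{IP}\s+{IP}$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")


def parse_config(text):
    """Collect 'permit ip' ACEs per ACL, the nat-zero ACL bound to each interface,
    and whether intra-interface hairpinning is enabled."""
    acls, nat0, intra = {}, {}, False
    for line in (l.strip() for l in text.splitlines()):
        if m := ACE_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{smask}", strict=False),
                ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)          # interface -> ACL name
        elif line == "same-security-traffic permit intra-interface":
            intra = True
    return acls, nat0, intra


def check_hairpin_exempt(text, interface, client_ip, remote_ip):
    """Items 3 and 4 of the checklist for a VPN client reaching a host behind the
    L2L tunnel that terminates on the same interface: the nat-zero ACL on that
    interface must match both directions, and hairpinning must be permitted."""
    acls, nat0, intra = parse_config(text)
    client, remote = ipaddress.ip_address(client_ip), ipaddress.ip_address(remote_ip)
    aces = acls.get(nat0.get(interface, ""), [])
    return {
        "nat0_forward": any(client in s and remote in d for s, d in aces),
        "nat0_reverse": any(remote in s and client in d for s, d in aces),
        "intra_interface": intra,
    }
```

Note that the accepted answer's ACL covers 192.168.0.0/24, which holds the client pool but not the whole internal /16, so a client address outside that /24 fails the forward check.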


New Member

Re: Can't access site-to-site VPN from remote VPN

Hi Rizwan,

That's basically exactly what I needed:
