Cisco ASA 5505 remote VPN access to local network

ciunetworks (Level 1)

I have two ASA 5505s set up in a site-to-site VPN which works perfectly. Now I also need to have remote client VPN access with the Cisco VPN dialer to the 1st site. I can get the VPN dialer to connect to the VPN and get a VPN IP address, but I have no access to the remote network. Can someone take a look and see what I am missing? I have attached the ASA running config.


4 Replies

Jennifer Halim (Cisco Employee)

The configuration doesn't include VPN access from the remote VPN client towards the remote network via the site-to-site VPN.

There are a few things that need to be added/modified to this ASA as follows:

Add the following:

access-list outside_20_cryptomap extended permit ip 10.10.20.0 255.255.255.0 192.168.100.0 255.255.255.0

same-security-traffic permit intra-interface

access-list DSILREMOTE_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0

Modify the following:

no crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 1000 ipsec-isakmp dynamic outside_dyn_map

The VPN client dynamic crypto map can't be on the lowest sequence number, hence updating it from seq# 10 to 1000.

On the remote ASA, you would need to also add the following:

1) Mirror-image crypto ACL on the site-to-site VPN to include the above:

permit ip 192.168.100.0 255.255.255.0 10.10.20.0 255.255.255.0

2) NAT exemption ACL to include the following:

permit ip 192.168.100.0 255.255.255.0 10.10.20.0 255.255.255.0

Hope that helps.

Thanks for the reply.

I changed the Seq # on the dynamic map to 1000 and that has not seemed to do anything for me.

As for the 192.168.100.0 network, I do not need the remote VPN dialer users to get to that Network.


I have two sites:

Site 1 : 10.10.100.x

Site 2: 192.168.100.x

remote VPN users using the VPN Dialer need access to Site 1.

Right now, the site-to-site VPN between Site 1 and Site 2 works perfectly, and the VPN client will connect, but I cannot see Site 1 LAN devices, such as the server which is 10.10.100.25.

Any other suggestions?

Accepted solution:

Apologies for the misunderstanding.

To access the 10.10.100.x subnet from the remote VPN client, the vpn-filter ACL is the other way round.

Please kindly swap the following ACL:

FROM:

access-list outside_cryptomapVPN extended permit ip any 10.10.20.0 255.255.255.224

TO:

access-list outside_cryptomapVPN extended permit ip 10.10.20.0 255.255.255.224 any

Hope that helps.
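The two fixes in this thread (the vpn-filter ACL direction in the accepted solution above and the dynamic crypto map sequence number in the first reply) both lend themselves to an automated check over a running config. The following is an added example written for this page; it is not Cisco code and not the poster's attached configuration. It parses a constructed config fragment that mirrors the thread's addressing (client pool 10.10.20.0/27, Site 1 LAN 10.10.100.0/24, Site 2 192.168.100.0/24) and flags both mistakes. The pool name REMOTE_POOL, the group-policy name DSILREMOTE, the peer address 203.0.113.2 and any ACL contents beyond what the posts quote are assumptions.

```python
"""Added example (not Cisco's code, not the poster's config): check an ASA
running-config fragment for the two remote-access VPN mistakes in this thread.

1. vpn-filter direction: the ASA evaluates a vpn-filter ACL with the remote
   client as SOURCE and the protected network as DESTINATION for both
   directions of a flow, so an ACE written 'any -> pool' never matches a
   client talking to the LAN and the implicit deny drops the traffic.
2. Dynamic crypto map order: entries are tried in ascending sequence number,
   so the dynamic (remote-access) entry must sort after every static
   site-to-site entry in the same crypto map.
"""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample config mirroring the thread. Pool name, peer address and
# group-policy name are assumptions, not taken from the poster's file.
CONFIG_BEFORE = """\
ip local pool REMOTE_POOL 10.10.20.1-10.10.20.30 mask 255.255.255.224
access-list outside_cryptomapVPN extended permit ip any 10.10.20.0 255.255.255.224
access-list outside_20_cryptomap extended permit ip 10.10.100.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 203.0.113.2
group-policy DSILREMOTE attributes
 vpn-filter value outside_cryptomapVPN
"""

# Same fragment with the two changes from the thread applied.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "permit ip any 10.10.20.0 255.255.255.224",
    "permit ip 10.10.20.0 255.255.255.224 any",
).replace("outside_map 10 ipsec-isakmp", "outside_map 1000 ipsec-isakmp")

ACE_RE = re.compile(
    r"^access-list (\S+) extended permit ip (any|\S+ \S+) (any|\S+ \S+)$", re.M)
CRYPTO_RE = re.compile(
    r"^crypto map (\S+) (\d+) (ipsec-isakmp dynamic|match address|set peer) ", re.M)


def _side(token):
    """Turn 'any' or 'address netmask' into an IPv4Network."""
    if token == "any":
        return ANY
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pool(config):
    """Network covering the 'ip local pool' handed to remote-access clients."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)", config, re.M)
    if not m:
        raise ValueError("no 'ip local pool' in config")
    return _side(f"{m.group(1)} {m.group(3)}")


def parse_acl(config, name):
    """(source, destination) network pairs of the named extended ACL, in order."""
    return [(_side(s), _side(d)) for acl, s, d in ACE_RE.findall(config) if acl == name]


def vpn_filter_name(config):
    """Name of the ACL referenced by 'vpn-filter value', or None."""
    m = re.search(r"^\s*vpn-filter value (\S+)", config, re.M)
    return m.group(1) if m else None


def check_vpn_filter(config):
    """Flag vpn-filter ACEs that put the client pool on the destination side."""
    findings = []
    name = vpn_filter_name(config)
    if name is None:
        return findings
    pool = parse_pool(config)
    for src, dst in parse_acl(config, name):
        if dst.subnet_of(pool):
            findings.append(f"vpn-filter {name}: client pool {pool} is the destination; "
                            "the ASA matches the client as source, so swap the ACE")
        elif not pool.overlaps(src):
            findings.append(f"vpn-filter {name}: source {src} never matches pool {pool}")
    return findings


def check_dynamic_map_order(config):
    """Flag dynamic crypto map entries numbered below a static entry in the same map."""
    dynamic, static = {}, {}
    for name, seq, kind in CRYPTO_RE.findall(config):
        bucket = dynamic if kind.startswith("ipsec-isakmp dynamic") else static
        bucket.setdefault(name, set()).add(int(seq))
    findings = []
    for name, dyn_seqs in dynamic.items():
        highest_static = max(static.get(name, [-1]))
        for seq in sorted(dyn_seqs):
            if seq < highest_static:
                findings.append(f"crypto map {name}: dynamic entry {seq} sorts before "
                                f"static entry {highest_static}; renumber it higher")
    return findings


def audit(config):
    """All findings for a running-config fragment (empty list means clean)."""
    return check_vpn_filter(config) + check_dynamic_map_order(config)


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, "->", audit(cfg) or ["no findings"])
```

Running it prints two findings for the "before" fragment (the reversed vpn-filter ACE and the dynamic crypto map at sequence 10 sorting before the static entry at 20) and none for the "after" fragment. The vpn-filter check encodes the ASA rule that the filter ACL is evaluated with the remote client as source and the inside resource as destination regardless of which side sends the packet, which is why `permit ip any 10.10.20.0 255.255.255.224` blocked the client and the swapped ACE does not; the crypto map check encodes the ordering rule given in the first reply.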

Perfect... Thanks so much!