Cisco Support Community

Cisco ASA5505 VPN remote-access user cannot connect to other site-to-site subnet

Hi, I am connecting to an ASA5505 at from home to the head-office using L2TP VPN.

Head-office then has a connection to other-office via a site-to-site IPSEC tunnel.

When in the head-office ( I can ping/access remote-office ( OK.

When connected remotely to head-office, I can ping/access head-office OK from the road-warrior laptop.

My problem is that when connected remotely from home to the head-office I cannot ping/access the other-office subnet.

On the home laptop the L2TP VPN connection is set to route all traffic to the VPN connection, using the HQ as the internet gateway; I can confirm this works.

I can't do a traceroute (I get timeouts) as my policy doesn't allow it, and I'm not sure how to enable this properly on the ASA.

Any ideas what is wrong?

Thanks in advance, config is below:

name othersite
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip othersite
access-list inside_nat0_outbound extended permit ip any
access-list outside_1_cryptomap extended permit ip othersite
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit
access-list outside_in_acl extended permit icmp any any echo-reply
access-list outside_in_acl extended permit tcp any interface outside eq smtp
ip local pool VPNLAN mask
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
nat (outside) 1
static (inside,outside) tcp interface smtp smtp netmask
access-group outside_in_acl in interface outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNLAN
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *****

To accomplish this please make the following changes:

1- Add a NONAT entry on the outside interface to avoid the NAT translation (nat (outside) 1); this NAT will include an access-list permitting traffic from the VPN pool to the remote LAN-to-LAN network.

2- Add the remote network to the VPN Split-ACL.

Please check this out:

access-list nonat_outside permit ip remote_network netmask

nat (outside) 0 access-list nonat_outside


access-list DefaultRAGroup_splitTunnelAcl_1 standard permit remote_network netmask

Let me know

* Please rate any post that you find helpful.
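Added example (not from the poster or the answer above): a small checker that parses pre-8.3 ASA NAT/ACL syntax and reports whether each condition for hairpinning remote-access traffic into the site-to-site tunnel is met. It uses constructed placeholder networks (HQ 10.1.0.0/24, othersite 10.2.0.0/24, VPN pool 10.9.9.0/24) since the post's addresses were not shown, and the `crypto map ... match address` line is assumed because the post omits it. It goes one step beyond the answer by also checking that the L2L crypto ACL covers the VPN pool.

```python
import ipaddress
import re
# Constructed ASA 8.2-style configs with placeholder RFC 1918 networks (hypothetical; the
# post's addresses were not shown): HQ 10.1.0.0/24, othersite 10.2.0.0/24, pool 10.9.9.0/24.
BEFORE = """
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 10.1.0.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
nat (outside) 1 10.9.9.0 255.255.255.0
"""
# AFTER applies the answer's two changes: NAT exemption on outside, remote net in the split ACL.
AFTER = BEFORE + """
access-list nonat_outside extended permit ip 10.9.9.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (outside) 0 access-list nonat_outside
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 10.2.0.0 255.255.255.0
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def acl_covers(config, name, src, dst=None):
    """True if ACL `name` has a permit line containing src (and dst, for extended ACLs)."""
    n = re.escape(name)
    for line in config.splitlines():
        ext = re.match(rf"access-list {n} extended permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        std = re.match(rf"access-list {n} standard permit (\S+) (\S+)$", line)
        if ext and src.subnet_of(_net(ext[1], ext[2])) and (dst is None or dst.subnet_of(_net(ext[3], ext[4]))):
            return True
        if std and src.subnet_of(_net(std[1], std[2])):
            return True
    return False

def check_hairpin(config, pool, remote):
    """Each key is one condition the VPN pool needs to reach the L2L network through the ASA."""
    pool, remote = ipaddress.ip_network(pool), ipaddress.ip_network(remote)
    def acl_for(pattern):  # name of the ACL referenced by a matching config line, or None
        m = re.search(pattern, config, re.M)
        return m[1] if m else None
    nat0 = acl_for(r"^nat \(outside\) 0 access-list (\S+)")
    split = acl_for(r"^ split-tunnel-network-list value (\S+)")
    crypto = acl_for(r"^crypto map \S+ \d+ match address (\S+)")
    return {
        "intra_interface": "same-security-traffic permit intra-interface" in config,
        "nat_exempt_outside": bool(nat0) and acl_covers(config, nat0, pool, remote),
        "split_tunnel_has_remote": bool(split) and acl_covers(config, split, remote),
        "crypto_acl_has_pool": bool(crypto) and acl_covers(config, crypto, pool, remote),
    }
```

With the sample data the AFTER config still fails `crypto_acl_has_pool`: the hairpinned pool-to-othersite traffic is only encrypted if the crypto ACL (and its mirror on the other-office peer) also lists the VPN pool.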