Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

CISCO VPN CLIENT BEHIND A SITE-TO-SITE VPN ROUTER

Hi:

I need to allow a VPN CLIENT connected to a LAN behind a site-to-site vpn router to go out and connect to a different VPN server.

The issue is that the Router (configured for vpn site-to-site) intercepts the incomming IPSec messages from the other VPN server and the VPN client cannot connect.

How could I try to solve it?

Thanks a lot

Julio

Everyone's tags (5)
7 REPLIES
Cisco Employee

CISCO VPN CLIENT BEHIND A SITE-TO-SITE VPN ROUTER

HI,

Could you please try to explain with the help of a network diagram?

Thanks

Jeet Kumar

Community Member

CISCO VPN CLIENT BEHIND A SITE-TO-SITE VPN ROUTER

Yes, thank you for your response.

Here is the layout. There is a site-to-site VPN established and working fine between Site A and Site B.

It is necessary to access a third party network in site C by using a Cisco VPN Client, which is connected to LAN in site A, behind the gateway- router, as indicated.

VPN Client PC sends the initial request to router in Site C, but the response is intercepted by router in Site A, and it never reaches the Client VPN. I assume that the router tries to look for a SA, but as it doesn´t find any, discards the packet. How can I configure the router to permit this packet to go through the router (NAT) and to reach the internal PC?

Thanks again.

VIP Purple

Re: CISCO VPN CLIENT BEHIND A SITE-TO-SITE VPN ROUTER

You need to use a different IP for your user-sessions then you use for your L2L-sessions. If you don't have multiple IPs you have to change the VPN-technologie. For the client-connection that could be Anyconnect-SSL or for example IPSec over TCP if you have to use the legacy VPN-client.


Sent from Cisco Technical Support iPad App

Community Member

CISCO VPN CLIENT BEHIND A SITE-TO-SITE VPN ROUTER

Thank you for your answer.

If you are so kind I´ll need some futher reference to some links explaining the alternatives: for instance, I cannot figure how two different IP addresses could help. May be I guess somewhat about running IPSec over TCP, and I am looking if we could make the Site C organization is able to configure this way for us.

Thanks a lot and I´ll appreciate further references.

Cheers

Julio

Community Member

CISCO VPN CLIENT BEHIND A SITE-TO-SITE VPN ROUTER

...

Thanks a lot and I´ll appreciate further references.

Cheers

Julio

Community Member

CISCO VPN CLIENT BEHIND A SITE-TO-SITE VPN ROUTER

Hi Jeet:

I already posted the diagram. Any input? I´ll appreciate it

This forum doesn´t seem to be a meteoric, up and doing forum ...

Sorry.

Community Member

CISCO VPN CLIENT BEHIND A SITE-TO-SITE VPN ROUTER

A bit late to the party, but if you haven't resolved your issue, the problem is most likely your NAT.  If you're overloading all outbound traffic to the same IP address that your site-to-site traffic is built to, then your router is going to think that the IPSEC traffic is coming to it, not to your inside client.  You will need to NAT your traffic to a different IP address.  I would give the client machine a different static NAT to get around this - or change your overload NAT so that it's a different IP than your VPN.

Example.  If all your site A traffic is using 1.1.1.1 and your VPN tunnels are also built to 1.1.1.1, then change one of them to 1.1.1.2, or give your one workstation a static NAT of 1.1.1.2 so that the router can differentiate.

3868
Views
0
Helpful
7
Replies
CreatePlease to create content