We had to completely reinstall our Cisco ASA5505 which is the router connecting all our branch sites. All the sites are connecting fine but I'm having headaches trying to figure out why the remote users cannot reach my site-to-site subnets. It was working before so I know the problem is on this router.
Any help would be greatly appreciated!
Our main site network is 192.168.1.0/24
Site-to-site networks are 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24
Remote VPN network is 192.168.140.0/24
Do I understand you right that you want your users in 192.168.140.0 to be able to communicate with the spoke networks 192.168.2.0, 3.0 and 4.0?
Then you need to extend your config with the following:
You have to allow the ASA to send traffic out of the same interface where the traffic arrived. That is needed because the remote-VPN traffic enters the ASA on the outside interface and the S2S VPNs are also terminated on the outside interface:
same-security-traffic permit intra-interface
Then, the crypto definitions to the spokes have to include the traffic from the remote VPN:
access-list outside_1_cryptomap extended permit ip 192.168.140.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.140.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.140.0 255.255.255.0 192.168.3.0 255.255.255.0
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
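To verify a rebuilt hub config for exactly the two things the answer above calls for (the intra-interface permit present, and each spoke's crypto ACL carrying the remote-VPN pool), here is an added Python example that is not from the thread or from Cisco; the config text in it is constructed from the subnets the poster listed, with one spoke deliberately left uncovered.

```python
import ipaddress
import re

# Constructed sample of a hub ASA config (not the poster's real config):
# remote-VPN pool 192.168.140.0/24, spokes 192.168.2.0/24, .3.0/24, .4.0/24.
# Spoke 192.168.3.0/24 is deliberately left without a remote-VPN entry.
SAMPLE_CONFIG = """
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.140.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.140.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
"""

INTRA_LINE = "same-security-traffic permit intra-interface"
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_crypto_acls(config):
    """Return (intra_interface_enabled, {acl_name: [(src_net, dst_net), ...]})."""
    intra = False
    acls = {}
    for line in config.splitlines():
        line = line.strip()
        if line == INTRA_LINE:
            intra = True
            continue
        m = ACE_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            # ipaddress accepts dotted netmasks, so "a.b.c.d/255.255.255.0" parses directly
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
            )
    return intra, acls


def find_gaps(config, vpn_pool, spokes):
    """List what would still keep remote-VPN users away from the spoke networks."""
    pool = ipaddress.ip_network(vpn_pool)
    intra, acls = parse_crypto_acls(config)
    gaps = []
    if not intra:
        gaps.append("missing: " + INTRA_LINE)
    for spoke in spokes:
        spoke_net = ipaddress.ip_network(spoke)
        # Covered if some crypto ACE has a source containing the pool and a destination containing the spoke
        covered = any(pool.subnet_of(src) and spoke_net.subnet_of(dst)
                      for aces in acls.values() for src, dst in aces)
        if not covered:
            gaps.append(f"no crypto ACL entry for {pool} -> {spoke_net}")
    return gaps
```

The check covers only what the answer names; the spoke side of each tunnel must carry the mirror-image entries for the same pool, which this script does not see.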