New Member

Routing a Site-site VPN to Remote VPN users

Hi,

We have a site-site and remote VPN configured on the same interface in an ASA 5520 (software version 8.3). When remote VPN users try to connect to computers located on the distant end of the site-site VPN, their requests fail. I tried No-Nat between the remote VPN private IP and the remote site private IP, and also stated the same in split tunneling. I can't even get a tracert, and ping also timed out.

Is there any solution to make this thing live?

Shankar.

Accepted Solutions
Cisco Employee

There are a few things that need to be added for this to work:

1) On the ASA where remote vpn users are connecting to, you would need to add "same-security-traffic permit intra-interface"

2) You mention that you have added the remote site-to-site LAN in the split tunnel list, so that is good.

3) On the ASA that terminates the remote access vpn, you also need to add the following:

- Crypto ACL for the site-to-site VPN needs to include the following:

access-list permit ip

4) On the remote site-to-site ASA, you would need to add:

- Crypto ACL for the site-to-site VPN needs to include the following:

access-list permit ip

- No-Nat: access-list permit ip
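
The four steps above written out as a configuration sketch; this is an added example, not part of the original post, and it does not recover the placeholders missing from the post's access-list lines. All addresses (hub LAN 10.1.0.0/24, remote-access pool 10.10.10.0/24, remote-site LAN 192.168.2.0/24), the interface names, and every ACL, object, group-policy and crypto-map name are assumptions. The hub is taken to run 8.3 as stated in the thread, and the remote ASA is assumed to run pre-8.3 software.

```cisco
! ===== Hub ASA (8.3): terminates remote-access VPN and the site-to-site tunnel =====
! Step 1: allow traffic to enter and leave the same (outside) interface
same-security-traffic permit intra-interface
!
! Step 2: split-tunnel list sends the remote-site LAN into the client tunnel
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.2.0 255.255.255.0
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Step 3: site-to-site crypto ACL gains a line for RA pool -> remote-site LAN
access-list S2S-CRYPTO extended permit ip 10.1.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list S2S-CRYPTO extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address S2S-CRYPTO
!
! NAT exemption for the hairpinned flow (the "No-Nat" the question mentions),
! in 8.3 twice-NAT syntax; it matters when another rule would translate the pool
object network RA-POOL
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.2.0 255.255.255.0
nat (outside,outside) source static RA-POOL RA-POOL destination static REMOTE-LAN REMOTE-LAN
!
! ===== Remote ASA (assumed pre-8.3): far end of the site-to-site tunnel =====
! Step 4: crypto ACL is the exact mirror of the hub's, including the pool line
access-list S2S-CRYPTO extended permit ip 192.168.2.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list S2S-CRYPTO extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
! No-NAT ACL also covers the pool, so replies are not translated on the way back
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

Keep the two crypto ACLs exact mirrors and limited to these subnets, since intra-interface forwarding applies to all traffic arriving on that interface. `show crypto ipsec sa` on either ASA should then list a separate SA for the pool-to-remote-LAN pair.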

New Member

Hi Jennifer and Arun,

At last, after a fusillade of trial and error, I got the ICMP response from remote VPN to the distant end of the site-site VPN. All the four steps by Jennifer did well, but the missing part is the issuance of the command

same-security-traffic permit intra-interface.

The thread https://supportforums.cisco.com/thread/2030063 helped me to find this out.

Thanks and Regards

Shankar

7 REPLIES
New Member

Let us know if you would like to see an example config. Currently traveling, but could in the next few days edit and post our config to give you an example to work off of. I believe it was Jennifer here who in fact helped when I had the very same problem. Seems confusing at first, but once everything is in place it all comes together to make sense.

New Member

Hi Jennifer,

I tried the four steps which you mentioned, but again I failed. Did you get this working in ASA?

New Member

Hi Shankar,

This seems like a clear case of hairpinning to me. The only thing missing seems to be the "distant end of the site" reverse route towards the remote vpn users at this end.

Hope NAT is not involved, else it gets a little bit trickier.

HTH

Cheers

Arun

New Member

Oops, I missed that point Shankar.

Routing a Site-site VPN to Remote VPN users

Shankar,

If you read Jennifer's post carefully, her first point was about same-security-traffic permit intra-interface.

HTH

Kishore
