How to authorise the subnet mask

Hi guys,

I have an ASA in the head office and an ASA 5505 in the shop as well. What is happening here is that when I do VPN to the head office through the Cisco client, I can't access the server in the SHOP directly; I have to go through another server in the head office and then connect to the server in the shop.

How can I fix it or authorise the IP range so that I can directly access the server through RDP in the shop?
When I connect to the VPN I get an IP address like

How can I fix it? Please help with the command.
batry_boy Commented:
Yes, you will need to allow all (meaning from any source IP on the Internet) UDP 500 and UDP 4500 port traffic inbound through the head office ASA to the shop ASA, and then configure the shop ASA to accept remote access VPN connections such as you have already done on the head office ASA.  Then you should be able to get to the server behind the shop ASA once you have a VPN connection to the shop ASA.

Here are the commands to allow this traffic through the head office ASA:

access-list outside_access_in permit udp any host x.x.x.x eq isakmp
access-list outside_access_in permit udp any host x.x.x.x eq 4500
access-group outside_access_in in interface outside

where x.x.x.x = IP address of outside interface on the shop ASA

It sounds like you have the following setup to get to the shop server:

vpn client ---------- Head Office ASA ----------- Shop ASA --------- server

Is this correct?

If so, then you will need to make sure that the Shop ASA is allowing 172.16.x.x addresses inbound to that server.  It would help if you posted both firewall configs and then I can give you exact commands to put in.
ammartahir1978 (Author) Commented:
That's correct, batry.

Yes, this is what is happening right now, but I want to access the shop server directly. Can I create a VPN connection for the shop ASA and access it, or can you tell me the command? I don't feel comfortable posting the ASA settings here.

Can you help besides that?

ammartahir1978 (Author) Commented:
Thank you Batry,

How can I allow all the traffic?
Can you please give commands for both?

For head office and for the shop side as well. Thank you.

The easiest way to fix this is to drop:

sysopt connection permit-vpn (this will allow ACL and NAT bypass for IPsec/VPN traffic)

Let me know how it goes.
That will be for both head office and shop ASAs.
ammartahir1978 (Author) Commented:
Hi guys,

I have a VPN connection from the SHOP ASA to the HEAD office ASA all the time; it is only when I am trying to access the SHOP server that it doesn't connect.

The reason is that when I connect my VPN from home I get
the following IP: where my head office IP is

All I need is that when users connect their VPN client they should be able to access the server in the shop without connecting to a server in the head office and then connecting to the server in Notting Hill.

Ammar Tahir

ammartahir1978 (Author) Commented:
Here is the screenshot of the route.
ammartahir1978 (Author) Commented:
What is the command for allowing an access-list for 172.16.55.X on the shop ASA inbound?
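The configuration the thread is circling, written out as an added example that is not from batry_boy, the later commenter or ammartahir1978: keep the existing site-to-site tunnel between the shop ASA 5505 and the head office ASA, and let the remote-access clients' 172.16.55.0/24 pool ride over it to the shop server, so the client never has to hop through a head office machine. This goes beyond the individual lines posted above and covers the access-list question for the shop ASA, the "allow 172.16.x.x inbound" point in the first answer and the sysopt remark. Everything except the 172.16.55.x pool is an assumption: head office LAN 192.168.10.0/24, shop LAN 192.168.20.0/24, shop server 192.168.20.10, the ACL, crypto-map and group-policy names, and pre-8.3 NAT syntax (8.3 and later use object NAT instead). The tunnel-group, ISAKMP policy and transform-set of the existing site-to-site tunnel are assumed to be in place already and are not repeated.

```cisco
!=== Head office ASA (where the remote-access clients land) ===
! Assumed (hypothetical) addressing: head office LAN 192.168.10.0/24,
! shop LAN 192.168.20.0/24, remote-access pool 172.16.55.0/24 (from the thread),
! shop ASA outside address x.x.x.x. NAT lines use the pre-8.3 syntax.

! Client traffic arrives on "outside" and must leave on "outside" again to enter
! the site-to-site tunnel. The ASA drops such hairpinned traffic unless this is set.
same-security-traffic permit intra-interface

ip local pool RA-POOL 172.16.55.1-172.16.55.254 mask 255.255.255.0

! Interesting traffic for the existing L2L tunnel: add the pool as a second source.
! The peer, transform-set and tunnel-group of map entry 10 are assumed to exist already.
access-list L2L-SHOP extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list L2L-SHOP extended permit ip 172.16.55.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address L2L-SHOP
crypto map OUTSIDE-MAP interface outside

! NAT exemption so pool addresses cross the tunnel untranslated. Hairpinned traffic
! enters on "outside", so that interface needs its own nat 0 exemption.
access-list NONAT-INSIDE extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NONAT-OUTSIDE extended permit ip 172.16.55.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT-INSIDE
nat (outside) 0 access-list NONAT-OUTSIDE

! Only needed if the group policy split-tunnels: the client routes just the listed
! networks into the tunnel, so the shop LAN has to be on the list or RDP never leaves the PC.
access-list SPLIT-TUNNEL standard permit 192.168.10.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.20.0 255.255.255.0
group-policy RA-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

!=== Shop ASA 5505 (mirror image of the head office side) ===
! Crypto ACL must mirror the head office ACL, with the pool as a destination.
access-list L2L-HQ extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list L2L-HQ extended permit ip 192.168.20.0 255.255.255.0 172.16.55.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address L2L-HQ
crypto map OUTSIDE-MAP interface outside

access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 172.16.55.0 255.255.255.0
nat (inside) 0 access-list NONAT

! "sysopt connection permit-vpn" is on by default, and decrypted tunnel traffic then
! bypasses the outside interface ACL. If it has been turned off, permit only what the
! clients need (RDP from the pool to the shop server) rather than "ip any any".
access-list outside_access_in extended permit tcp 172.16.55.0 255.255.255.0 host 192.168.20.10 eq 3389
access-group outside_access_in in interface outside
```

To check it, connect a client and run `show crypto ipsec sa peer x.x.x.x` on the head office ASA: a separate SA for 172.16.55.0/24 to 192.168.20.0/24 should appear and its encaps/decaps counters should climb while RDP is open. `packet-tracer input outside tcp 172.16.55.10 40000 192.168.20.10 3389` on each ASA walks the packet through ACL, NAT and VPN lookups and names the phase that drops it, which is usually a missing NAT exemption or a crypto ACL that does not mirror its peer. Compared with the first answer's approach of opening UDP 500 and 4500 from any source to the shop ASA, this keeps a single IKE endpoint exposed to the Internet and a single set of user credentials to manage; opening the shop ASA as a second remote-access endpoint works too, but it doubles the attack surface for IKE and credential-guessing traffic.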