how to authorise the subnet mask

hi guys,

I have an ASA in the head office and an ASA 5505 in the shop as well. What is happening here is that when I VPN to the head office through the Cisco client, I can't access the server in the shop directly; I have to go through another server in the head office and then connect to the server in the shop.

How can I fix it or authorise the IP range so that I can directly access the server in the shop through RDP?
When I connect to the VPN I get an IP address like

How can I fix it? Please help with the command.

It sounds like you have the following setup to get to the shop server:

vpn client ---------- Head Office ASA ----------- Shop ASA --------- server

Is this correct?

If so, then you will need to make sure that the Shop ASA is allowing 172.16.x.x addresses inbound to that server.  It would help if you posted both firewall configs and then I can give you exact commands to put in.
ammartahir1978Author Commented:
That's correct, batry.

Yes, this is what is happening right now, but I want to access the shop server directly. Can I create a VPN connection for the shop ASA and access it, or can you tell me the command? I don't feel comfortable posting the ASA settings here.

Can you help besides that?
Yes, you will need to allow all (meaning from any source IP on the Internet) UDP 500 and UDP 4500 port traffic inbound through the head office ASA to the shop ASA, and then configure the shop ASA to accept remote access VPN connections such as you have already done on the head office ASA.  Then you should be able to get to the server behind the shop ASA once you have a VPN connection to the shop ASA.

Here are the commands to allow this traffic through the head office ASA:

access-list outside_access_in permit udp any host x.x.x.x eq isakmp
access-list outside_access_in permit udp any host x.x.x.x eq 4500
access-group outside_access_in in interface outside

where x.x.x.x = IP address of outside interface on the shop ASA



ammartahir1978Author Commented:
Thank you, Batry.

How can I allow all the traffic? Can you please give the commands for both?

For the head office and for the shop side as well. Thank you.

The easiest way to fix this is to drop in:

sysopt connection permit-vpn (this will allow ACL and NAT bypass for IPsec/VPN traffic)

Let me know how it goes.
That will be for both the head office and shop ASAs.
ammartahir1978Author Commented:
Hi Guys,

I have a VPN connection from the shop ASA to the head office ASA all the time; it is only when I am trying to access the shop server that it doesn't connect.

The reason is that when I connect my VPN from home I get
the following IP: where my head office IP is

All I need is that when users connect their VPN client they should be able to access the server in the shop without connecting to a server in the head office and then connecting to the server in Notting Hill.

Ammar Tahir

ammartahir1978Author Commented:
Here is the screenshot of the route.
ammartahir1978Author Commented:
What is the command for allowing an access-list for 172.16.55.x inbound on the shop ASA?
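The thread describes a remote-access client on the head office ASA that needs to reach a subnet behind the shop ASA over the existing site-to-site tunnel, and asks which ACL lines the shop side needs. The configuration below is an added example written for this page, not text posted by any participant in the thread, and it goes beyond the thread's own suggestion (opening UDP 500/4500 to the shop ASA and running a second remote-access VPN there): it keeps the single remote-access VPN on the head office ASA and hairpins client traffic into the site-to-site tunnel, which is the usual way to solve this on an ASA. Everything it assumes is marked: ASA 8.3 or later NAT syntax, a client pool of 172.16.55.0/24 (the thread only says clients get 172.16.55.x), a head office LAN of 10.1.0.0/24, a shop LAN of 10.2.0.0/24, and the object and ACL names. The crypto ACL names are placeholders; in a real config the new entries go into whichever ACL the existing crypto map's `match address` already references, on both ends.

```cisco
! ===== Head office ASA (assumed 8.3+ syntax, assumed addressing) =====
!   VPN client pool  172.16.55.0/24   (thread: clients get 172.16.55.x)
!   head office LAN  10.1.0.0/24      (assumed)
!   shop LAN         10.2.0.0/24      (assumed)
object network VPN_POOL
 subnet 172.16.55.0 255.255.255.0
object network HQ_LAN
 subnet 10.1.0.0 255.255.255.0
object network SHOP_LAN
 subnet 10.2.0.0 255.255.255.0
!
! 1. Client traffic enters on 'outside' (the remote-access tunnel) and must
!    leave on 'outside' again (the site-to-site tunnel). The ASA drops
!    same-interface forwarding unless it is explicitly allowed.
same-security-traffic permit intra-interface
!
! 2. Identity NAT for pool <-> shop LAN so the packets keep their real
!    addresses and match the crypto ACLs on both ends.
nat (outside,outside) source static VPN_POOL VPN_POOL destination static SHOP_LAN SHOP_LAN no-proxy-arp route-lookup
!
! 3. The site-to-site crypto ACL (name assumed) must list pool -> shop LAN as
!    interesting traffic, next to the existing HQ LAN -> shop LAN entry.
access-list L2L_TO_SHOP extended permit ip object HQ_LAN object SHOP_LAN
access-list L2L_TO_SHOP extended permit ip object VPN_POOL object SHOP_LAN
!
! 4. If the remote-access group policy uses split tunnelling, the client is
!    only routed to networks in this ACL, so the shop LAN must be added.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.255.0
!
! 5. Let decrypted IPsec traffic bypass the interface ACLs (as suggested
!    above in the thread).
sysopt connection permit-vpn

! ===== Shop ASA 5505 (mirror image) =====
! This is the "172.16.55.x inbound" piece asked about in the thread: the
! crypto ACL mirrors the head office one, and identity NAT keeps the return
! traffic to the client pool untranslated.
object network VPN_POOL
 subnet 172.16.55.0 255.255.255.0
object network HQ_LAN
 subnet 10.1.0.0 255.255.255.0
object network SHOP_LAN
 subnet 10.2.0.0 255.255.255.0
access-list L2L_TO_HQ extended permit ip object SHOP_LAN object HQ_LAN
access-list L2L_TO_HQ extended permit ip object SHOP_LAN object VPN_POOL
nat (inside,outside) source static SHOP_LAN SHOP_LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
sysopt connection permit-vpn

! ===== Verification (run on the head office ASA after a client connects) =====
! Walk a simulated RDP packet from an assumed client address to an assumed
! shop server and confirm the NAT and VPN phases show it entering the tunnel.
! packet-tracer input outside tcp 172.16.55.10 12345 10.2.0.10 3389
! Then confirm a new IPsec SA exists for 172.16.55.0/24 <-> 10.2.0.0/24.
! show crypto ipsec sa peer x.x.x.x
```

Two practical notes. First, the `packet-tracer` run is the quickest way to see which of the five pieces is missing: a drop in the NAT phase points at the identity NAT, a drop in the VPN phase points at the crypto ACL not covering the pool, and a drop at the interface ACL points at `sysopt connection permit-vpn` being absent. Second, the alternative the thread proposes (permitting UDP 500 and 4500 from any Internet source to the shop ASA and terminating a second remote-access VPN there) works, but it exposes a second IKE endpoint to the Internet and gives users two VPN profiles to manage; the hairpin keeps the shop ASA reachable only through the existing site-to-site peer.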