Route traffic from Client VPN to a subnet across a site-to-site VPN tunnel

I have 2 sites. Site1 has an ASA 5505 (10.0.0.0) and Site2 (192.168.2.0) has a PIX 506E. I have routing set up between the sites and that is working. I VPN into Site1 but cannot access the Site2 network. I know I need route statements on both networks to advertise the VPN subnet 172.16.1.0. I am just not sure where to add these.
Asked by: ccrockett1027
1 Solution
 
techzter commented:
Do the VPN client and the VPN tunnel both use the same network interface?

techzter commented:
So in our case all of our internal networks are 192.168.x.x. We created the route statements to send everything except traffic destined for those networks out to the port our internet connection is on.

0.0.0.0 0.0.0.0 10.200.1.65 - Internet Connection
192.168.4.0 255.255.252.0 10.200.1.6 - Site2
192.168.16.0 255.255.252.0 10.200.1.6 - Site2
192.168.20.0 255.255.254.0 10.200.1.6 - Site2
192.168.24.0 255.255.254.0 10.200.1.6 - Site2
192.168.26.0 255.255.254.0 10.200.1.6 - Site2
192.168.28.0 255.255.252.0 10.200.1.6 - Site2
192.168.48.0 255.255.255.0 10.200.1.6 - Site2

techzter commented:
Sorry, disregard my last post. It was meant for another thread.

ccrockett1027 (Author) commented:
Yes, both terminate on the ASA 5505.

techzter commented:
Within the same interface on the ASA 5505, or are they on separate interfaces?

ccrockett1027 (Author) commented:
They both terminate on the same IP address, so I assume that they are on the same interface?

techzter commented:
I had a difficult time getting a similar situation to work using a Pix 515. I'm not sure if it improved in the ASA devices. I ended up having to place a call into Cisco TAC to troubleshoot the issue. I will try and dig in my notes to see if I can find what we did to make it work. Hopefully someone else that has had some experience with this may weigh in as well.

ccrockett1027 (Author) commented:
I had someone suggest that I run this command:
same-security-traffic permit inter-interface
I did, and still no access to the remote subnet.

techzter commented:
That is along the lines of what I remember doing. We also had to manually adjust the security levels of the ACL so that they weren't the same. I am having trouble finding the notes as to what we had done.

ccrockett1027 (Author) commented:
Had to call Cisco.

techzter commented:
Do you mind sharing the fix?

ccrockett1027 (Author) commented:
Sorry, I don't have the fix. I had a 3rd party vendor call Cisco to figure it out. He did not ask the Cisco tech what he did to fix it. I have some idea; I will give you what was added in the configs afterwards. There may be more, but this is what I have.

Local Additions (ASA 5505)
access-list 113 extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0 inactive
(I am not sure where this access-list 113 is applied?)

Remote Additions (PIX 515)
access-list 110 permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
(nat (inside) 0 access-list 110)
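As an added example (not code from the thread or from either device's configuration), the following Python checker parses ASA/PIX access-list lines in the form quoted above and reports whether the local and remote entries mirror each other for the VPN pool and the Site2 subnet; an entry carrying the `inactive` keyword is treated as not applying, which is what that keyword means on the ASA. The two sample entries are the ones posted above; the /24 CIDR arguments are assumed from the subnets named in the question.

```python
import ipaddress
import re
from dataclasses import dataclass

# Matches the ASA/PIX "access-list ... permit ip" lines quoted in the thread.
# Only the dotted-netmask form is handled (no "any", "host" or object names).
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)(?P<inactive>\s+inactive)?$"
)

@dataclass(frozen=True)
class Ace:
    name: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    inactive: bool  # "inactive" keyword: entry is configured but never matched

def parse_acl(text):
    """Parse one entry per line; lines that do not fit the pattern are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            entries.append(Ace(m["name"], m["action"], src, dst, m["inactive"] is not None))
    return entries

def _covering(acl, src_net, dst_net):
    return [a for a in acl if a.action == "permit"
            and src_net.subnet_of(a.src) and dst_net.subnet_of(a.dst)]

def check_mirror(local_acl, remote_acl, local_cidr, remote_cidr):
    """List why local_cidr <-> remote_cidr would not be selected on both peers.
    The remote ACL must mirror the local one (source/destination swapped)."""
    lnet, rnet = ipaddress.ip_network(local_cidr), ipaddress.ip_network(remote_cidr)
    problems = []
    for side, acl, s, d in (("local", local_acl, lnet, rnet), ("remote", remote_acl, rnet, lnet)):
        hits = _covering(acl, s, d)
        if not hits:
            problems.append(f"{side}: no permit entry covers {s} -> {d}")
        elif all(a.inactive for a in hits):
            problems.append(f"{side}: only inactive entries cover {s} -> {d}")
    return problems

if __name__ == "__main__":  # the two entries quoted in the thread
    asa = parse_acl("access-list 113 extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0 inactive")
    pix = parse_acl("access-list 110 permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0")
    print(check_mirror(asa, pix, "172.16.1.0/24", "192.168.2.0/24"))
```

Run against the posted entries it reports that the ASA side only has an inactive entry, so the pool-to-Site2 traffic would not be selected there until that keyword is removed.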