Route multiple subnets over Cisco ASA 5505 VPN

I've seen questions that have touched on this, but I'm still a little confused. So I'm hoping you can help. :-)

We have two physical locations, both of which are connected using a Cisco ASA 5505 VPN on each side. Works great. On one side we also have a remote-access VPN for a few remote users. These users can access resources on one side of the site-to-site VPN (the side they connect to), but not the other.

Here is what we have:

siteA <- Site2Site VPN --> siteB
                                                                       <-- RA VPN --> remote users

So users connect to the Cisco ASA 5505 on the siteB side and can access all resources in However, they can't access anything on It seems to be a routing issue from what I can tell, but I can't find a way to get routing of a second subnet to work over the site-to-site VPN other than the initial subnets you setup in the VPN config.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Kerem ERSOYPresidentCommented:
You need  to::
- add a static routing to RA VPN box so that it will direct traffic to the site2siteVPN box.
- add a static routing to site2site VPN box so that all traffic is directed to RA-VPN box.
- If site2Site box is not the default gateway for SiteA hosts you need to add a static route to direct all  traffic to Site2Site side interface.

As you will notice these are all static routings so you won't need to configure it over the VPN. Just aadd it to the configuration of VPN boxes.

You'd be better off using reverse route injection on your crypto map configurations so the ASA's can handle inter-site routing. Eg:
crypto dynamic-map Outside_dyn_map 20 set reverse-route

On your ASA which handles the remote access VPN terminate, send it a default to be the ASA's IP address so it can handle routing:
route <Interface name> <next-hop IP> tunneled

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.