rvosinsurance asked:
How to route between VPNs on Cisco ASAs

We have two ASAs with private networks on either side.  These two ASAs have an IPSec site-to-site tunnel between them.  The primary ASA at the main office has a bunch of AnyConnect clients. These clients can talk to each other and other systems in the office as expected, but are unable to communicate with any of the systems in the remote office's subnet.

Is there a way to enable the systems in the remote subnet to talk to the AnyConnect clients?

192.168.12.0/24 (VPN Client subnet) -> 192.168.0.0/22 (Main office) -(site-to-site IPSec tunnel)> 192.168.100.0/22 (Remote office)
joelvp:

You need to permit the traffic from outside in, so let's assume the name of your outside interface is 'outside';
then you will create the following rules:

conf t
access-list outside-in permit ip 192.168.12.0 255.255.255.0 192.168.100.0 255.255.252.0

access-group outside-in in interface outside

and also you need to set:

same-security-traffic permit intra-interface
in addition you have to make sure the traffic is exempted from nat translation (nat0)
Donboo (asker-certified solution; only available to members):
rvosinsurance (ASKER):
After doing #1 and #5 in Donboo's comment, the networks can sorta talk to each other.  I can connect to web services in the remote network, but I cannot ping anything in that network.  I've used the Packet tracer to no avail -- they say the packet is allowed.

Donboo, do you know how to do this in ASDM?
Moderator, Donboo answered the majority of my question.  You can reward him the points.
Qlemo:
Please object (this will stop my recommended action), and then assign points yourself.
Objecting to award points.
Would have liked to have the second part of this question answered, but it did get me going.
Hi rvos.

I am on vacation at the moment so my posting is sporadic.

Your anyconnect clients can reach the remote network but not ping it correct?
Correct.
Have you any access-lists on the inside interface on the remote ASA that drops ICMP?
Do you have any outgoing access-lists on any of the ASAs that block ICMP? (only applicable if you aren't using VPN bypass)
Do you have VPN filtering on the anyconnect clients?

Also does the security service policy inspect ICMP?
Configuration->firewall->Service Policy Rules->inspection_default-Rule action
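Putting joelvp's hairpin/NAT-exemption advice and the ICMP inspection question together, here is an added configuration example for both ASAs; it is not from any answer on this page, and it assumes ASA 8.3+ NAT syntax, interface names 'outside' and 'inside', the crypto/object names shown, and a placeholder peer address.

```cisco
! ===== Main-office ASA =====
! AnyConnect traffic enters and leaves on 'outside', so hairpinning must be allowed.
same-security-traffic permit intra-interface
!
! The site-to-site crypto ACL must also carry the client pool, otherwise the
! tunnel never encrypts 192.168.12.0/24 -> 192.168.100.0/22 (ACL name assumed).
access-list L2L_TO_REMOTE extended permit ip 192.168.0.0 255.255.252.0 192.168.100.0 255.255.252.0
access-list L2L_TO_REMOTE extended permit ip 192.168.12.0 255.255.255.0 192.168.100.0 255.255.252.0
!
! If the AnyConnect profile uses split tunneling, the remote subnet must be in that ACL too.
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.252.0
access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.252.0
!
! NAT exemption (identity NAT) for pool <-> remote office. Both legs are on 'outside'.
! (Pre-8.3 equivalent: nat (outside) 0 access-list <nonat-acl>)
object network VPN_POOL
 subnet 192.168.12.0 255.255.255.0
object network REMOTE_OFFICE
 subnet 192.168.100.0 255.255.252.0
nat (outside,outside) source static VPN_POOL VPN_POOL destination static REMOTE_OFFICE REMOTE_OFFICE no-proxy-arp route-lookup
!
! Stateful ICMP inspection so echo replies are matched to their requests
! (CLI form of the ASDM Service Policy Rules -> inspection_default path above).
policy-map global_policy
 class inspection_default
  inspect icmp
!
! ===== Remote-office ASA =====
! Mirror the crypto ACL and exempt LAN <-> pool from NAT (names assumed).
access-list L2L_TO_MAIN extended permit ip 192.168.100.0 255.255.252.0 192.168.0.0 255.255.252.0
access-list L2L_TO_MAIN extended permit ip 192.168.100.0 255.255.252.0 192.168.12.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.12.0 255.255.255.0
object network LOCAL_LAN
 subnet 192.168.100.0 255.255.252.0
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! ===== Verification (main-office ASA) =====
! Simulated echo request from a client toward the remote LAN; the trace should end in
! the VPN phase (encrypt), not in an ACL or NAT drop.
packet-tracer input outside icmp 192.168.12.10 8 0 192.168.100.10
! Encaps/decaps counters for the pool<->remote SA should increase while a client pings.
show crypto ipsec sa peer REMOTE_PEER_IP_PLACEHOLDER
```

With `sysopt connection permit-vpn` at its default, decrypted VPN traffic bypasses the interface ACL, so joelvp's `outside-in` rule is only required if that bypass has been disabled.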