Cisco ASA 5505 VPN Client access across VPN Tunnel

I have 2 Cisco ASA 5505's that communicate through a VPN. I have a Cisco Client setup on "Site A" which communicates with the local LAN fine, but when I try to access a machine across the VPN tunnel located in "Site B" while connected to the VPN client I am unable to do so. To be clear, I am at home and connect the Cisco VPN client on my laptop, I can then access the local LAN of the ASA where the client is configured but I cannot access the LAN across the VPN.

Here is my config:

Site A:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.57.1.1 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.57.1.0 255.255.255.0 10.57.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.57.1.0 255.255.255.0 10.57.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.57.10.0 255.255.255.0 10.57.2.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.57.1.0 255.255.255.0 10.57.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.57.10.0 255.255.255.0 10.57.2.0 255.255.255.0

access-list RemoteVPN_splitTunnelAcl standard permit 10.57.1.0 255.255.255.0
access-list RemoteVPN_splitTunnelAcl standard permit 10.57.2.0 255.255.255.0

ip local pool RemotePool 10.57.10.100-10.57.10.150 mask 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ESP-AES-128-SHA

group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 dns-server value 10.57.1.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPN_splitTunnelAcl
 default-domain value XXXXXX

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *****

tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
 address-pool RemotePool
 default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key *





Site B:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.57.2.1 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.57.2.0 255.255.255.0 10.57.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.57.2.0 255.255.255.0 10.57.10.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.57.2.0 255.255.255.0 10.57.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.57.2.0 255.255.255.0 10.57.10.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ESP-AES-128-SHA

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *****
Asked by: Matthew Galiano, CTO

ArneLovius commented:
The above config fragments look as if they should be okay, so I would check elsewhere in the config.

Do you have an ACL configured on the remote access VPN?

Do you have any deny ACL rules that could be conflicting?
0
Matthew Galiano (CTO, Author) commented:
Do you have an ACL configured on the remote access VPN?

Not sure what you mean, I have posted all of my ACLs.

Do you have any deny ACL rules that could be conflicting?

The only deny I have is for SMTP.
0
Matthew Galiano (CTO, Author) commented:
Thought maybe it had to do with the encryption across the tunnel but still no good.

Any other ideas?
0
Ron Malmstead (Information Services Manager) commented:
You can route a VPN client from one router to the other, using one client VPN connection. Or you could just have two client connections, one to each site. The second is the easiest.
0
Matthew Galiano (CTO, Author) commented:
I am looking to get it done the 1st way. I connect to the client and can access the LAN on site 1 but cannot access the LAN on site 2 across the VPN tunnel.
0
Pete Long (Technical Consultant) commented:
You need to set up 'Spoke to spoke'

Cisco Firewall VPN "Hair Pinning"

Pete
0
Matthew Galiano (CTO, Author) commented:
Awesome.

Believe it or not this is all I was missing.

same-security-traffic permit intra-interface

Thanks.
0
Pete Long (Technical Consultant) commented:
No Bother, Glad I could help

PL
0
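
The prerequisites this thread walks through, as an added example that is not part of the original posts: a Python check that reads ASA config fragments and reports what is still missing before remote-access clients can reach the LAN behind the site-to-site tunnel. The name `hairpin_gaps` and the embedded sample (Site A lines copied from the question) are assumptions of this example.

```python
import ipaddress

FIX = "same-security-traffic permit intra-interface"

# Constructed input: Site A fragments copied from the question above.
SITE_A = """\
access-list outside_1_cryptomap extended permit ip 10.57.1.0 255.255.255.0 10.57.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.57.10.0 255.255.255.0 10.57.2.0 255.255.255.0
access-list RemoteVPN_splitTunnelAcl standard permit 10.57.1.0 255.255.255.0
access-list RemoteVPN_splitTunnelAcl standard permit 10.57.2.0 255.255.255.0
ip local pool RemotePool 10.57.10.100-10.57.10.150 mask 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
 split-tunnel-network-list value RemoteVPN_splitTunnelAcl
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def hairpin_gaps(config, remote_lan):
    """List what is missing for VPN-pool clients to reach remote_lan via the L2L tunnel."""
    remote = ipaddress.ip_network(remote_lan)
    acls, pool, crypto_acl, split_acl, fix_seen = {}, [], None, None, False
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w[2:5] == ["extended", "permit", "ip"] and len(w) == 9:
            acls.setdefault(w[1], []).append((net(w[5], w[6]), net(w[7], w[8])))
        elif w[:1] == ["access-list"] and w[2:4] == ["standard", "permit"] and len(w) == 6:
            acls.setdefault(w[1], []).append((None, net(w[4], w[5])))
        elif w[:3] == ["ip", "local", "pool"] and len(w) > 4:
            pool = [ipaddress.ip_address(a) for a in w[4].split("-")]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"] and len(w) == 7:
            crypto_acl = w[6]
        elif w[:2] == ["split-tunnel-network-list", "value"] and len(w) == 3:
            split_acl = w[2]
        elif line.strip() == FIX:
            fix_seen = True
    gaps = []
    if not fix_seen:  # traffic must be allowed to enter and leave the same interface
        gaps.append(FIX)
    if not any(remote.subnet_of(dst) for _, dst in acls.get(split_acl, [])):
        gaps.append(f"split-tunnel ACL does not send {remote} into the client tunnel")
    if not any(src is not None and pool and all(a in src for a in pool)
               and remote.subnet_of(dst) for src, dst in acls.get(crypto_acl, [])):
        gaps.append(f"crypto ACL does not cover pool -> {remote}")
    return gaps

if __name__ == "__main__":
    print(hairpin_gaps(SITE_A, "10.57.2.0/24"))
```

Site B must carry the mirrored crypto ACL and NAT-exemption entries for 10.57.10.0/24, which the Site B fragments in the question already show.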