Small VPN issue


gabrielshorn
10-13-2010, 11:43 AM
I have two offices connected by site-to-site IPSec VPN. The main office also permits remote access VPN connection. Everything works fine except for one thing. I want my remote access users to be able to access hosts in the branch office through their link to the main office. Any thoughts on what I need to change to make this work?

Setting "debug ip packet 2400" and having access-list 2400 capture all source and destination packets from the VPN address pool, I see packets from a remote access VPN host when that host tries to connect to the router directly, but see nothing when the VPN host attempts to connect to a host in the other office.

Big Evil
10-13-2010, 01:02 PM
So let me get this right first.

Users from home go to site A, and once in site A you wish them to go to site B via the VPN from site A to site B?

Depends on the way this is set up, mate. How do the users at home get into the LAN, and what kind of VPN is it?
The way I am seeing this now is:
Say a user at home comes in and gets a LAN IP of 10.1.1.1 from the pool on the VPN for home users. Your site-to-site VPN is using 192.168.1.0/24 at site A and 192.168.2.0/24 at site B. The home user would not be allowed across the VPN from site A to B, as the "interesting range" does not include the 10.x.x.x range, and the traffic will get dropped.

Pop some more info up mate if you can.

gabrielshorn
10-26-2010, 05:28 PM
Sorry for the delayed response. Exactly right, BE. Remote clients connect fine to site A, but can't communicate with hosts at site B through the site-to-site. The site-to-site itself works fine. I just can't get the packets to turn around and go back through the other tunnel.

Here's a partial config:

crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 200
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key AINTMYKEY address 70.26.12.22 no-xauth
crypto isakmp keepalive 30 5
!
crypto isakmp client configuration group RAVPN
 key Thisisntmyk3y
 dns 192.168.1.5 192.168.1.11
 wins 192.168.1.11
 domain corp.destineerstudios.com
 pool vpnpool
 acl SPLIT_TUNNEL2
 max-users 15
 max-logins 2
 netmask 255.255.252.0
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set S2S-Set esp-aes 256 esp-sha-hmac
!
crypto dynamic-map MYDYNMAP 1
 set transform-set ESP-3DES-MD5
 reverse-route
!
!
crypto map STAT_CMAP client authentication list local_authen
crypto map STAT_CMAP isakmp authorization list group_author
crypto map STAT_CMAP client configuration address respond
crypto map STAT_CMAP 50 ipsec-isakmp
 set peer 70.26.12.22
 set security-association lifetime seconds 86400
 set transform-set S2S-Set
 match address S2S_ACL
crypto map STAT_CMAP 100 ipsec-isakmp dynamic MYDYNMAP
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.252.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 service-policy input MYPOLICEPOLICY
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1
 description $OutsideInterfaceFastEthernet0/1$$ETH-WAN$
 ip address 7.25.17.237 255.255.255.240
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip tcp adjust-mss 1272
 load-interval 30
 duplex auto
 speed auto
 fair-queue
 no mop enabled
 crypto map STAT_CMAP
!
ip local pool vpnpool 192.168.12.1 192.168.12.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 7.25.17.238
!
ip nat inside source route-map ptmnat interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.7 2112 7.25.17.232 2112 route-map ptmnat extendable
!
!
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW ssh
ip inspect name SDM_LOW ntp
ip inspect name SDM_LOW ftps
!
!
ip access-list extended S2S_ACL
 permit ip any 192.168.8.0 0.0.0.255
 permit ip any 10.1.1.0 0.0.0.255
ip access-list extended SPLIT_TUNNEL2
 permit ip 192.168.0.0 0.0.3.255 any
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.8.0 0.0.0.255 any
 permit ip 10.1.1.0 0.0.0.255 any

access-list 101 permit tcp 192.168.0.0 0.0.3.255 host 7.25.17.238 eq 7800
access-list 101 permit ip any 192.168.8.0 0.0.0.255
access-list 101 permit ip any 192.168.12.0 0.0.0.255
access-list 101 permit tcp any host 1.2.3.4 range ftp-data pop3
access-list 101 permit tcp 192.168.0.0 0.0.3.255 host 208.70.134.11
access-list 101 permit tcp any host 28.7.131.61 eq smtp
access-list 101 permit tcp any host 28.7.131.61 eq 2500
access-list 101 permit tcp 192.168.0.0 0.0.3.255 host 208.70.134.10
access-list 101 permit tcp any host 208.70.128.213 eq smtp
access-list 101 permit ip 192.168.0.0 0.0.3.255 10.0.0.0 0.0.0.255
access-list 101 permit tcp any host 66.33.209.154 eq 6781
access-list 101 permit tcp host 192.168.1.165 any
access-list 101 permit tcp any host 15.17.235 eq smtp
access-list 101 permit tcp any host 15.17.173.235 eq pop3
access-list 101 deny ip any any
access-list 101 permit tcp any host 131.131.131.50 eq smtp
access-list 103 permit udp host 7.25.17.238 eq ntp host 7.25.17.237 eq ntp
access-list 103 permit udp any host 7.25.17.237 eq non500-isakmp
access-list 103 permit udp any host 7.25.17.237 eq isakmp
access-list 103 permit ip 192.168.12.0 0.0.0.15 any
access-list 103 permit esp any host 7.25.17.237
access-list 103 permit ahp any host 7.25.17.237
access-list 103 deny ip 192.168.4.0 0.0.0.255 any
access-list 103 deny ip 192.168.0.0 0.0.3.255 any
access-list 103 deny ip 10.0.0.0 0.0.0.255 any
access-list 103 permit udp host 128.101.101.101 eq ntp host 7.25.17.237 eq ntp
access-list 103 permit icmp any host 7.25.17.237 echo-reply
access-list 103 permit icmp any host 7.25.17.237 time-exceeded
access-list 103 permit icmp any host 7.25.17.237 unreachable
access-list 103 permit tcp any host 7.25.17.232 eq 2112
access-list 103 deny ip any any log
access-list 199 deny ip 192.168.0.0 0.0.3.255 192.168.8.0 0.0.0.255
access-list 199 deny ip 192.168.0.0 0.0.3.255 10.1.1.0 0.0.0.255
access-list 199 deny ip 192.168.12.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 199 deny ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 199 deny ip 10.0.0.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.12.0 0.0.0.255
access-list 199 deny ip 10.0.0.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 199 permit ip 192.168.0.0 0.0.3.255 any
access-list 199 permit ip 192.168.12.0 0.0.0.255 any
access-list 199 permit ip 10.0.0.0 0.0.0.255 any

route-map ptmnat permit 10
 match ip address 199
!
!
!
end
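Added example, not from the thread and not the poster's or Cisco's code: a small Python evaluator for Cisco-style wildcard-mask ACLs, fed the three ACLs from the config above (S2S_ACL, SPLIT_TUNNEL2 and the NAT route-map ACL 199), so that the question Big Evil raises ("is the pool in the interesting range?") and the NAT-exemption question can be checked offline instead of by reading the config by eye. Assumptions, also labelled in the code: the packet is modelled as an inside-to-outside flow leaving FastEthernet0/1, with the NAT route-map consulted before the crypto map's match ACL; OUTSIDE_IP is the posted WAN address 7.25.17.237; port qualifiers are not parsed because none of these three ACLs use them. The function and variable names are my own.

```python
"""
Cisco-style ACL evaluator applied to the config posted above.
Added example; not from the thread.  Assumption: for a packet leaving
FastEthernet0/1 inside-to-outside, IOS consults the NAT route-map (ACL 199)
before the crypto map's match ACL (S2S_ACL).  OUTSIDE_IP is the posted WAN
address used by 'ip nat inside source ... interface FastEthernet0/1 overload'.
"""
import ipaddress
from dataclasses import dataclass

OUTSIDE_IP = "7.25.17.237"


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol
    src: tuple    # (network as int, wildcard mask as int)
    dst: tuple


def _addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(text):
    """Parse named ('permit ip ...') or numbered ('access-list 199 deny ip ...')
    entries.  Port qualifiers are not needed for the ACLs below and are ignored."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            t = t[2:]
        src, i = _addr(t, 2)
        dst, _ = _addr(t, i)
        aces.append(Ace(t[0], t[1], src, dst))
    return aces


def _hit(addr, ip):
    """Wildcard-mask match: bits set in the wildcard are don't-care bits."""
    net, wild = addr
    return ((ip ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(aces, src_ip, dst_ip, proto="ip"):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if ace.proto in ("ip", proto) and _hit(ace.src, s) and _hit(ace.dst, d):
            return ace.action
    return "deny"


# Crypto-map match ACL from the post (interesting traffic for the site-to-site tunnel).
S2S_ACL = parse_acl("""
permit ip any 192.168.8.0 0.0.0.255
permit ip any 10.1.1.0 0.0.0.255
""")

# Split-tunnel ACL pushed to remote-access clients (source field = network reached via the tunnel).
SPLIT_TUNNEL2 = parse_acl("""
permit ip 192.168.0.0 0.0.3.255 any
permit ip 10.0.0.0 0.0.0.255 any
permit ip 192.168.8.0 0.0.0.255 any
permit ip 10.1.1.0 0.0.0.255 any
""")

# NAT route-map ACL 199 from the post: 'deny' = exempt from translation, 'permit' = translate.
NAT_ACL_199 = parse_acl("""
access-list 199 deny ip 192.168.0.0 0.0.3.255 192.168.8.0 0.0.0.255
access-list 199 deny ip 192.168.0.0 0.0.3.255 10.1.1.0 0.0.0.255
access-list 199 deny ip 192.168.12.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 199 deny ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 199 deny ip 10.0.0.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.12.0 0.0.0.255
access-list 199 deny ip 10.0.0.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 199 permit ip 192.168.0.0 0.0.3.255 any
access-list 199 permit ip 192.168.12.0 0.0.0.255 any
access-list 199 permit ip 10.0.0.0 0.0.0.255 any
""")


def client_sends_via_tunnel(dst_ip):
    """Would a split-tunnel client even send dst_ip down the VPN?  The split
    ACL lists protected networks in its source field, so match dst against it."""
    d = int(ipaddress.IPv4Address(dst_ip))
    return any(_hit(ace.src, d) for ace in SPLIT_TUNNEL2)


def classify(src_ip, dst_ip):
    """Follow one packet through the outbound policy on FastEthernet0/1:
    NAT decision first, then crypto-map match on the (possibly translated) source."""
    translated = evaluate(NAT_ACL_199, src_ip, dst_ip) == "permit"
    post_nat_src = OUTSIDE_IP if translated else src_ip
    return {
        "split_tunneled": client_sends_via_tunnel(dst_ip),
        "natted": translated,
        "post_nat_src": post_nat_src,
        "encrypted": evaluate(S2S_ACL, post_nat_src, dst_ip) == "permit",
    }


if __name__ == "__main__":
    # Constructed sample: one remote-access client from vpnpool talking to each site B network.
    for dst in ("192.168.8.10", "10.1.1.10"):
        print("192.168.12.5 ->", dst, classify("192.168.12.5", dst))
```

Run as-is and it prints the verdict for a pool address talking to each site B network. Two things fall out of the posted config: S2S_ACL matches "any" as the source, so the pool is already interesting traffic and adding it to that ACL changes nothing; and ACL 199 exempts the pool from translation only towards 192.168.8.0/24, so a pool client talking to 10.1.1.0/24 would be translated to the WAN address before the crypto map sees it. Whether a decrypted, hairpinned packet is subject to inside-source NAT at all is a separate question, which is why the script only claims to model the inside-to-outside path.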

Big Evil
10-27-2010, 05:11 AM
I think you will have to add the IP pool you have given the remote users (192.168.12.1 - 15) to the statement below.


ip access-list extended S2S_ACL
 permit ip any 192.168.8.0 0.0.0.255
 permit ip any 10.1.1.0 0.0.0.255

gabrielshorn
10-28-2010, 10:26 AM
Thanks BE. Already tried that. No dice.

Big Evil
10-28-2010, 12:07 PM
Odd. What does a debug show you? Where are the packets being dropped?

gabrielshorn
11-02-2010, 07:03 PM
The NAT deny ACL increments with each packet sent.

debug ip routing <acl> shows packets sent from remote VPN client "routed via RIB"

debug ip packet <acl> shows nothing. There should be a "sent" message.

I think this has to do with something like the "same-security-traffic permit intra-interface" command that you have to include on an ASA to allow the traffic to hairpin back into the interface that it just came out. Found an interesting article for IOS on getting this to work. I'll try it and post findings.

Here's the article if anyone's interested:

http://www.cisco.com/en/US/customer/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

Big Evil
11-03-2010, 09:28 AM
Sounds like something I did a while back.

http://bigevilsciscoworld.wordpress.com/2010/01/23/tcp-state-bypass/

gabrielshorn
11-03-2010, 01:56 PM
OK. It was probably an ACL that I cleaned up a few days ago. I got rid of some unnecessary static routes that I had put in after I got frustrated, and everything works. Basically, on router A, I had:

ip route <site B address> 255.255.255.0 fa 0/1

And on site B's router, I had:

ip route <VPN addr pool> 255.255.255.0 fa 0/1

The minute these were gone, everything worked. Pass the CR, please!

Thanks for your help, Evil. The TCP state bypass article was interesting anyway!

Big Evil
11-04-2010, 10:22 AM
Well done GH.