Here’s the setup – Client VPN connections from remote employees (at home, let’s say) make a VPN connection to Firewall “A”. That same firewall has an IPSec connection to another Firewall, “B”, which is a remote office. Why can’t I get traffic to pass from the Client VPN to Firewall “B”?

Config changes on Firewall “A”:

  • Added the split-tunneling details for the Client VPN, so that the tunnel identifies the subnet for Firewall “B” as interesting traffic.
  • Modified the crypto-map for the tunnel between Firewall “A” and “B” to protect traffic from the Client VPN subnet to the Firewall “B” subnet.
  • Added a NoNAT statement for traffic from the Client VPN subnet to the Firewall “B” subnet.
  • Standard ACL for the “inside” interface is already set as “allow ip any any”.

Config changes on Firewall “B”:

  • Modified the crypto-map for the tunnel between Firewall “B” and “A” to protect traffic from the Firewall “B” private subnet to the Client VPN subnet.
  • Added a NoNAT statement for traffic from the Firewall “B” subnet to the Client VPN subnet.
  • Standard ACL for the “inside” interface modified to “allow ip any any” for traffic from the Firewall “B” subnet to the Client VPN subnet.

I’m obviously missing something, somewhere. I’m thinking it has to do with the crypto or interface ACLs. When I find the answer, I’ll post the follow-up.
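To make the two lists of changes above concrete, here is an added example of what they look like as configuration. It is not from the original post; it assumes Cisco ASA syntax of the pre-8.3 era (where a “NoNAT statement” is a `nat (inside) 0 access-list`), and every subnet, pool, ACL and crypto-map name is a constructed placeholder: Firewall “A” LAN 192.168.1.0/24, Client VPN pool 10.10.10.0/24, Firewall “B” LAN 192.168.2.0/24.

```text
!===== Firewall "A" (hub: Client VPN + site-to-site to "B") =====
! Constructed example, ASA pre-8.3 syntax assumed; all names/subnets are placeholders
ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Split tunneling: the client sends traffic for A's LAN and B's LAN into the tunnel
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.2.0 255.255.255.0
group-policy CLIENTVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Crypto ACL for the A<->B tunnel: the Client VPN pool is added as a protected source
access-list L2L_TO_B extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L_TO_B extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_TO_B

! NAT exemption: Client VPN pool -> B's LAN must not be translated
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Inside interface ACL already permits everything
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

!===== Firewall "B" (remote office) =====
! Crypto ACL is the exact mirror image of A's: B's LAN -> A's LAN and -> the Client VPN pool
access-list L2L_TO_A extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_TO_A extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_TO_A

! NAT exemption for B's LAN -> Client VPN pool
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Inside interface ACL: permit B's LAN -> Client VPN pool
access-list INSIDE_IN extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
access-group INSIDE_IN in interface inside
```

One check worth doing against a configuration like this: the crypto ACL on each side must be the exact mirror of the other, source and destination swapped, line for line. If the Client VPN pool is listed in A’s crypto ACL but not in B’s, phase 2 for that pair of subnets will never negotiate, which shows up as a second security association that is missing from `show crypto ipsec sa` while the original LAN-to-LAN pair works fine.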
