site-to-site vpn question

ASA 5501 and 5505 configured successfully for site-to-site VPN.
Clients on both ends can access each other just fine. The only
problem is accessing clients on the opposite LAN from the firewall
devices themselves. Among other reasons, I need this to upload the
config to a TFTP server using "write net". However, I can't ping any
machines on the other side from the firewall itself. Similarly, I
can't ping the internal IP of the firewalls from the opposite LAN.
The source IP for such transactions is the -outside- IP address on the ASA (or rather the IP of the interface closest to the other end.) Your VPNs are probably based upon -inside- IP addresses.
It is legal (and works well) to include the outside IP in the ACL that defines the VPN. For example (PIX 6 syntax):
access-list vpn2ax permit ip
access-list vpn2ax permit ip interface outside
For the ASA (or PIX 7/8) you might perhaps use 'host' followed by the outside interface IP instead of 'interface outside' (which is needed for PIX 6; using the actual IP will not work in PIX 6.)
Walter Roberson
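The approach in the reply above, written out as a full site-to-site configuration for the local ASA. This is an added example, not configuration posted in the thread. All addresses are constructed documentation ranges (site A inside 192.168.1.0/24 with outside IP 203.0.113.10, site B inside 192.168.2.0/24 with outside IP 198.51.100.10 and a TFTP server at 192.168.2.50), the ACL, crypto map and transform-set names are arbitrary, and the pre-shared key is a placeholder. It uses ASA 7.x/8.0-8.2 syntax and assumes the NAT exemption for the two LANs is already in place (the clients already reach each other, so that part is working).

```cisco
! --- Phase 1 (IKE) -------------------------------------------------------
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! --- Phase 2 transform set -----------------------------------------------
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! --- Peer definition (constructed peer address, placeholder key) ---------
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-PSK

! --- Crypto ACL: the interesting traffic ---------------------------------
! Line 1: the usual LAN-to-LAN pair, which is what makes client traffic work.
! Line 2: traffic the ASA itself originates (ping, write net) leaves with
!         the outside interface address as source, so that host must also
!         be "interesting" or it is sent in the clear and never reaches
!         the far LAN.
access-list vpn2ax extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn2ax extended permit ip host 203.0.113.10 192.168.2.0 255.255.255.0

! --- Crypto map bound to the outside interface ---------------------------
crypto map outside_map 10 match address vpn2ax
crypto map outside_map 10 set peer 198.51.100.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! --- TFTP target for "write net" (constructed server address) ------------
tftp-server outside 192.168.2.50 asa-siteA.cfg
```

The far end must mirror the extra line, i.e. site B's crypto ACL needs `access-list vpn2bx extended permit ip 192.168.2.0 255.255.255.0 host 203.0.113.10` alongside its LAN-to-LAN entry, otherwise Phase 2 negotiation for that proxy pair fails. After a `write net` or a ping from the ASA, `show crypto ipsec sa peer 198.51.100.10` should list a second SA whose local identity is the single host 203.0.113.10/255.255.255.255; if only the network-to-network SA appears, the host entry is missing on one side. To ping the far ASA's inside IP from this LAN, the same idea applies in reverse: the far inside address has to be covered by a crypto ACL entry on both ends.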