site-to-site vpn question

ASA 5501 and 5505 configured successfully for site-to-site VPN.
Clients on both ends can access each other just fine. The only
problem is accessing clients on the opposite LAN from the firewall
devices themselves. Among other reasons, I need this to upload the
config to a TFTP server using "write net". However, I can't ping any
machines on the other side from the firewall itself. Similarly, I
can't ping the internal IP of the firewalls from the opposite LAN.
Thanks,
Peter.
The source IP for such transactions is the -outside- IP address on the ASA (or rather the IP of the interface closest to the other end). Your VPNs are probably based upon -inside- IP addresses.
It is legal (and works well) to include the outside IP in the ACL that defines the VPN. For example (PIX 6 syntax):
access-list vpn2ax permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list vpn2ax permit ip interface outside 192.168.5.0 255.255.255.0
For the ASA (or PIX 7/8) you might perhaps use 'host' followed by the outside interface IP instead of 'interface outside' (which is needed for PIX 6; using the actual IP will not work in PIX 6.)
Walter Roberson
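As an added illustration (not from either poster), the same idea in ASA 7/8 syntax on both peers: the crypto ACL gets a second entry for the firewall's own outside address, and the far end carries the mirror image. The outside IPs 203.0.113.10 and 198.51.100.20, the map name outside_map and the transform-set name are constructed assumptions; the 172.16.0.0/16 and 192.168.5.0/24 networks are the ones from the reply above.

```cisco
! Site A ASA (constructed: outside IP 203.0.113.10, inside LAN 172.16.0.0/16)
! First entry carries LAN-to-LAN traffic; second entry carries traffic the
! ASA itself originates from its outside interface (ping, write net / TFTP).
access-list vpn2ax extended permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list vpn2ax extended permit ip host 203.0.113.10 192.168.5.0 255.255.255.0
crypto map outside_map 10 match address vpn2ax
crypto map outside_map 10 set peer 198.51.100.20
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! Site B ASA (constructed: outside IP 198.51.100.20, inside LAN 192.168.5.0/24)
! Crypto ACLs must mirror the peer, so Site A's outside host appears here as
! a destination; without this entry the second SA never negotiates.
access-list vpn2ax extended permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list vpn2ax extended permit ip 192.168.5.0 255.255.255.0 host 203.0.113.10
crypto map outside_map 10 match address vpn2ax
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! Check: after pinging a 192.168.5.x host from Site A, "show crypto ipsec sa"
! should list a separate SA whose local ident is 203.0.113.10/255.255.255.255.
```

Each ACL entry produces its own IPsec SA, so the firewall-originated traffic appears as a second SA alongside the LAN-to-LAN one rather than replacing it.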

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.