ASA-5500s: Remote access users need site-to-site access

Answered Question
Jul 9th, 2007
User Badges:

I have several ASA-5500-series devices deployed to our various locations. Remote users VPN in to our main office's ASA-5510, but recently they've needed access to the network resources that are available on the site-to-site VPNs. However, remote users are not able to access anything on the site-to-site VPNs, and I'm sure there's some reconfiguration I need to do before it's possible. However, all my attempts thus far have been unsuccessful. Is this possible, and if so, what do I need to reconfigure to make this work? Thanks!

Correct Answer by acomiskey about 10 years 2 weeks ago

Yes this is possible.


You need to...


1. enable "same-security-traffic permit intra-interface"


2. Add the traffic from the vpn client subnet to the interesting traffic for the lan2lan tunnel on the local and remote firewalls.


3. If using split tunneling, ensure the remote network you require access to is being tunneled.


This may also help...


http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml


Please rate helpful posts.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
Jon Marshall Mon, 07/09/2007 - 06:24
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi


You need to to do 2 things


1) Add your vpn client addresses to the crypto access-lists for the site-to-site VPN tunnels. You will need to do this on both ends of the VPN tunnel. Also if you have nat exemptions for these addresses you will need to add to that as well.


2) Assuming your traffic for the site-to-site VPN's and remote access vpn's comes in on the same interface you will need to enable hairpinning on your ASA ie, traffic can go back out the same interface it was received on. Use the following command


same-security-traffic permit intra-interface



HTH


Jon

Correct Answer
acomiskey Mon, 07/09/2007 - 06:24
User Badges:
  • Green, 3000 points or more

Yes this is possible.


You need to...


1. enable "same-security-traffic permit intra-interface"


2. Add the traffic from the vpn client subnet to the interesting traffic for the lan2lan tunnel on the local and remote firewalls.


3. If using split tunneling, ensure the remote network you require access to is being tunneled.


This may also help...


http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml


Please rate helpful posts.

Actions

This Discussion