ASA-5500s: Remote access users need site-to-site access

Answered Question
Jul 9th, 2007

I have several ASA-5500-series devices deployed to our various locations. Remote users VPN in to our main office's ASA-5510, but recently they've needed access to the network resources that are available on the site-to-site VPNs. However, remote users are not able to access anything on the site-to-site VPNs, and I'm sure there's some reconfiguration I need to do before it's possible. However, all my attempts thus far have been unsuccessful. Is this possible, and if so, what do I need to reconfigure to make this work? Thanks!

I have this problem too.
0 votes
Correct Answer by acomiskey about 9 years 4 months ago

Yes this is possible.

You need to...

1. enable "same-security-traffic permit intra-interface"

2. Add the traffic from the vpn client subnet to the interesting traffic for the lan2lan tunnel on the local and remote firewalls.

3. If using split tunneling, ensure the remote network you require access to is being tunneled.

This may also help...

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Please rate helpful posts.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
Jon Marshall Mon, 07/09/2007 - 06:24

Hi

You need to to do 2 things

1) Add your vpn client addresses to the crypto access-lists for the site-to-site VPN tunnels. You will need to do this on both ends of the VPN tunnel. Also if you have nat exemptions for these addresses you will need to add to that as well.

2) Assuming your traffic for the site-to-site VPN's and remote access vpn's comes in on the same interface you will need to enable hairpinning on your ASA ie, traffic can go back out the same interface it was received on. Use the following command

same-security-traffic permit intra-interface

HTH

Jon

Correct Answer
acomiskey Mon, 07/09/2007 - 06:24

Yes this is possible.

You need to...

1. enable "same-security-traffic permit intra-interface"

2. Add the traffic from the vpn client subnet to the interesting traffic for the lan2lan tunnel on the local and remote firewalls.

3. If using split tunneling, ensure the remote network you require access to is being tunneled.

This may also help...

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Please rate helpful posts.

Actions

This Discussion