Full Mesh Site-2-site VPN in ASA

Mar 26th, 2008

I have two site-2-site VPNs and also remote VPN clients. I want to create a full mesh between the L2L VPNs and also the remote access clients so that all sites can access each other & the remote users can also access the sites. How can I achieve this in ASA? I guess same-security-traffic permit intra-interface works, but what's the ACLs to be configured?

pjhenriqs Wed, 03/26/2008 - 07:15

Hi,

It's difficult to explain how to do this without specific IP addressing, but the approach I would follow would be to first configure the site-to-site VPNs and make sure that everything is working. After this, configure the remote access VPN.

If, for example, the remote users are in the 192.168.200.0/24 subnet and you have a VPN site with the 192.168.1.0/24 subnet, then you should create an access-list applied on the outside interface (incoming) with the source being 192.168.200.0/24 and the destination 192.168.1.0/24, for traffic from the remote to the site VPN.

You will need to set up the appropriate exempt NATs, but although it's a little messy it works. Ah, and keep that same-security-traffic permit intra-interface rule.

Hope it helps in any way.

Thanks,

Paulo
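To make the approach in Paulo's reply concrete, here is an added hub-ASA configuration fragment (pre-8.3 NAT syntax, matching the 2008 timeframe of the thread). It is not from the original post or from Cisco documentation. The 192.168.1.0/24 site and the 192.168.200.0/24 remote-access pool come from the reply; the hub inside LAN 10.0.0.0/24, the second site 192.168.2.0/24, the peer addresses 203.0.113.10/.20 and every object name (L2L_SITEA, OUTSIDE_MAP, RA_GP, INSIDE_NAT0, OUTSIDE_NAT0, OUTSIDE_IN, ESP-AES-SHA, DYN_MAP) are assumptions chosen for the example. ISAKMP policy, tunnel-group pre-shared keys, the transform set and the dynamic crypto map for the clients are assumed to exist already and are not shown.

```cisco
! Hub ASA - only the pieces needed to mesh two L2L tunnels and the RA clients.
! Assumed addressing (not from the original post unless noted):
!   hub inside LAN        10.0.0.0/24
!   Site A LAN            192.168.1.0/24   (from the reply), peer 203.0.113.10
!   Site B LAN            192.168.2.0/24,  peer 203.0.113.20
!   remote-access pool    192.168.200.0/24 (from the reply)

! 1. Let decrypted traffic leave through the interface it arrived on.
same-security-traffic permit intra-interface

! 2. Crypto ACLs. Each L2L tunnel must carry the hub LAN, the other site's
!    LAN and the RA pool toward that site, not just hub LAN <-> site LAN.
access-list L2L_SITEA extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_SITEA extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_SITEA extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list L2L_SITEB extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L_SITEB extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L_SITEB extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto map OUTSIDE_MAP 10 match address L2L_SITEA
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address L2L_SITEB
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
! Remote-access clients land on the dynamic map, assumed defined elsewhere.
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside

! 3. Split tunnel for the RA clients has to list both sites, or client
!    traffic for a site never enters the tunnel in the first place.
access-list RA_SPLIT standard permit 10.0.0.0 255.255.255.0
access-list RA_SPLIT standard permit 192.168.1.0 255.255.255.0
access-list RA_SPLIT standard permit 192.168.2.0 255.255.255.0
group-policy RA_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SPLIT

! 4. NAT exemption. The usual inside -> VPN exemption, plus one on the
!    outside interface for traffic that hairpins from one tunnel to another.
access-list INSIDE_NAT0 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list INSIDE_NAT0 extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list INSIDE_NAT0 extended permit ip 10.0.0.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NAT0

access-list OUTSIDE_NAT0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list OUTSIDE_NAT0 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OUTSIDE_NAT0 extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OUTSIDE_NAT0 extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list OUTSIDE_NAT0 extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list OUTSIDE_NAT0 extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE_NAT0

! 5. Inbound ACL on outside, as the reply suggests. With the default
!    "sysopt connection permit-vpn" decrypted traffic bypasses this ACL;
!    it is enforced only after "no sysopt connection permit-vpn".
!    Merge these lines into any existing outside ACL rather than replacing it.
access-list OUTSIDE_IN extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
```

Two checks worth doing before blaming the hub. First, each spoke's crypto ACL must be the mirror image of the hub's (for Site A: 192.168.1.0/24 to 10.0.0.0/24, 192.168.2.0/24 and 192.168.200.0/24), otherwise Phase 2 fails on a proxy-ID mismatch and `show crypto ipsec sa` on the hub shows no SA for the spoke-to-spoke pair. Second, `show xlate` and `show nat` should show the hairpinned flows hitting the `nat (outside) 0` exemption; if they are being translated, the outside exemption ACL is missing a direction. Note that the default `sysopt connection permit-vpn` means the mesh is fully open between every VPN peer; if you want least privilege between sites or for remote users, either disable it and rely on the interface ACL, or attach a `vpn-filter` ACL in the group-policy for the remote-access clients.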
