Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
451
Views
5
Helpful
5
Replies

Traffic from one VPN tunnel to another

adcorbett_2
Level 1
Level 1

‎07-08-2008 07:10 AM - edited ‎02-21-2020 03:48 PM

Hi - not sure how to do this so I hope you can help. I have a number of servers in a disaster recovery site that is at the other ond of a L2L VPN tunnel. Now on this end, I have users who VPN in to the ASA. The users can get everywhere except to the machines on the other end of the L2L tunnel. Let me know if you have any ideas. How can I route or allow traffic from users coming in on a remote access vpn tunnel to a server at the far end of an L2L tunnel? I can post a config if needed. Thanks!

Labels:
0 Helpful
5 Replies 5

andrew.prince
Level 10
Level 10

‎07-08-2008 08:03 AM

You cannot do this is versions 6 and below, but the command you need is:-

same-security-traffic permit intra-interface

HTH.

adcorbett_2
Level 1
Level 1
In response to a.alekseev

‎08-05-2008 06:52 AM

Had to step away from this to deal with some other stuff, but now I am back. Ok, so I added that command but still cannot get to the DR site. Let me try to explain our setup. In the coporate HQ, we have an ASA 5520 (ASA - 1). Inside address 192.168.2.2. There is a L2L tunnel to an ASA 5520 in another state (ASA - 2) - inside address of that one 192.168.100.2. I have VPN user connect to ASA-1 and they get an address of 192.168.200.X. I need them to to be able to get to the servers behind ASA - 2 (192.168.100.X). The VPN users can get to everything else on our network (192.168.0.0, 10.0.0.0) but not the 192.168.100.0 subnet.

0 Helpful

acomiskey
Level 10
Level 10
In response to adcorbett_2

‎08-05-2008 06:59 AM

You need to add the interesting traffic to ASA 1.

access-list extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0

..and ASA 2.

access-list extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0

Also, nat exemption for ASA 2.

access-list extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0

Also, be sure if you are split tunneling the vpn clients, that the 192.168.100 network is being tunneled.

0 Helpful

adcorbett_2
Level 1
Level 1
In response to acomiskey

‎08-05-2008 08:20 AM

ok, thanks I'll give that a shot.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents