Site to Site and customer VPN connection

Unanswered Question
Jan 19th, 2009

I have configured a site-to-site VPN connection between 2 of my offices and also have a customer VPN connection from one of my office locations.

Site A --> Site B --> Inter office VPN

Site B --> Customer Site --> VPN connection

I want to configure Site A to connect to the customer site's servers via Site B.

For the Site B to Customer site VPN connection I have configured only outbound connections, and the customer cannot connect to our LAN, i.e. all our traffic goes with a NAT address to connect to the customer servers.

I have tried some configurations but I cannot connect to the customer servers from Site A.

I would appreciate it if anyone could help with this issue.



Johan Svanberg Mon, 01/19/2009 - 05:54

Do you have a Cisco PIX, ASA or an IOS router?

With the PIX I don't think it's possible, it cannot route traffic that terminates on the same interface.

For the ASA I think it's possible, I actually logged in here to ask a similar question.

Johan Svanberg Tue, 01/20/2009 - 23:07

Have you tried this?

To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.

All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse the security appliance.

Examples

The following example shows how to enable the same-security interface communication:

hostname(config)# same-security-traffic permit inter-interface

The following example shows how to enable traffic to enter and exit the same interface:

hostname(config)# same-security-traffic permit intra-interface

ckuriyar74 Wed, 01/21/2009 - 01:24

I have already tried this.

I opened a TAC case and solved the issue.

Johan Svanberg Wed, 01/21/2009 - 04:57

This is my scenario, but it should match your environment pretty well. = Main office (Site B) = VPN Client Pool (Site A) = External office (Site Customer)

Configured the ipsec vpn client network (Site A) to reach the external office, which is an ipsec tunnel (Site Customer) terminating in the main office network (Site B):

access-list acl_split_vpnclient standard permit

Configured to route traffic on the same interface:

same-security-traffic permit intra-interface

Configured the vpn client network (Site A) as an ipsec tunnel to (Site B):

access-list acl_vpn_malmo extended permit ip

Configured a no-nat rule for the vpn client:

access-list acl_nonat_inside extended permit ip

Configured the ipsec tunnel at the external office (Site Customer) to the main office for the vpn client network:

access-list acl_nonat_inside extended permit ip

access-list acl_vpn_sthlm extended permit ip


Skickar signaler till med 32 byte data:

Svar från byte=32 tid=22ms TTL=128

Svar från byte=32 tid=21ms TTL=128
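As an added example (not from Johan's post or from Cisco documentation), here is the scenario above written out as a complete pre-8.3 ASA configuration on Site B plus the matching crypto ACL at the customer end, so the elided networks in the ACLs can be seen in place. All networks, the peer address, the map, pool, policy and transform-set names are constructed placeholders, and the nat (outside) 0 exemption for the hairpinned client traffic is my assumption.

```cisco
! Site B ASA (hub) - pre-8.3 NAT syntax. Constructed placeholder networks:
!   10.20.0.0/16  = Site B inside LAN
!   10.10.10.0/24 = VPN client pool (Site A)
!   172.16.5.0/24 = customer LAN (Site Customer)
!   203.0.113.2   = customer VPN peer (documentation address)

! 1. Let traffic that enters on outside leave on outside again (hairpin).
!    Still subject to ACLs/inspection; watch for asymmetric return paths.
same-security-traffic permit intra-interface

! 2. Address pool handed to VPN clients (this is the "Site A" network).
ip local pool vpnclient_pool 10.10.10.1-10.10.10.254 mask 255.255.255.0

! 3. Split tunnel: clients send Site B LAN AND the customer LAN into the tunnel.
!    Without the second line the client would route customer traffic to the Internet.
access-list acl_split_vpnclient standard permit 10.20.0.0 255.255.0.0
access-list acl_split_vpnclient standard permit 172.16.5.0 255.255.255.0
group-policy vpnclient_gp internal
group-policy vpnclient_gp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_split_vpnclient
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool vpnclient_pool
 default-group-policy vpnclient_gp

! 4. NAT exemption. Inside LAN <-> client pool and inside LAN <-> customer, plus
!    (assumption) an outside-interface exemption for client pool -> customer,
!    since hairpinned traffic never touches the inside interface.
access-list acl_nonat_inside extended permit ip 10.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list acl_nonat_inside extended permit ip 10.20.0.0 255.255.0.0 172.16.5.0 255.255.255.0
nat (inside) 0 access-list acl_nonat_inside
access-list acl_nonat_outside extended permit ip 10.10.10.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (outside) 0 access-list acl_nonat_outside

! 5. Crypto ACL to the customer: both the LAN and the client pool are "interesting".
access-list acl_vpn_sthlm extended permit ip 10.20.0.0 255.255.0.0 172.16.5.0 255.255.255.0
access-list acl_vpn_sthlm extended permit ip 10.10.10.0 255.255.255.0 172.16.5.0 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address acl_vpn_sthlm
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside

! --- Customer end: the crypto ACL must mirror both pairs, or the client-pool
! --- proxy IDs are rejected and only the LAN-to-LAN SA ever comes up.
! access-list acl_vpn_to_siteb extended permit ip 172.16.5.0 255.255.255.0 10.20.0.0 255.255.0.0
! access-list acl_vpn_to_siteb extended permit ip 172.16.5.0 255.255.255.0 10.10.10.0 255.255.255.0
```

After a client pings a customer host, show crypto ipsec sa on Site B should list a separate SA pair for 10.10.10.0/24 <-> 172.16.5.0/24 next to the LAN pair; if only the LAN pair appears, the customer side has not added the pool to its crypto ACL.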

