L2L to allow all inside hosts to access remote hosted application.

Oct 21st, 2009

We have outsourced our HR application to the vendor to host at their data center. Configuring the tunnel and restricting access is not a problem. What is the best way to allow over 1,500 internal hosts on over 100 different subnets through the VPN tunnel to the remote site using an ASA running v8.2 without adding too many lines to an already large configuration?

Jon Marshall Wed, 10/21/2009 - 07:12
There's no easy answer to this. Are your 100 subnets summarisable to any extent? If so you could certainly cut the config down by summarising.

Alternatively you could use permit ip any

in your crypto acl but that may be too open for you. Remember that you can use "permit ip any in your crypto acl and then lock down access via an acl on the inside interface but again without summarisable subnets that won't really help that much.


drakow Wed, 10/21/2009 - 07:21
I can summarize my internal hosts as but the destination is Because their network overlaps I was thinking I could use PAT or NAT for my inside address with a config something like the following:

access-list Lawson_ACL extended permit ip any !!remote hosting network

access-list NoNAT extended permit ip any

I'm just not sure how to do the NAT/PAT part as I am used to the VPN3080 GUI. I do not like ASDM except for monitoring, and I am used to the PIX 6.3 CLI but never had a config like this.

drakow Wed, 10/21/2009 - 09:58
I can summarize using and encompass all my internal IPs without overlapping theirs.
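The two ideas in this thread (summarise the inside subnets so the crypto ACL stays short, and policy NAT/PAT the inside hosts so the vendor sees one address) fit together in one ASA 8.2 configuration. The following is an added example written for this thread, not config posted by drakow, Jon Marshall or Cisco. Every address, name and key in it is a constructed placeholder: 10.0.0.0/8 stands in for the inside summary, 172.20.5.0/24 for the vendor's HR server subnet (chosen so it does not overlap the summary, as the final reply says is possible), 192.0.2.10 for the translated PAT address and 198.51.100.1 for the vendor's VPN peer.

```cisco
! ADDED EXAMPLE for ASA 8.2 (pre-8.3 NAT syntax). Not from the thread; all values are placeholders.
!   INSIDE_SUMMARY  10.0.0.0/8     summary covering the ~100 inside subnets (assumed)
!   VENDOR_HR       172.20.5.0/24  vendor-hosted HR servers (assumed, non-overlapping)
!   PAT_ADDR        192.0.2.10     single translated address the vendor sees (assumed)
!   PEER            198.51.100.1   vendor VPN gateway (assumed)

! 1. Policy NAT ACL: only inside-summary -> vendor-HR traffic is translated.
access-list HR_POLICY_NAT extended permit ip 10.0.0.0 255.0.0.0 172.20.5.0 255.255.255.0

! 2. Dynamic policy PAT: all 1,500 hosts hide behind one address.
!    Keep this traffic OUT of any "nat (inside) 0 access-list NoNAT" exemption, which wins over nat 2.
nat (inside) 2 access-list HR_POLICY_NAT
global (outside) 2 192.0.2.10

! 3. Crypto ACL: on 8.2 NAT is applied before the crypto map check for outbound traffic,
!    so the interesting-traffic ACL matches the TRANSLATED source. One line covers every inside host.
access-list HR_CRYPTO extended permit ip host 192.0.2.10 172.20.5.0 255.255.255.0

! 4. Inside interface ACL: the crypto ACL only decides what gets encrypted; this decides who may talk
!    to the HR servers and on which port. The final permit preserves existing inside->anywhere access.
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.0.0.0 172.20.5.0 255.255.255.0 eq 443
access-list INSIDE_IN extended deny ip any 172.20.5.0 255.255.255.0
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

! 5. The L2L tunnel itself (IKE/IPsec parameters and PSK are placeholders, agree them with the vendor).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set HR_TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address HR_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set HR_TS
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_STRONG_PSK
```

Two things to verify after applying something like this: `show xlate` should show inside hosts translated to the PAT address only when they talk to the HR subnet, and `show crypto ipsec sa` should show the SA negotiated for 192.0.2.10/32 to 172.20.5.0/24 rather than for the raw inside subnets. Because every inside host appears to the vendor as one address, the ASA's NAT and syslog records become the only way to attribute activity on the HR application back to a particular workstation, so keep them. If the vendor subnet had in fact overlapped the chosen inside summary, the destination would also need translating (either on the vendor side or with outside NAT on this ASA), which this thread does not cover.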
