RA VPN assistance

Oct 27th, 2009

Hi all

I have an L2L VPN between an ASA 5510 and a PIX 515 running fine.

I also have a RA VPN running on the ASA5510

What I would like to do is have people dial in to the ASA, get an IP from the VPN pool, and then access web services sitting behind the remote location's PIX (

So far, I've added a static route (which is the subnet assigned to the RA users) to go through the outside interface, e.g. route outside 81.xxx.xxx.xxx

I've also added the following to the ACL which protects the L2L VPN:

access-list acl_l2l_vpn permit ip

I've done the same but reversed the IPs on the PIX.

Grateful for your replies.


acomiskey Tue, 10/27/2009 - 10:36

You will also need this on the ASA.

same-security-traffic permit intra-interface

And did you add the traffic to the nat0 acl on the PIX end?


access-list nat0 permit ip

solpandor Mon, 11/02/2009 - 01:26

Can you please explain why I would need the "same-security-traffic permit intra-interface" command?

And yes, I have added the subnets to the no nat statements on both the ASA and PIX.


solpandor Wed, 01/06/2010 - 07:18

Just to update this - this was sorted by adding the RA subnet to the split tunnel ACL.

Kent Heide Wed, 01/06/2010 - 08:43

The `same-security-traffic permit intra-interface` allows traffic to pass out the same interface which it arrived on.
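
Added example, not part of the thread or any poster's configuration: the pieces discussed above assembled as a pre-8.3 ASA/PIX configuration sketch for hairpinning RA VPN clients into the L2L tunnel. All subnets (RA pool 10.10.10.0/24, ASA LAN 10.1.1.0/24, PIX LAN 192.168.50.0/24) and the names `acl_split_tunnel` and `RA_POLICY` are constructed placeholders; it also assumes the split-tunnel entry that was needed is the PIX-side LAN and that the PIX ACLs use the names seen in the thread.

```cisco
! ===== ASA 5510 (terminates both the RA VPN and the L2L tunnel) =====

! RA client traffic arrives decrypted on "outside" and must leave
! re-encrypted on "outside"; without this the ASA drops it.
same-security-traffic permit intra-interface

! Crypto ACL for the L2L tunnel: add RA pool -> PIX-side LAN so the
! hairpinned traffic is selected for encryption toward the PIX.
access-list acl_l2l_vpn extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0

! Split-tunnel list: networks the client routes into the tunnel.
! If the PIX-side LAN is missing, the client sends that traffic out
! its local internet connection and it never reaches the ASA.
access-list acl_split_tunnel standard permit 10.1.1.0 255.255.255.0
access-list acl_split_tunnel standard permit 192.168.50.0 255.255.255.0

group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_split_tunnel

! ===== PIX 515 (remote end of the L2L tunnel) =====

! Mirror of the ASA crypto ACL entry: PIX-side LAN -> RA pool.
access-list acl_l2l_vpn permit ip 192.168.50.0 255.255.255.0 10.10.10.0 255.255.255.0

! Exempt the return traffic from NAT so it matches the crypto ACL.
access-list nat0 permit ip 192.168.50.0 255.255.255.0 10.10.10.0 255.255.255.0
```

With a client connected, `show crypto ipsec sa` on the ASA should list an SA whose local and remote identities are the RA pool and the PIX-side LAN.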

