RA VPN assistance

Unanswered Question
Oct 27th, 2009

Hi all


I have an L2L VPN between an ASA 5510 and a PIX 515 running fine.

I also have an RA VPN running on the ASA 5510.

What I would like to do is: have people dial in to the ASA, get an IP from the VPN pool 192.168.10.0/24, and then access web services sitting behind the remote location's PIX (192.168.3.0/24).

So far, I've added a static route (192.168.10.0/24, which is the subnet assigned to the RA users) to go through the outside interface, e.g. route outside 192.168.10.0 255.255.255.0 81.xxx.xxx.xxx

I've also added the following to the ACL which protects the L2L VPN:

access-list acl_l2l_vpn permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0

I've done the same, but with the IPs reversed, on the PIX.

Grateful for your replies.

Thanks


acomiskey Tue, 10/27/2009 - 10:36

You will also need this on the ASA:

same-security-traffic permit intra-interface

And did you add the traffic to the nat0 ACL on the PIX end? e.g.

access-list nat0 permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0


solpandor Mon, 11/02/2009 - 01:26

Hi,

Can you please explain why I would need the "same-security-traffic permit intra-interface" command?

And yes, I have added the subnets to the no-NAT statements on both the ASA and the PIX.

Thanks

solpandor Wed, 01/06/2010 - 07:18

Hi

just to update this - this was sorted by adding the RA subnet to the split tunnel ACL

Kent Heide Wed, 01/06/2010 - 08:43

The `same-security-traffic permit intra-interface` allows traffic to pass out the same interface which it arrived on.
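The pieces discussed in this thread, pulled together into one configuration for both ends (an added example, not config posted by anyone in the thread). It assumes pre-8.3 ASA/PIX NAT syntax, an ASA inside subnet of 192.168.1.0/24, a group policy named RA_POLICY and ACL names that are constructed; the PIX peer address is a placeholder.

```cisco
! ===== ASA 5510 (RA VPN headend, L2L hub) =====
! RA clients terminate on "outside" and their traffic to 192.168.3.0/24 must
! leave through the same "outside" interface inside the L2L tunnel (hairpin).
same-security-traffic permit intra-interface

! Address pool handed to RA clients (constructed range within 192.168.10.0/24)
ip local pool RA_POOL 192.168.10.1-192.168.10.254 mask 255.255.255.0

! Crypto (interesting-traffic) ACL for the L2L tunnel to the PIX:
! both the ASA's inside subnet and the RA pool must be allowed to reach 192.168.3.0/24
access-list acl_l2l_vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list acl_l2l_vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0

! NAT exemption. Hairpinned RA traffic enters and exits on "outside", so the
! pool-to-remote entry needs an exemption bound to the outside interface too.
access-list nat0_inside extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nat0_inside extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nat0_outside extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nat0_inside
nat (outside) 0 access-list nat0_outside

! Split-tunnel list: the client only sends to the VPN what this ACL names, so the
! remote PIX subnet must be listed or the client will route it out its local ISP.
access-list RA_SPLIT standard permit 192.168.1.0 255.255.255.0
access-list RA_SPLIT standard permit 192.168.3.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SPLIT

! ===== PIX 515 (L2L spoke) =====
! Mirror image of the ASA entries: remote LAN <-> RA pool
access-list acl_l2l_vpn permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl_l2l_vpn permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nat0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nat0 permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nat0
```

After applying this, a client in the pool pinging a 192.168.3.x host should show the tunnel's SA in `show crypto ipsec sa` with the 192.168.10.0/24 to 192.168.3.0/24 selector, which is the quickest way to confirm the hairpin is taking the L2L path rather than being dropped at the outside interface.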
