
RA VPN assistance

SOL10
Level 1

Hi all,

I have an L2L VPN between an ASA 5510 and a PIX515 running fine.

I also have an RA VPN running on the ASA5510.

What I would like to do is: have people dial in to the ASA, get an IP from the VPN pool 192.168.10.0/24, and then access web services sitting behind the remote location's PIX (192.168.3.0/24).

So far, I've added a static route (192.168.10.0/24, which is the subnet assigned to the RA users) to go through the outside interface, e.g. route outside 192.168.10.0 255.255.255.0 81.xxx.xxx.xxx

I've also added the following to the ACL which protects the L2L VPN:

access-list acl_l2l_vpn permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0

I've done the same but reversed the IPs on the PIX.

Grateful for your replies.

Thanks

4 Replies

acomiskey
Level 10

You will also need this on the ASA.

same-security-traffic permit intra-interface

And did you add the traffic to the nat0 acl on the PIX end?

ex.

access-list nat0 permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0

Hi,

Can you please explain why I would need the "same-security-traffic permit intra-interface" command?

And yes, I have added the subnets to the no-NAT statements on both the ASA and PIX.

Thanks

Hi

Just to update this: this was sorted by adding the RA subnet to the split tunnel ACL.

The `same-security-traffic permit intra-interface` allows traffic to pass out the same interface which it arrived on.
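The checks discussed in this thread (hairpinning on the ASA, mirrored crypto ACLs on both peers, and the nat0 entry on the PIX) can be audited from saved configs, as in this added example, which is not part of the original thread. The sample configs are constructed from the lines quoted above; the PIX crypto ACL name and the function names are assumptions, and the split tunnel ACL is not checked because the thread does not show it.

```python
import ipaddress

# Constructed sample configs built from the lines quoted in the thread.
# The PIX crypto ACL name is an assumption; the thread does not give it.
ASA = """same-security-traffic permit intra-interface
access-list acl_l2l_vpn permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0"""
PIX = """access-list acl_l2l_vpn permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nat0 permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0"""

def acl_pairs(config, name):
    """Return the (source, destination) networks permitted by ACL `name`."""
    pairs = set()
    for line in config.splitlines():
        tok = line.split()
        # Only the 'permit ip <net> <mask> <net> <mask>' form from the thread is parsed.
        if len(tok) == 8 and tok[:4] == ["access-list", name, "permit", "ip"]:
            pairs.add((ipaddress.ip_network(f"{tok[4]}/{tok[5]}"),
                       ipaddress.ip_network(f"{tok[6]}/{tok[7]}")))
    return pairs

def audit(asa, pix, ra_pool, remote_lan, asa_crypto="acl_l2l_vpn",
          pix_crypto="acl_l2l_vpn", pix_nat0="nat0"):
    """List what is missing for RA clients to reach the LAN behind the PIX."""
    ra, lan = ipaddress.ip_network(ra_pool), ipaddress.ip_network(remote_lan)
    findings = []
    if "same-security-traffic permit intra-interface" not in [l.strip() for l in asa.splitlines()]:
        findings.append("ASA: hairpin (intra-interface) not enabled")
    asa_acl, pix_acl = acl_pairs(asa, asa_crypto), acl_pairs(pix, pix_crypto)
    if (ra, lan) not in asa_acl:
        findings.append("ASA: crypto ACL lacks RA pool -> remote LAN")
    if (lan, ra) not in pix_acl:
        findings.append("PIX: crypto ACL lacks remote LAN -> RA pool")
    if (lan, ra) not in acl_pairs(pix, pix_nat0):
        findings.append("PIX: nat0 ACL lacks remote LAN -> RA pool")
    # Crypto ACLs on the two peers must be exact mirrors of each other.
    if {(d, s) for s, d in asa_acl} != pix_acl:
        findings.append("crypto ACLs are not mirror images")
    return findings

if __name__ == "__main__":
    print(audit(ASA, PIX, "192.168.10.0/24", "192.168.3.0/24") or "no findings")
```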
