VPN Site-Site issue

Unanswered Question
Jan 13th, 2010


I have 2 site-to-site VPN connections to my ASA 5510 version 8.0(4).

However, now I wish to have connectivity between both remote sites.

How can I proceed with it?

gammatel1 Wed, 01/13/2010 - 16:30

You need to configure the following command.

same-security-traffic permit intra-interface

This will allow communications between your VPNs - however you will need to amend any VPN ACLs (used in crypto map) to permit traffic between the respective peer networks.


hdashnau Wed, 01/13/2010 - 17:47

Let's say you have routers A, B, and C. You already have a tunnel between A<=>B and a tunnel between A<=>C. You now want traffic between B<=>C. You can either....

1. Send the traffic between B and C through A. This would mean adding "same-security-traffic permit intra-interface" on A so that the traffic that comes in the outside interface of A can also leave out the outside interface of A since it will need to be redirected. And you should adjust the crypto maps on all 3 devices:

-On A, permit B-->C and C-->B

-On B, permit B-->C

-On C, permit C-->B


2. Just define the crypto on B and C (and don't send it through A)

-On B, permit B-->C

-On C, permit C-->B


robbie.teo Wed, 01/13/2010 - 19:43

Thanks for the reply.

However, after adding those and trying to re-establish the VPN link, it still doesn't work.

Do you know if there's anything else I missed out?

1) A (ASA) - added the crypto to allow B -> C and C -> B, and the same-security-traffic permit intra-interface command

2) On the router of B - added additional access-list of C network

3) On the router of C - added additional access-list of B network

gammatel1 Thu, 01/14/2010 - 00:48

Without seeing your configuration it is difficult to work out the issue - if you use NAT/PAT on your B and C firewalls, then you may need to update nat-exemption policies for the relevant networks. If you still need further help, can you cut and paste the relevant parts of your configuration - specifically the crypto maps, NAT policies and associated ACLs for each firewall.

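The following is an added example, not configuration posted by anyone in this thread, showing what option 1 from hdashnau's post (spoke-to-spoke traffic hairpinned through the hub ASA) and the nat-exemption point from gammatel1's last post look like together. All addresses, interface names, ACL names, peer IPs and the transform-set name are assumptions chosen for the example: hub A has LAN 10.1.0.0/24, spoke B has 10.2.0.0/24 behind an IOS router at 203.0.113.2, spoke C has 10.3.0.0/24 behind an IOS router at 203.0.113.3. ASA 8.0 syntax is used for the hub because that is the version in the question.

```cisco
! ===== Hub ASA "A" (8.0(4) syntax) =====
! Allow traffic that arrives on "outside" (from B's tunnel) to leave "outside"
! again (into C's tunnel). Without this the ASA drops the hairpinned flow.
same-security-traffic permit intra-interface

! Crypto ACL for the tunnel to B. The second line is the spoke-to-spoke
! addition: C's LAN -> B's LAN must be protected by the A<=>B SA.
access-list VPN-TO-B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN-TO-B extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! Crypto ACL for the tunnel to C, with the mirror-image B -> C addition.
access-list VPN-TO-C extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list VPN-TO-C extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0

! NAT exemption (8.0 "nat 0" style) so hub-LAN traffic to either spoke is
! not translated before it hits the crypto ACL. The hairpinned B<->C flow
! never enters via "inside", so nat (inside) does not touch it.
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-B
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address VPN-TO-C
crypto map OUTSIDE_MAP 20 set peer 203.0.113.3
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! ===== Spoke router "B" (IOS) =====
! Crypto ACL: B's LAN to A's LAN (existing) plus B's LAN to C's LAN (new).
! The proxy identities must mirror the VPN-TO-B lines on the hub exactly.
ip access-list extended VPN-TO-A
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255

! NAT exemption on the spoke: deny VPN-bound traffic before the overload
! permit, otherwise the B -> C packets are PATed and never match the crypto ACL.
ip access-list extended NAT-OUTBOUND
 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 deny   ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.0.255 any
ip nat inside source list NAT-OUTBOUND interface FastEthernet0/0 overload

! Spoke C is the mirror image: swap 10.2.0.0 and 10.3.0.0 in both ACLs.
```

After clearing the SAs on each side, the check a practitioner wants is `show crypto ipsec sa` on the hub: a working setup shows a separate IPsec SA whose local/remote identities are 10.3.0.0/24 and 10.2.0.0/24 (and the reverse) under each peer, with encaps/decaps counters climbing. If that SA never forms, the proxy identities on one end do not mirror the other; if it forms but the counters stay at zero in one direction, NAT on a spoke is the usual cause. On the ASA, `packet-tracer input outside tcp 10.2.0.10 1234 10.3.0.10 80` walks the hairpinned flow through the ACL, NAT and VPN phases and names the phase that drops it.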
