Route between two VPNs

leoruben2308
Level 1

Hi All,

I have been endlessly searching around online, and trying things on the firewall, and can't seem to find an answer to this problem. It's probably something really simple right under my nose!

I am using an ASA 5510, which currently has a few separate site-to-site VPN connections configured, which connect to other Cisco devices on clients' networks.

I work from home, so I also connect to our network using Remote Access VPN (AnyConnect) to connect to the network at the datacentre.

Just to be clear, here is my amazingly drawn network diagram;

      [[my house]]-------------- <anyconnect VPN>------------[[ASA 5510 / Datacentre]]-----------<site-to-site>-----------------[[Client network]]

The problem I am having is that I cannot connect directly from my house to the client network. I need to RDP into some server in the datacentre, and from there I can see the client's network.

Is there routing to be set up somewhere, between VPNs? I've looked into the routing options on the firewall and can't seem to find anything that works.

I've searched for this and can't find answers; some sources even say it's impossible. Surely not?????


7 Replies

rizwanr74
Level 7

Yes, it is possible; you are just missing the no-nat on the outside interface.

Please post your config and I will advise the no-nat where it must go.

thanks

Rizwan Rafeek

You will need to include the client network in your tunnel list, and configure 'same-security-traffic permit intra-interface'.  Also, you will need to modify the site to site tunnel between the client network and the data center so that the addresses handed out to AnyConnect users are included in the encryption domain.

Matt

Thanks, it's good to know it is possible after all.

I'll have to look at the 'same-security-traffic permit intra-interface' command.

The addresses handed out to the AnyConnect clients are in the same subnet / range as the datacentre private network (as there are only about 10 devices there, all on static private addresses), so if the client network already has our private network as part of the encryption domain, and the AnyConnect clients are on the same addresses, nothing is required in that respect?

Hi Rizwan, I have attached the config to my first post, thanks.

name 10.0.21.0 Gower-Private
name 10.0.20.105 MAIL_APP_DNS

object-group network DM_INLINE_NETWORK_4
network-object host MAIL_APP_DNS
network-object host 10.0.20.110

object-group network DM_INLINE_NETWORK_3
network-object 10.151.30.0 255.255.255.248
network-object 212.9.3.72 255.255.255.248

access-list outside_1_cryptomap extended permit ip 10.0.20.0 255.255.255.0 212.9.20.240 255.255.255.248
access-list outside_2_cryptomap_1 extended permit ip 10.0.20.0 255.255.255.0 Gower-Private 255.255.255.0
access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3

Which remote LAN network segment are you having the issue with, i.e. cannot connect to while on the remote VPN client?

I put all your remote LAN segments into an object-group.

object-group network REMOTE-LANS
network-object 10.151.30.0 255.255.255.248
network-object 212.9.3.72 255.255.255.248
network-object 10.0.21.0 255.255.255.0
network-object 212.9.20.240 255.255.255.248

access-list outside_nat0 extended permit ip 10.0.20.0 255.255.255.0 object-group REMOTE-LANS
access-list outside_nat0 extended permit ip object-group REMOTE-LANS 10.0.20.0 255.255.255.0

same-security-traffic permit intra-interface

nat (outside) 0 access-list outside_nat0

Let me know the result.

thanks
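The accepted answer works because three things line up on the ASA for a flow that enters on the outside interface (AnyConnect) and leaves on the same interface (site-to-site): intra-interface traffic is permitted, the client/remote-LAN pair is exempt from NAT in both directions via the nat 0 ACL, and, as Matt's reply points out, the pair is inside the site-to-site crypto ACL. The script below is an added example, not code from the thread or from Cisco; it parses the pre-8.3 style lines posted above (name, object-group network, access-list ... extended permit ip, same-security-traffic, nat (outside) 0) and reports which of the three conditions hold for a given client address and remote host. The sample configuration is constructed from the lines in this thread; the 10.0.20.200 client address (a pool address inside 10.0.20.0/24, as the original poster describes) and the 10.0.50.5 address (a hypothetical pool outside the LAN) are assumptions for illustration.

```python
"""Check whether an AnyConnect client can hairpin through an ASA into a site-to-site tunnel.

A flow that arrives on 'outside' from a remote-access client and must leave on 'outside'
again inside a LAN-to-LAN tunnel needs: same-security-traffic permit intra-interface,
a nat 0 exemption covering the pair in both directions, and the pair inside the crypto ACL.
"""
import ipaddress

# Constructed sample: the configuration lines posted in the thread plus the accepted answer.
ASA_CONFIG = """
name 10.0.21.0 Gower-Private
name 10.0.20.105 MAIL_APP_DNS
object-group network DM_INLINE_NETWORK_4
 network-object host MAIL_APP_DNS
 network-object host 10.0.20.110
object-group network DM_INLINE_NETWORK_3
 network-object 10.151.30.0 255.255.255.248
 network-object 212.9.3.72 255.255.255.248
object-group network REMOTE-LANS
 network-object 10.151.30.0 255.255.255.248
 network-object 212.9.3.72 255.255.255.248
 network-object 10.0.21.0 255.255.255.0
 network-object 212.9.20.240 255.255.255.248
access-list outside_1_cryptomap extended permit ip 10.0.20.0 255.255.255.0 212.9.20.240 255.255.255.248
access-list outside_2_cryptomap_1 extended permit ip 10.0.20.0 255.255.255.0 Gower-Private 255.255.255.0
access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
access-list outside_nat0 extended permit ip 10.0.20.0 255.255.255.0 object-group REMOTE-LANS
access-list outside_nat0 extended permit ip object-group REMOTE-LANS 10.0.20.0 255.255.255.0
same-security-traffic permit intra-interface
nat (outside) 0 access-list outside_nat0
"""


def resolve(token, names):
    """Map an ASA 'name' alias back to its address; plain addresses pass through unchanged."""
    return names.get(token, token)


def parse_endpoint(tokens, names, groups):
    """Consume one ACL / network-object endpoint and return (networks, remaining tokens)."""
    kind = tokens[0]
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if kind == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    if kind == "host":
        return [ipaddress.ip_network(resolve(tokens[1], names) + "/32")], tokens[2:]
    # "<network> <dotted mask>" form; ipaddress accepts a dotted netmask after the slash.
    return [ipaddress.ip_network(f"{resolve(tokens[0], names)}/{tokens[1]}")], tokens[2:]


def parse_config(text):
    """Extract names, network object-groups, permit-ip ACL entries and the two hairpin settings."""
    names, groups, acls = {}, {}, {}
    settings = {"intra_interface": False, "nat0_acl": None}
    current_group = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "name":
            names[tokens[2]] = tokens[1]
        elif tokens[:2] == ["object-group", "network"]:
            current_group = tokens[2]
            groups[current_group] = []
        elif tokens[0] == "network-object" and current_group:
            nets, _ = parse_endpoint(tokens[1:], names, groups)
            groups[current_group].extend(nets)
        elif tokens[0] == "access-list" and tokens[2:5] == ["extended", "permit", "ip"]:
            src, rest = parse_endpoint(tokens[5:], names, groups)
            dst, _ = parse_endpoint(rest, names, groups)
            acls.setdefault(tokens[1], []).append((src, dst))
        elif tokens[:3] == ["same-security-traffic", "permit", "intra-interface"]:
            settings["intra_interface"] = True
        elif tokens[0] == "nat" and tokens[2:4] == ["0", "access-list"]:
            settings["nat0_acl"] = tokens[4]          # the NAT-exemption ACL bound on that interface
        else:
            current_group = None                       # object-group members are contiguous
    return names, groups, acls, settings


def matches(entries, src_ip, dst_ip):
    """True if any (src networks, dst networks) ACL entry covers the pair."""
    return any(
        any(src_ip in net for net in src) and any(dst_ip in net for net in dst)
        for src, dst in entries
    )


def check_hairpin(config_text, client_ip, remote_ip, crypto_acl):
    """Evaluate the three hairpin conditions for one client -> remote-LAN flow."""
    _, _, acls, settings = parse_config(config_text)
    src, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(remote_ip)
    nat0 = acls.get(settings["nat0_acl"], [])
    return {
        "intra_interface": settings["intra_interface"],
        "nat_exempt_forward": matches(nat0, src, dst),
        "nat_exempt_return": matches(nat0, dst, src),
        "in_encryption_domain": matches(acls.get(crypto_acl, []), src, dst),
    }


def hairpin_ok(config_text, client_ip, remote_ip, crypto_acl):
    """True only when every condition holds."""
    return all(check_hairpin(config_text, client_ip, remote_ip, crypto_acl).values())


if __name__ == "__main__":
    for client, remote, acl in [
        ("10.0.20.200", "10.0.21.10", "outside_2_cryptomap_1"),  # pool inside 10.0.20.0/24 (assumed)
        ("10.0.50.5", "10.0.21.10", "outside_2_cryptomap_1"),    # hypothetical pool outside the LAN
        ("10.0.20.200", "212.9.3.75", "outside_3_cryptomap"),    # tunnel 3 encrypts only two hosts
    ]:
        print(client, "->", remote, check_hairpin(ASA_CONFIG, client, remote, acl))
```

The third case is the caveat worth keeping in mind: REMOTE-LANS puts 212.9.3.72/29 into the NAT exemption, but outside_3_cryptomap only carries two datacentre hosts as its local side, so an AnyConnect client address would be NAT-exempt yet still fall outside that tunnel's encryption domain. The second case shows why the original poster's pool placement matters: a pool outside 10.0.20.0/24 satisfies none of the ACL conditions until both the nat 0 ACL and the crypto ACL (on both peers) are extended to include it.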

Thank you very much!!! This worked a treat.
