L2L VPN issues

Ge Qu
Level 1

Hi,

We have an L2L VPN configured and working well on our ASA 5520 firewall. We NAT all the traffic to one public IP and we are able to access everything at the remote site via the VPN tunnel.

Now we want someone from the remote site to access one internal IP at our site. I don't know what access-list I need to implement or where I can apply that access-list.

Can anyone explain how this is going to work?

On which interface will the traffic arrive at the ASA? Do I need to apply an access-list on that interface? Do I need to no-NAT the destination IP, which is one of our internal IPs?

Thank you.

Accepted Solution

Hi,

You have two options:

1. Create a new tunnel group for the new remote site and make sure that only the specific IP is passed in the split tunnel ACL. This will prevent the remote site from connecting to other IPs.

2. You can create an ACL and assign it to the same group-policy in the ASA using the vpn-filter command. This ACL can allow access as required.

I would vote for method one. 
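As an added example (not part of the original question or the accepted answer), here is the second method from the answer written out as ASA configuration. Every address, interface name and object name below is assumed for illustration (remote LAN 192.168.50.0/24, local internal host 10.1.1.25, existing NAT public IP 198.51.100.5, peer 203.0.113.10, interface "inside"), and the NAT exemption uses pre-8.3 syntax, which is an assumption about the poster's ASA software version.

```cisco
! Added example, not from the original post. All addresses and names are assumed.
! ASA 8.2-style NAT syntax assumed for the exemption at the end.

! vpn-filter ACLs are written from the remote side's point of view:
! source = remote network, destination = local address. The ASA also
! evaluates the mirrored direction, so one line covers return traffic.
! Only the ports the remote user actually needs on the single internal host:
access-list L2L-REMOTE-FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.25 eq 443
access-list L2L-REMOTE-FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.25 eq 22

! The filter governs ALL traffic in the tunnel, including the site's existing
! outbound access that is NATed to the single public IP. Keep that working:
access-list L2L-REMOTE-FILTER extended permit ip 192.168.50.0 255.255.255.0 host 198.51.100.5
! Implicit deny at the end blocks every other internal destination.

! Attach the filter to the group-policy used by the existing L2L tunnel group
! (tunnel group is named after the peer address for a site-to-site tunnel).
group-policy L2L-REMOTE-GP internal
group-policy L2L-REMOTE-GP attributes
 vpn-filter value L2L-REMOTE-FILTER

tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L-REMOTE-GP

! The internal host must traverse the tunnel with its real address, so it is
! exempted from the global NAT (pre-8.3 syntax, assumed) ...
access-list NONAT extended permit ip host 10.1.1.25 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ... and added to the interesting-traffic (crypto map) ACL. The remote side
! must mirror this entry or the SA for this host pair will never be negotiated.
! "L2L-CRYPTO" is the assumed name of the existing crypto map ACL.
access-list L2L-CRYPTO extended permit ip host 10.1.1.25 192.168.50.0 255.255.255.0

! Verification once the tunnel is up:
! show vpn-sessiondb detail l2l        -> confirms which filter the session uses
! show access-list L2L-REMOTE-FILTER   -> per-line hit counts; the implicit
!                                         deny showing hits means something
!                                         beyond the allowed host was attempted
```

The vpn-filter does not by itself bring a new host into the tunnel; the crypto ACL and the NAT exemption do that, and the filter then restricts what the remote side can reach. Keeping the filter to specific ports rather than `permit ip` is the least-privilege choice the question is really asking for, and the hit counts on the filter give a simple audit trail of what the remote site is trying to reach.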
