Cisco Support Community
ASA 5510 communication between VPN Tunnels

I have a Cisco ASA 5510 that manages two VPN tunnels, which work just fine. We also configured the Remote Client, and that works OK. My question is: how can I get the client to communicate with the VPN tunnels, and the VPN tunnels to communicate with each other?

Thanks a lot.

FB

7 REPLIES
Re: ASA 5510 communication between VPN Tunnels

Hello,

On your ASA use the following command, which will enable the communication between tunnels (IPSec hairpinning):

same-security-traffic permit intra-interface

Pradeep

Re: ASA 5510 communication between VPN Tunnels

Thanks for the answer. Well, I read a little about IPSec hairpinning and enabled: same-security-traffic permit intra-interface

But the VPN client still cannot communicate with the other VPN tunnels. In fact, the client can ping any host on the INSIDE net, but can't ping any host on the VPN site-to-site tunnels. How can I achieve that?

Thanks.

FB

Re: ASA 5510 communication between VPN Tunnels

Do you need to have interesting traffic specified for the remote VPN client subnet to the site-to-site tunnel subnet?

Re: ASA 5510 communication between VPN Tunnels

I need to tunnel all traffic specified for the inside subnet as well as the other site-to-site tunnel subnets when connecting from the client, and vice versa. Since my VPN clients don't access the Internet from the ASA, I already set things up to access the Internet from the client using the native connection and tunnel all interesting traffic, but I can't access the other L2L tunnels using it.

Hope that is clear.

FB

Re: ASA 5510 communication between VPN Tunnels

Hi,

In addition to enabling IPsec hairpinning, you will also need to specify client VPN traffic as "interesting traffic" for it to pass through another L2L tunnel.

Pradeep

Re: ASA 5510 communication between VPN Tunnels

I already enabled IPSec hairpinning, but keep in mind that this allows traffic between tunnels that have the same security level. I don't think this could work between a remote client IPsec tunnel and an L2L IPsec tunnel. Maybe you can give me some further config details on how I can access my L2L tunnels using the remote client and vice versa.

Thanks in advance.

FB

Re: ASA 5510 communication between VPN Tunnels

Hi,

What the command "same-security-traffic permit intra-interface" does is allow VPN traffic to leave the same physical interface once traffic needs to go over the other VPN tunnel. This is not the same as client U-turn.

Additionally, the ASA will apply firewall rules, including ACL, NAT, etc., before sending traffic out the same interface.

After entering the IPsec hairpinning command, treat the client traffic as you would any other inside traffic that may need to pass through the L2L tunnel.

Pradeep
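An added configuration example, written for this page and not posted by anyone in the thread, that puts Pradeep's three points into concrete ASA syntax: enable hairpinning, make the client pool "interesting traffic" for the L2L crypto ACL, and exempt the hairpinned flows from NAT like any other inside-to-tunnel traffic. Pre-8.3 (`nat 0 access-list`) syntax is assumed, matching the ASA 5510 era of the thread. Every address, peer, ACL name and group-policy name is an assumption for illustration: inside 192.168.1.0/24, remote-access client pool 10.10.10.0/24, remote L2L site 192.168.2.0/24 behind peer 203.0.113.2. The same pattern (both remote subnets listed in each L2L crypto ACL and NAT exemption) is what lets the two site-to-site tunnels reach each other, which was the original question.

```cisco
! --- 1. IPsec hairpinning: traffic may enter and leave the outside interface ---
same-security-traffic permit intra-interface

! --- 2. Crypto ACL for the L2L tunnel to the remote site (names/subnets assumed) ---
! Both the inside LAN and the remote-access client pool are "interesting traffic".
! The remote peer's crypto ACL must mirror this exactly (its LAN <-> 192.168.1.0/24
! AND its LAN <-> 10.10.10.0/24), or phase 2 will not negotiate for the pool.
access-list L2L_SITEB extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L_SITEB extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto map OUTSIDE_MAP 10 match address L2L_SITEB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! --- 3. NAT exemption (pre-8.3 syntax assumed) ---
! Inside-originated flows: LAN -> clients and LAN -> remote site.
access-list INSIDE_NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list INSIDE_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT

! Hairpinned flows arrive on AND leave via outside, so they are matched by the
! outside NAT policy. Without this exemption the client pool gets translated and
! no longer matches the crypto ACL, which is the usual cause of "client reaches
! inside but not the L2L site".
access-list OUTSIDE_NONAT extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE_NONAT

! --- 4. Remote-access clients use split tunneling (per the thread), so the
!        remote site must be in the split-tunnel list or the client never sends
!        that traffic into the tunnel at all. ---
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.2.0 255.255.255.0

group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

To check the result, `show crypto ipsec sa peer 203.0.113.2` should list a second proxy identity (10.10.10.0/24 <-> 192.168.2.0/24) once a client sends traffic, and `packet-tracer input outside icmp 10.10.10.5 8 0 192.168.2.10` walks the hairpinned flow through the ACL, NAT and VPN phases and names the phase that drops it. Because the client pool is now part of the L2L security association, the remote site will accept traffic from any connected client; keep the interface ACL (or disable `sysopt connection permit-vpn` and filter explicitly) tight enough that the pool only reaches the hosts it should. On 8.3 and later the two `nat 0` lines become twice-NAT identity rules of the form `nat (outside,outside) source static <pool> <pool> destination static <site> <site>`.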
