Communicate Directly Between VPN Tunnel Sites

allan · ‎07-02-2008

I have an ASA 5505 in the main office and at several remote sites. I have setup a site to site vpn tunnel between the main office and each remote site, "Hub and Spoke". I can ping between the main office through each tunnel to the respective remote site. I need to be able to ping directly from each remote site to all other remote sites. Please note I am using ASDM to configure the ASA 5505's. tks

acomiskey · ‎07-02-2008

There are a few things you need to do here.

Main ASA

1. Enable "same-security-traffic permit intra-interface" to allow the vpn traffic to bounce off the outside interface on the hub firewall.

2. Edit your interesting traffic (crypto) acls to reflect the new traffic which will be part of the vpn tunnels between main and remote sites. For instance right now your crypto acls include traffic between main site and remote sites. You need to add acl for traffic between remote site to remote site. The config below will allow traffic from remote site 1 to remote site 2.

access-list crypto1 extended permit ip

access-list crypto2 extended permit ip

Remote ASA's

1. Add the new interesting traffic (crypto) acls. Mirror of the acls at main site ASA.

access-list crypto1 extended permit ip

access-list crypto2 extended permit ip

2. Add nat exemption for traffic from remote sites to remote sites for each remote ASA.

access-list inside_nat0_outbound extended permit ip