07-02-2008 02:18 AM
I have an ASA 5505 in the main office and at seven remote sites. I have set up a site-to-site VPN tunnel between the main office and each remote site, "Hub and Spoke". I can ping from the main office through each tunnel to the respective remote site. I need to be able to ping directly from each remote site to all other remote sites. Please note I am using ASDM to configure the ASA 5505's. tks
07-02-2008 07:02 AM
There are a few things you need to do here.
Main ASA
1. Enable "same-security-traffic permit intra-interface" to allow the vpn traffic to bounce off the outside interface on the hub firewall.
2. Edit your interesting traffic (crypto) acls to reflect the new traffic which will be part of the vpn tunnels between main and remote sites. For instance, right now your crypto acls include traffic between the main site and the remote sites. You need to add acls for traffic from remote site to remote site. The config below will allow traffic from remote site 1 to remote site 2.
access-list crypto1 extended permit ip
access-list crypto1 extended permit ip
access-list crypto2 extended permit ip
access-list crypto2 extended permit ip
Remote ASA's
1. Add the new interesting traffic (crypto) acls. Mirror of the acls at main site ASA.
access-list crypto1 extended permit ip
access-list crypto1 extended permit ip
access-list crypto2 extended permit ip
access-list crypto2 extended permit ip
2. Add nat exemption for traffic from remote sites to remote sites for each remote ASA.
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
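The answer above shows the three pieces (hairpinning on the hub, crypto ACLs on both ends, NAT exemption on the spokes) for one pair of remote sites. With seven spokes the number of ACL entries grows quickly and a single non-mirrored entry is enough for a tunnel to come up but drop traffic one way. The following script is an added example, not part of this thread or of any Cisco tool: it generates the hub and spoke configuration lines for any number of sites and checks that each spoke's crypto ACL is the exact mirror of the hub's ACL for that tunnel. The site names, subnets and masks are constructed for illustration; the ACL names follow the crypto1/crypto2 and inside_nat0_outbound pattern used in the answer.

```python
"""Generate hub-and-spoke ASA config lines for a hub plus N spokes and verify
that each spoke's crypto ACL mirrors the hub's.  Hypothetical example; all
sites and subnets below are constructed, not taken from the thread."""

from typing import Dict, List, Tuple

Net = Tuple[str, str]  # (network, mask) in ASA's dotted form

# Constructed sample topology: the main office and three of the remote sites.
HUB_NET: Net = ("10.0.0.0", "255.255.255.0")
SPOKES: Dict[str, Net] = {
    "site1": ("10.1.0.0", "255.255.255.0"),
    "site2": ("10.2.0.0", "255.255.255.0"),
    "site3": ("10.3.0.0", "255.255.255.0"),
}


def ace(acl: str, src: Net, dst: Net) -> str:
    """One 'extended permit ip' entry in ASA access-list syntax."""
    return f"access-list {acl} extended permit ip {src[0]} {src[1]} {dst[0]} {dst[1]}"


def hub_config(hub: Net, spokes: Dict[str, Net]) -> List[str]:
    """Hub ASA: allow traffic to enter and leave on the outside interface, then
    one crypto ACL per spoke tunnel covering hub->spoke and every other
    spoke->spoke, since spoke-to-spoke packets transit the hub."""
    lines = ["same-security-traffic permit intra-interface"]
    for idx, (name, net) in enumerate(spokes.items(), start=1):
        acl = f"crypto{idx}"
        lines.append(ace(acl, hub, net))
        for other, onet in spokes.items():
            if other != name:
                lines.append(ace(acl, onet, net))
    return lines


def spoke_config(name: str, hub: Net, spokes: Dict[str, Net]) -> List[str]:
    """Spoke ASA: mirror of the hub's crypto ACL for this tunnel, plus NAT
    exemption for spoke-to-spoke traffic.  The existing spoke->hub nat0 entry
    from the original hub-and-spoke setup is assumed to be in place already."""
    idx = list(spokes).index(name) + 1
    acl = f"crypto{idx}"
    me = spokes[name]
    lines = [ace(acl, me, hub)]
    others = [(o, onet) for o, onet in spokes.items() if o != name]
    lines += [ace(acl, me, onet) for _, onet in others]
    lines += [ace("inside_nat0_outbound", me, onet) for _, onet in others]
    return lines


def parse_ace(line: str) -> Tuple[str, Net, Net]:
    """Split an ACE back into (acl name, src, dst) for comparison."""
    p = line.split()
    # access-list NAME extended permit ip SRC SMASK DST DMASK
    return p[1], (p[5], p[6]), (p[7], p[8])


def mirrors(hub_lines: List[str], spoke_lines: List[str], acl: str) -> bool:
    """True when the spoke's entries for `acl` are the exact src/dst mirror of
    the hub's entries for the same ACL.  Any asymmetry here is the usual cause
    of a tunnel that negotiates but passes traffic in only one direction."""
    def pairs(lines: List[str], flip: bool) -> set:
        out = set()
        for line in lines:
            if not line.startswith("access-list"):
                continue  # skip non-ACL lines such as same-security-traffic
            name, src, dst = parse_ace(line)
            if name == acl:
                out.add((dst, src) if flip else (src, dst))
        return out
    return pairs(hub_lines, flip=False) == pairs(spoke_lines, flip=True)


if __name__ == "__main__":
    hub = hub_config(HUB_NET, SPOKES)
    print("! main office ASA")
    print("\n".join(hub))
    for i, site in enumerate(SPOKES, start=1):
        spoke = spoke_config(site, HUB_NET, SPOKES)
        print(f"\n! {site} ASA (crypto{i} mirrors hub: {mirrors(hub, spoke, f'crypto{i}')})")
        print("\n".join(spoke))
```

The generated lines are CLI; the same objects appear in ASDM under the NAT and crypto map / ACL pages mentioned later in the thread, and the mirror check is worth running against whatever ASDM produces before assuming the spoke-to-spoke path is complete.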
07-02-2008 10:46 AM
Is there anyway to translate all of this into ASDM?
07-02-2008 12:28 PM
Probably... haha, just kidding.
The nat exemption will be under Config -> Firewall -> NAT
Crypto ACL's are under Config -> Remote Access VPN -> Crypto ACL's or something to that effect.