Community Member

Communicate Directly Between VPN Site to Site Locations

I have an ASA 5505 in the main office and at seven remote sites. I have set up a site-to-site VPN tunnel between the main office and each remote site, "hub and spoke". I can ping from the main office through each tunnel to the respective remote site. I need to be able to ping directly from each remote site to all other remote sites. Please note I am using ASDM to configure the ASA 5505s. tks

3 REPLIES
Green

Re: Communicate Directly Between VPN Site to Site Locations

There are a few things you need to do here.

Main ASA

1. Enable "same-security-traffic permit intra-interface" to allow the vpn traffic to bounce off the outside interface on the hub firewall.

2. Edit your interesting traffic (crypto) ACLs to reflect the new traffic which will be part of the VPN tunnels between main and remote sites. For instance, right now your crypto ACLs include traffic between the main site and the remote sites. You need to add ACL entries for traffic between remote site and remote site. The config below will allow traffic from remote site 1 to remote site 2.

access-list crypto1 extended permit ip

access-list crypto1 extended permit ip

access-list crypto2 extended permit ip

access-list crypto2 extended permit ip

Remote ASAs

1. Add the new interesting traffic (crypto) ACLs. Mirror of the ACLs at the main site ASA.

access-list crypto1 extended permit ip

access-list crypto1 extended permit ip

access-list crypto2 extended permit ip

access-list crypto2 extended permit ip

2. Add NAT exemption for traffic from remote sites to remote sites on each remote ASA.

access-list inside_nat0_outbound extended permit ip

access-list inside_nat0_outbound extended permit ip

access-list inside_nat0_outbound extended permit ip

access-list inside_nat0_outbound extended permit ip

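Worked config for the three steps above (hub plus spoke 1), added here as an illustration and not taken from the reply. All addresses, ACL names, peer IPs and the transform-set name are constructed; hub inside is 10.0.0.0/24, spoke 1 is 10.1.0.0/24, spoke 2 is 10.2.0.0/24, and the crypto map lines are assumed to already exist from the original hub-and-spoke setup (pre-8.3 ASA syntax, matching the nat0 ACL style used above).

```cisco
! ---- Main office (hub) ASA, constructed example ----
! Allow traffic that arrives on outside from one tunnel to leave via outside into another tunnel
same-security-traffic permit intra-interface
!
! Tunnel to spoke 1 now carries hub<->spoke1 AND spoke2->spoke1 traffic
access-list crypto1 extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list crypto1 extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
! Tunnel to spoke 2 now carries hub<->spoke2 AND spoke1->spoke2 traffic
access-list crypto2 extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list crypto2 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
crypto map outside_map 10 match address crypto1
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 match address crypto2
crypto map outside_map 20 set peer 198.51.100.2
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

! ---- Spoke 1 ASA: exact mirror of the hub's crypto1 ----
access-list crypto1 extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list crypto1 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
! NAT exemption: spoke 1 traffic bound for the hub or for spoke 2 must not be translated
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
crypto map outside_map 10 match address crypto1
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
```

Spoke 2 gets the same block with 10.1.0.0 and 10.2.0.0 swapped (mirroring the hub's crypto2); after a spoke-to-spoke ping, "show crypto ipsec sa peer 198.51.100.1" on the hub should list the 10.2.0.0/24 to 10.1.0.0/24 proxy identity as its own SA, which is the quickest way to confirm the new ACL entries matched.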
Community Member

Re: Communicate Directly Between VPN Site to Site Locations

Is there any way to translate all of this into ASDM?

Green

Re: Communicate Directly Between VPN Site to Site Locations

Probably... haha, just kidding.

The NAT exemption will be under Config -> Firewall -> NAT.

Crypto ACLs are under Config -> Remote Access VPN -> Crypto ACLs, or something to that effect.
