ASA-5500s: Remote access users need site-to-site access
I have several ASA-5500-series devices deployed to our various locations. Remote users VPN in to our main office's ASA-5510, but recently they've needed access to the network resources that are available on the site-to-site VPNs. However, remote users are not able to access anything on the site-to-site VPNs, and I'm sure there's some reconfiguration I need to do before it's possible. However, all my attempts thus far have been unsuccessful. Is this possible, and if so, what do I need to reconfigure to make this work? Thanks!
Re: ASA-5500s: Remote access users need site-to-site access
You need to do 2 things:
1) Add your VPN client addresses to the crypto access-lists for the site-to-site VPN tunnels. You will need to do this on both ends of the VPN tunnel. Also, if you have NAT exemptions for these addresses, you will need to add to those as well.
2) Assuming your traffic for the site-to-site VPNs and remote access VPNs comes in on the same interface, you will need to enable hairpinning on your ASA, i.e., traffic can go back out the same interface it was received on. Use the following command
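The two steps above, written out as an added configuration example (this is not the answer's own config and the original reply's command is not shown on the page). It uses ASA 8.3+ NAT syntax, which is assumed; the object names, the 10.10.50.0/24 client pool, the 192.168.10.0/24 head-end LAN, the 192.168.20.0/24 branch LAN and the crypto map name are all made up for illustration. The existing crypto map entry (peer, transform set) is left as it already is and only its match ACL changes.

```cisco
! === Head-end ASA-5510 (terminates both the remote-access and the site-to-site VPN) ===
! Remote-access client pool (assumed addresses)
ip local pool RA_POOL 10.10.50.1-10.10.50.254 mask 255.255.255.0

object network HQ_NET
 subnet 192.168.10.0 255.255.255.0
object network BRANCH_NET
 subnet 192.168.20.0 255.255.255.0
object network RA_POOL_NET
 subnet 10.10.50.0 255.255.255.0

! Step 1a: crypto ACL for the site-to-site tunnel now also carries the client pool
access-list L2L_TO_BRANCH extended permit ip object HQ_NET object BRANCH_NET
access-list L2L_TO_BRANCH extended permit ip object RA_POOL_NET object BRANCH_NET
crypto map OUTSIDE_MAP 10 match address L2L_TO_BRANCH

! Step 1b: NAT exemption (identity twice NAT). The client traffic arrives on
! outside and leaves on outside, so its exemption is (outside,outside).
nat (inside,outside) source static HQ_NET HQ_NET destination static BRANCH_NET BRANCH_NET
nat (outside,outside) source static RA_POOL_NET RA_POOL_NET destination static BRANCH_NET BRANCH_NET

! Step 2: hairpinning, so decrypted client traffic may re-enter the outside
! interface and go into the site-to-site tunnel
same-security-traffic permit intra-interface

! === Branch ASA (the other end of the same tunnel): mirror image ===
object network HQ_NET
 subnet 192.168.10.0 255.255.255.0
object network BRANCH_NET
 subnet 192.168.20.0 255.255.255.0
object network RA_POOL_NET
 subnet 10.10.50.0 255.255.255.0

access-list L2L_TO_HQ extended permit ip object BRANCH_NET object HQ_NET
access-list L2L_TO_HQ extended permit ip object BRANCH_NET object RA_POOL_NET
crypto map OUTSIDE_MAP 10 match address L2L_TO_HQ

nat (inside,outside) source static BRANCH_NET BRANCH_NET destination static HQ_NET HQ_NET
nat (inside,outside) source static BRANCH_NET BRANCH_NET destination static RA_POOL_NET RA_POOL_NET
```

The crypto ACLs on the two ends must mirror each other exactly, or phase 2 will not negotiate a security association for the client pool. On ASA releases before 8.3 the same exemption is expressed as `nat (outside) 0 access-list <acl>` with an ACL matching the pool to the branch network instead of the twice-NAT lines. If the remote-access group uses split tunnelling, the branch network also has to be in the split-tunnel ACL pushed to the clients, otherwise the client never sends that traffic into the VPN in the first place.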