New Member

ASA-5500s: Remote access users need site-to-site access

I have several ASA-5500-series devices deployed to our various locations. Remote users VPN in to our main office's ASA-5510, but recently they've needed access to the network resources that are available on the site-to-site VPNs. However, remote users are not able to access anything on the site-to-site VPNs, and I'm sure there's some reconfiguration I need to do before it's possible. However, all my attempts thus far have been unsuccessful. Is this possible, and if so, what do I need to reconfigure to make this work? Thanks!

Accepted Solution
Green

Re: ASA-5500s: Remote access users need site-to-site access

Yes this is possible.

You need to...

1. enable "same-security-traffic permit intra-interface"

2. Add the traffic from the vpn client subnet to the interesting traffic for the lan2lan tunnel on the local and remote firewalls.

3. If using split tunneling, ensure the remote network you require access to is being tunneled.

This may also help...

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Please rate helpful posts.

3 REPLIES
Hall of Fame Super Blue

Re: ASA-5500s: Remote access users need site-to-site access

Hi

You need to do 2 things

1) Add your VPN client addresses to the crypto access-lists for the site-to-site VPN tunnels. You will need to do this on both ends of the VPN tunnel. Also, if you have NAT exemptions for these addresses, you will need to add them to those as well.

2) Assuming your traffic for the site-to-site VPNs and remote access VPNs comes in on the same interface, you will need to enable hairpinning on your ASA, i.e., traffic can go back out the same interface it was received on. Use the following command

same-security-traffic permit intra-interface

HTH

Jon
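Here is what the steps from both replies look like on the two firewalls, as an added configuration example written for this thread (not from the original posts or the linked Cisco document). The addresses, ACL, crypto map, transform-set and group-policy names are assumed, the transform set and group policy are assumed to exist already, and the NAT exemption uses pre-8.3 `nat 0 access-list` syntax.

```cisco
! Main-office ASA-5510 (hub). Assumed addresses, not from the thread:
!   inside LAN 10.1.0.0/24, remote-site LAN 10.2.0.0/24 (behind the lan2lan tunnel),
!   VPN client pool 192.168.100.0/24, remote peer 203.0.113.2 (documentation address)

! Step 1: let client traffic arriving on outside be sent back out of outside (hairpinning)
same-security-traffic permit intra-interface

! Step 2: the lan2lan crypto ACL must match the client pool as well as the local LAN
access-list L2L_REMOTE extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list L2L_REMOTE extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! NAT exemption (pre-8.3 syntax): neither the LAN nor the client pool may be translated
! toward the remote site; the outside entry covers the hairpinned client traffic
access-list NO_NAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NO_NAT extended permit ip 10.1.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
nat (outside) 0 access-list NO_NAT

! Step 3: with split tunneling, the remote-site LAN must be in the tunneled network list,
! otherwise the client sends 10.2.0.0/24 traffic out its local interface instead
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Remote-site ASA: mirror image of the crypto ACL and NAT exemption (Step 2, remote end)
access-list L2L_MAIN extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list L2L_MAIN extended permit ip 10.2.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NO_NAT extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NO_NAT extended permit ip 10.2.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! Check: after a client reaches a remote-site host, an IPsec SA pair for
! 192.168.100.0/24 <-> 10.2.0.0/24 should appear under "show crypto ipsec sa peer 203.0.113.2"
```

If the SA pair never forms, compare the two crypto ACLs line by line: the proxy identities must be exact mirror images or the tunnel negotiation for the client pool will fail.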

New Member

Re: ASA-5500s: Remote access users need site-to-site access

Good to see two stars replying almost instantly!
