
Access Remote site through site-to-site

I want to be sure whether this is a working configuration:

"local site"

Int vlan x

description ** inside **

ip address 192.168.2.0/24

!

object network inside-local-network

subnet 192.168.2.0 255.255.255.0

!

object network inside-sslvpn-network

subnet 192.168.50.96 255.255.255.224

!

object network remote-network

subnet 192.168.1.0 255.255.255.0

!

nat (inside,outside) source static any any destination static inside-sslvpn-network inside-sslvpn-network

!

nat (inside,outside) source static inside-local-network  inside-local-network destination static remote_network remote_network

nat (inside,outside) source static inside-local-network  inside-local-network  destination static inside-sslvpn-network inside-sslvpn-network

!

same-security-traffic permit intra-interface

I am using "split_ACL" as well:

access-list split extended permit ip object inside-local-network object inside-sslvpn-network

access-list split extended permit ip object inside-local-network object remote-network

****************************************************************************************************************************************

"remote site"

Int vlan x

description ** inside **

ip address 192.168.1.1/24

!

object network inside-local-network

subnet 192.168.1.0 255.255.255.0

!

object network inside-sslvpn-network

subnet 192.168.50.96 255.255.255.224

!

object network remote-network

subnet 192.168.2.0 255.255.255.0

!

nat (inside,outside) source static any any destination static inside-sslvpn-network inside-sslvpn-network

!

nat (inside,outside) source static inside-local-network inside-local-network  destination static remote_network remote_network

nat (inside,outside) source static inside-local-network inside-local-network destination static inside-sslvpn-network inside-sslvpn-network

!

same-security-traffic permit intra-interface

access-list split extended permit ip object inside-local-network object inside-sslvpn-network

access-list split extended permit ip object inside-local-network object remote-network

Am I doing something wrong here, guys?

3 REPLIES
Access Remote site through site-to-site

Maybe I have just been unclear in my previous comment.

The remote users are connecting via AnyConnect to "local site" and want to access resources on "remote site".

Access Remote site through site-to-site

Hello Vucko,

I mean, if what you are looking for is to evaluate whether each of the ASAs has the right NAT statements for the users to use the AnyConnect client and get natted properly: yes, the NAT looks good.

You also have the rules to allow traffic being generated behind the same interface...

Let me know if this is what you want to accomplish,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Access Remote site through site-to-site

Thanks for your help so far, Julio!

I don't really understand well what you exactly mean with "generating rules to allow traffic being generated behind the same interface..."

What should those rules look like?

/S
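A consistency check that can be run on a configuration like the one posted in this thread, as an added example that is not part of any post: it lists object names that `nat` or `access-list` lines reference but no `object network` block defines, such as `remote_network` next to the defined `remote-network`. The function names are hypothetical and the sample is the "local site" lines from the thread, condensed.

```python
import ipaddress

# Constructed sample: the "local site" lines from the thread, condensed.
CONFIG = """\
object network inside-local-network
 subnet 192.168.2.0 255.255.255.0
object network inside-sslvpn-network
 subnet 192.168.50.96 255.255.255.224
object network remote-network
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static any any destination static inside-sslvpn-network inside-sslvpn-network
nat (inside,outside) source static inside-local-network inside-local-network destination static remote_network remote_network
nat (inside,outside) source static inside-local-network inside-local-network destination static inside-sslvpn-network inside-sslvpn-network
access-list split extended permit ip object inside-local-network object inside-sslvpn-network
access-list split extended permit ip object inside-local-network object remote-network
"""

def parse_objects(text):
    """Map each 'object network NAME' to the subnet on its following line."""
    objects, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["object", "network"] and len(words) == 3:
            current = words[2]
        elif current and words[:1] == ["subnet"] and len(words) == 3:
            objects[current] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
            current = None
    return objects

def referenced_names(line):
    """Object names used by a twice-NAT rule or an 'object NAME' ACL term."""
    words = line.split()
    if words[:1] == ["nat"]:
        names = []
        for i, w in enumerate(words):
            if w in ("static", "dynamic"):
                names += words[i + 1:i + 3]  # real and mapped object
        return [n for n in names if n not in ("any", "interface")]
    if words[:1] == ["access-list"]:
        return [words[i + 1] for i, w in enumerate(words[:-1]) if w == "object"]
    return []

def undefined_references(text):
    """Return sorted (line_number, name) pairs for references with no definition."""
    objects = parse_objects(text)
    return sorted({(no, name)
                   for no, line in enumerate(text.splitlines(), 1)
                   for name in referenced_names(line)
                   if name not in objects})
```

Running `undefined_references(CONFIG)` on the sample reports the second `nat` line, whose destination objects are spelled with an underscore while the object is defined with a hyphen.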
