I have two site-to-site VPNs and also remote VPN clients. I want to create a full mesh between the L2L VPNs and the remote access clients so that all sites can access each other and the remote users can also access the sites. How can I achieve this in ASA? I guess same-security-traffic permit intra-interface works, but what are the ACLs to be configured?
It's difficult to explain how to do this without specific IP addressing, but the approach I would follow would be to first configure the site-to-site VPNs and make sure that everything is working. After this, configure the remote access VPN.
If for example the remote users are in 192.168.200.0/24 subnet and you have a VPN site with the 192.168.1.0/24 subnet then you should create an access-list applied on the outside interface (incoming) with the source being 192.168.200.0/24 and the destination 192.168.1.0/24, for traffic from the remote to the site VPN.
You will need to set up the appropriate NAT exemptions; although it's a little messy, it works. Ah, and keep that same-security-traffic permit intra-interface rule.
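As an added illustration (not part of the original answer or the poster's configuration), the following is a constructed ASA 8.3+ configuration fragment for the hub that terminates both site-to-site tunnels and the remote-access clients. All names and addresses (HUB-LAN 10.0.0.0/24, SITE-A-LAN 192.168.1.0/24, SITE-B-LAN 192.168.2.0/24, RA-VPN-POOL 192.168.200.0/24, the ACL and group-policy names) are assumptions chosen for the example. The three pieces that make the mesh work are the intra-interface permit, identity (exempt) NAT for every VPN-to-VPN pair on the outside interface, and crypto/split-tunnel ACLs that list the *other* VPN networks as "local" to each tunnel.

```cisco
! 1. Allow traffic that arrives on outside to leave via outside again (VPN hairpinning)
same-security-traffic permit intra-interface

! 2. Network objects (constructed example addressing)
object network HUB-LAN
 subnet 10.0.0.0 255.255.255.0
object network SITE-A-LAN
 subnet 192.168.1.0 255.255.255.0
object network SITE-B-LAN
 subnet 192.168.2.0 255.255.255.0
object network RA-VPN-POOL
 subnet 192.168.200.0 255.255.255.0

! 3. Identity NAT (exemption) for every VPN-to-VPN pair that hairpins on outside.
!    Without these, regular outside NAT rules would translate the hairpinned traffic
!    and it would no longer match the crypto ACLs.
nat (outside,outside) source static RA-VPN-POOL RA-VPN-POOL destination static SITE-A-LAN SITE-A-LAN no-proxy-arp route-lookup
nat (outside,outside) source static RA-VPN-POOL RA-VPN-POOL destination static SITE-B-LAN SITE-B-LAN no-proxy-arp route-lookup
nat (outside,outside) source static SITE-A-LAN SITE-A-LAN destination static SITE-B-LAN SITE-B-LAN no-proxy-arp route-lookup
! Usual inside-to-VPN exemptions are still needed
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SITE-A-LAN SITE-A-LAN no-proxy-arp route-lookup
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SITE-B-LAN SITE-B-LAN no-proxy-arp route-lookup
nat (inside,outside) source static HUB-LAN HUB-LAN destination static RA-VPN-POOL RA-VPN-POOL no-proxy-arp route-lookup

! 4. Crypto ACLs: from the hub's point of view, the hub LAN, the other site and the
!    remote-access pool are all "local" to each site-to-site tunnel. The peer at each
!    site must mirror these entries (swap source and destination) or phase 2 will not
!    come up for the extra pairs.
access-list L2L-SITE-A extended permit ip object HUB-LAN object SITE-A-LAN
access-list L2L-SITE-A extended permit ip object SITE-B-LAN object SITE-A-LAN
access-list L2L-SITE-A extended permit ip object RA-VPN-POOL object SITE-A-LAN

access-list L2L-SITE-B extended permit ip object HUB-LAN object SITE-B-LAN
access-list L2L-SITE-B extended permit ip object SITE-A-LAN object SITE-B-LAN
access-list L2L-SITE-B extended permit ip object RA-VPN-POOL object SITE-B-LAN

! 5. Remote-access split tunnel: push the hub LAN and both sites so client traffic to
!    them enters the tunnel instead of going out the client's local internet path.
access-list RA-SPLIT standard permit 10.0.0.0 255.255.255.0
access-list RA-SPLIT standard permit 192.168.1.0 255.255.255.0
access-list RA-SPLIT standard permit 192.168.2.0 255.255.255.0
group-policy RA-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT
```

Two practitioner notes on this layout. First, with the default sysopt connection permit-vpn in effect, decrypted VPN traffic bypasses the outside interface ACL, so the crypto ACLs and NAT exemptions above are what actually decide which networks can reach each other; if you want to restrict which sites or clients may talk to which (rather than a fully open mesh), either disable that sysopt and write an explicit outside ACL, or use vpn-filter on the group policies. Second, verify the hairpin with show crypto ipsec sa (look for matching encaps/decaps counters on the extra SA pairs) and packet-tracer input outside from a pool address to a site address, which will show the NAT and crypto-map phases and quickly reveal a missing exemption.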