09-17-2010 09:18 AM - edited 02-21-2020 04:51 PM
Here is the scenario: users remote VPN into an ASA5510 with split tunneling. The ASA has a site-to-site tunnel to another site. Remote access VPN users need to be able to come in and then go back out to devices over that site-to-site tunnel. Is that even possible? Most of what I see about hairpinning is for Internet access when not using split tunneling.
Thanks!
09-17-2010 09:26 AM
You can make this work. First you will need to make sure that the "same-security-traffic permit intra-interface" command is configured. You will then want to update your remote access split-tunneling ACL to include the subnets reachable via the L2L tunnel. This way, the clients will be provided with a static route directing the traffic via the remote access tunnel. The crypto ACL for the L2L tunnel will need to include either a specific or summary entry permitting the VPN client pool to the destination subnets. The corresponding crypto ACL on the far side of the L2L tunnel will need to be updated with a reverse mirror of the hub configuration. Finally, if you have NAT configured on the ASA you will need to include an exemption rule for the VPN client pool->remote subnet traffic flows.
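The steps in the reply above, written out as an added ASA configuration example that is not part of the original post or of Cisco's documentation. Every address and name in it is an assumption chosen for illustration: 10.1.1.0/24 as the inside LAN, 10.10.10.0/24 as the remote-access client pool, 10.2.2.0/24 as the LAN behind the site-to-site (L2L) tunnel, 203.0.113.2 as the L2L peer, and the names vpnpool, split_tunnel, l2l_crypto, nonat, nonat_outside, ra_policy, ra_group and outside_map. The NAT exemption lines use the pre-8.3 `nat 0 access-list` syntax that an ASA5510 of that era would run.

```cisco
! --- assumed topology (not from the original post) ---
!   inside LAN        10.1.1.0/24     (interface "inside")
!   RA client pool    10.10.10.0/24   (pool "vpnpool")
!   remote L2L LAN    10.2.2.0/24     behind peer 203.0.113.2
!
! 1. Let traffic that arrives on "outside" (the RA tunnel) leave on
!    "outside" again (the L2L tunnel): the hairpin.
same-security-traffic permit intra-interface

! 2. Remote-access pool and split-tunnel ACL. The ACL must list the
!    inside LAN AND the subnet behind the L2L tunnel, so the client
!    installs a route for 10.2.2.0/24 via the RA tunnel.
ip local pool vpnpool 10.10.10.1-10.10.10.254 mask 255.255.255.0
access-list split_tunnel standard permit 10.1.1.0 255.255.255.0
access-list split_tunnel standard permit 10.2.2.0 255.255.255.0

group-policy ra_policy internal
group-policy ra_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel

tunnel-group ra_group type remote-access
tunnel-group ra_group general-attributes
 address-pool vpnpool
 default-group-policy ra_policy

! 3. L2L crypto ACL: the inside LAN and the RA client pool both go to
!    the remote LAN. Without the second line the hairpinned packets
!    never match the L2L tunnel and are dropped or sent in the clear.
access-list l2l_crypto extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list l2l_crypto extended permit ip 10.10.10.0 255.255.255.0 10.2.2.0 255.255.255.0

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address l2l_crypto
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <shared-secret-here>

! 4. NAT exemption (pre-8.3 syntax). Inside LAN to the client pool and
!    to the remote LAN must not be translated...
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

!    ...and neither must the hairpinned flow, client pool -> remote LAN,
!    which enters and leaves on "outside". This second exemption is only
!    needed if a NAT rule already applies to the outside interface.
access-list nonat_outside extended permit ip 10.10.10.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (outside) 0 access-list nonat_outside

! 5. On the far side of the L2L tunnel the crypto ACL (and its NAT
!    exemption) must be the mirror image, i.e. permit
!      10.2.2.0/24 -> 10.1.1.0/24   and
!      10.2.2.0/24 -> 10.10.10.0/24
!    otherwise the peer rejects the proposal for the client-pool proxy ID.
```

On ASA 8.3 and later the `nat 0 access-list` lines are replaced by identity (twice) NAT of the form `nat (inside,outside) source static obj-lan obj-lan destination static obj-remote obj-remote`, with an `(outside,outside)` rule for the client-pool to remote-LAN flow. Whatever the version, verify the result with `show crypto ipsec sa peer 203.0.113.2` from a connected client: a second SA pair with local identity 10.10.10.0/24 and remote identity 10.2.2.0/24 must appear, and its encaps/decaps counters must increase while the client sends traffic.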
09-17-2010 09:28 AM
Hi,
This link should help you with this:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
More specifically, please refer to the section Add a Remote Access VPN to the Configuration.
Hope this helps!!
Regards,
Prapanch
09-17-2010 09:40 AM
Thank you both, the doc got me around third and into home!