Cisco Support Community

New Member

L2L to allow all inside hosts to access remote hosted application.

We have outsourced our HR application to the vendor to host at their data center. Configuring the tunnel and restricting access is not a problem. What is the best way to allow over 1,500 internal hosts on over 100 different subnets through the VPN tunnel to the remote site using an ASA running v8.2 without adding too many lines to an already large configuration?

3 REPLIES
Hall of Fame Super Blue

Re: L2L to allow all inside hosts to access remote hosted applic

David

There's no easy answer to this. Are your 100 subnets summarisable to any extent? If so you could certainly cut the config down by summarising.

Alternatively you could use "permit ip any" in your crypto acl but that may be too open for you. Remember that you can use "permit ip any" in your crypto acl and then lock down access via an acl on the inside interface, but again without summarisable subnets that won't really help that much.

Jon

New Member

Re: L2L to allow all inside hosts to access remote hosted applic

I can summarize my internal hosts as 10.0.0.0/8 but the destination is 10.200.14.240/28. Because their network overlaps, I was thinking I could use PAT or NAT for my inside address with a config something like the following:

access-list Lawson_ACL extended permit ip any 10.200.14.240 255.255.255.240 !!remote hosting network

access-list NoNAT extended permit ip any 10.200.14.240 255.255.255.240

I'm just not sure how to do the NAT/PAT part, as I am used to the VPN3080 GUI. I do not like ASDM except for monitoring, and I am used to the PIX 6.3 CLI but never had a config like this.

New Member

Re: L2L to allow all inside hosts to access remote hosted applic

I can summarize using 10.0.0.0/9 and encompass all my internal IPs without overlapping theirs.
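To check the summarisation approach discussed in this thread before touching the ASA, here is an added Python example (not from the thread, nor Cisco's own tooling): it computes the smallest single prefix covering a set of inside subnets, flags whether that summary overlaps the remote 10.200.14.240/28 (the /8 problem from the second reply), and emits the ASA 8.2 `access-list ... extended permit ip` lines in the form used above. The inside subnets are constructed sample values.

```python
"""Added example (not from the thread): test whether a set of inside subnets
summarises into one prefix that can go in the ASA 8.2 crypto ACL without
overlapping the vendor's 10.200.14.240/28 network."""
import ipaddress

# Constructed sample inside subnets; the remote /28 is the one from the thread.
INSIDE_SUBNETS = ["10.1.0.0/24", "10.50.3.0/24", "10.127.255.0/24"]
REMOTE_NET = "10.200.14.240/28"


def smallest_supernet(nets):
    """Return the single shortest prefix that contains every subnet in nets."""
    parsed = [ipaddress.ip_network(n, strict=False) for n in nets]
    lo = min(n.network_address for n in parsed)
    hi = max(n.broadcast_address for n in parsed)
    candidate = ipaddress.ip_network(f"{lo}/32")
    # Widen the prefix of the lowest address until it also covers the highest.
    while hi not in candidate:
        candidate = candidate.supernet()
    return candidate


def summary_slack(nets):
    """Addresses the summary admits beyond the real subnets (the 'too open' caveat)."""
    parsed = [ipaddress.ip_network(n, strict=False) for n in nets]
    return smallest_supernet(nets).num_addresses - sum(n.num_addresses for n in parsed)


def plan_crypto_acl(nets, remote_net, name="Lawson_ACL"):
    """Return (summary, overlaps_remote, acl_lines).

    If the summary does not overlap the remote network, one ACL line covers
    everything; otherwise (the 10.0.0.0/8 case) fall back to one line per
    subnet, which is where NAT or a tighter summary would be needed instead.
    """
    remote = ipaddress.ip_network(remote_net)
    summary = smallest_supernet(nets)
    overlap = summary.overlaps(remote)
    sources = [summary] if not overlap else [ipaddress.ip_network(n, strict=False) for n in nets]
    lines = [
        f"access-list {name} extended permit ip {s.network_address} {s.netmask} "
        f"{remote.network_address} {remote.netmask}"
        for s in sources
    ]
    return summary, overlap, lines


if __name__ == "__main__":
    summary, overlap, lines = plan_crypto_acl(INSIDE_SUBNETS, REMOTE_NET)
    print(f"summary {summary}, overlaps remote: {overlap}, slack: {summary_slack(INSIDE_SUBNETS)}")
    print("\n".join(lines))
```

The slack figure is the number of addresses the summary admits that are not in any real inside subnet, which is what an inside-interface ACL would then need to restrict.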
