Cisco Support Community

New Member

Route between two VPNs

Hi All,

I have been endlessly searching around online, and trying things on the firewall, and can't seem to find an answer to this problem. It's probably something really simple right under my nose!

I am using an ASA 5510, which currently has a few separate site-to-site VPN connections configured, which connect to other Cisco devices on clients' networks.

I work from home, so I also connect to our network using Remote Access VPN (AnyConnect) to connect to the network at the datacentre.

Just to be clear, here is my amazingly drawn network diagram:

      [[my house]]-------------- <anyconnect VPN>------------[[ASA 5510 / Datacentre]]-----------<site-to-site>-----------------[[Client network]]

The problem I am having is that I cannot connect directly from my house to the client network. I need to RDP into some server in the datacentre, and from there I can see the client's network.

Is there routing to be set up somewhere between VPNs? I've looked into the routing options on the firewall and can't seem to find anything that works.

I've searched for this and can't find answers, with some sources even saying it's impossible. Surely not?????

1 ACCEPTED SOLUTION

Re: Route between two VPNs

I put all your remote LAN segments into an object-group.

object-group network REMOTE-LANS
network-object 10.151.30.0 255.255.255.248
network-object 212.9.3.72 255.255.255.248
network-object 10.0.21.0 255.255.255.0
network-object 212.9.20.240 255.255.255.248

access-list outside_nat0 extended permit ip 10.0.20.0 255.255.255.0 object-group REMOTE-LANS
access-list outside_nat0 extended permit ip object-group REMOTE-LANS 10.0.20.0 255.255.255.0

same-security-traffic permit intra-interface

nat (outside) 0 access-list outside_nat0

Let me know the result.

thanks

7 REPLIES

Route between two VPNs

Yes, it is possible, and you are just missing no-nat on the outside interface.

Please post your config and I will advise the no-nat where it must go.

thanks

Rizwan Rafeek

New Member

Route between two VPNs

You will need to include the client network in your tunnel list, and configure 'same-security-traffic permit intra-interface'. Also, you will need to modify the site-to-site tunnel between the client network and the data center so that the addresses handed out to AnyConnect users are included in the encryption domain.

Matt
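The accepted solution and Matt's reply describe two conditions for hairpinning AnyConnect traffic into a site-to-site tunnel: every crypto-map (local, remote) pair must be NAT-exempted in both directions, and the AnyConnect pool must lie inside the local side of the site-to-site encryption domain. As an added example (not from any poster in this thread), this Python script checks both against a constructed config modelled on the lines posted above; the NAMES/GROUPS tables and the 10.0.50.0/24 pool used in the test are assumptions.

```python
import ipaddress
# Constructed sample modelled on the config shown in this thread; not the poster's full config.
NAMES = {"Gower-Private": "10.0.21.0"}
GROUPS = {
    "REMOTE-LANS": ["10.151.30.0 255.255.255.248", "212.9.3.72 255.255.255.248",
                    "10.0.21.0 255.255.255.0", "212.9.20.240 255.255.255.248"],
}
CRYPTO_ACLS = [  # local (datacentre) side first, remote (client) side second
    "access-list outside_1_cryptomap extended permit ip 10.0.20.0 255.255.255.0 212.9.20.240 255.255.255.248",
    "access-list outside_2_cryptomap_1 extended permit ip 10.0.20.0 255.255.255.0 Gower-Private 255.255.255.0",
]
NAT0_ACL = [
    "access-list outside_nat0 extended permit ip 10.0.20.0 255.255.255.0 object-group REMOTE-LANS",
    "access-list outside_nat0 extended permit ip object-group REMOTE-LANS 10.0.20.0 255.255.255.0",
]

def net(spec):
    """'ADDR MASK' or 'host ADDR' (ADDR may be a configured 'name') -> ip_network."""
    a, b = spec.split()
    if a == "host":
        a, b = b, "255.255.255.255"
    return ipaddress.ip_network(f"{NAMES.get(a, a)}/{b}", strict=False)

def expand(tok):
    """One ACL endpoint (two tokens) -> list of networks it covers."""
    if tok[0] == "object-group":
        return [net(e) for e in GROUPS[tok[1]]]
    return [net(" ".join(tok))]

def acl_pairs(lines):
    """(src, dst) network pairs from 'extended permit ip' ACL lines."""
    pairs = []
    for line in lines:
        t = line.split()
        i = t.index("ip") + 1
        pairs += [(s, d) for s in expand(t[i:i + 2]) for d in expand(t[i + 2:i + 4])]
    return pairs

def is_exempt(src, dst, nat0):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in nat0)

def missing_exemptions(crypto_lines, nat0_lines):
    """Crypto-map pairs with no nat0 match in BOTH directions (that traffic would be NATed)."""
    nat0 = acl_pairs(nat0_lines)
    return [(str(loc), str(rem)) for loc, rem in acl_pairs(crypto_lines)
            if not (is_exempt(loc, rem, nat0) and is_exempt(rem, loc, nat0))]

def pool_covered(pool, crypto_lines):
    """Is the AnyConnect pool inside the local side of every site-to-site crypto ACL?"""
    p = ipaddress.ip_network(pool)
    return all(p.subnet_of(local) for local, _ in acl_pairs(crypto_lines))
```

With the posted nat0 ACL in place, missing_exemptions() returns an empty list; with no nat0 ACL it lists both tunnels, which is the symptom described in the question.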

New Member

Route between two VPNs

Thanks, it's good to know it is possible after all.

I'll have to look at the 'same-security-traffic permit intra-interface' command.

The addresses handed out to the AnyConnect clients are in the same subnet / range as the datacentre private network (as there are only about 10 devices there, all on static private addresses), so if the client network already has our private network as part of the encryption domain, and the AnyConnect clients are on the same addresses, nothing is required in that respect?

New Member

Route between two VPNs

Hi Rizwan, I have attached the config to my first post, thanks.

Re: Route between two VPNs

name 10.0.21.0 Gower-Private
name 10.0.20.105 MAIL_APP_DNS

object-group network DM_INLINE_NETWORK_4
network-object host MAIL_APP_DNS
network-object host 10.0.20.110

object-group network DM_INLINE_NETWORK_3
network-object 10.151.30.0 255.255.255.248
network-object 212.9.3.72 255.255.255.248

access-list outside_1_cryptomap extended permit ip 10.0.20.0 255.255.255.0 212.9.20.240 255.255.255.248
access-list outside_2_cryptomap_1 extended permit ip 10.0.20.0 255.255.255.0 Gower-Private 255.255.255.0
access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3

Which remote LAN network segment are you having the issue with, that you cannot connect to while on the remote VPN client?

New Member

Route between two VPNs

Thank you very much!!! This worked a treat.
