12-03-2011 10:55 AM
Hi,
Trying to solve a network requirement that involves two VPNs.
Current Setup
Local Site:
ASA 5010 installed
Client to Gateway VPN allowing remote clients to access their network, here [Local Site], using Cisco VPN Client Software
Also a second VPN connecting the same local network with a Remote Site, using a Cisco Site to Site VPN connecting the two networks together.
Split Tunneling has been configured to allow local lan access to remote VPN Cisco VPN Clients when connected.
What I would like to achieve is the ability to allow Cisco VPN clients who have successfully connected to the Local Site, here, to also be able to access the Remote Site that is also connected here, using the Site to Site VPN connection.
E.G.
Let's say our Local Site is 10.20.30.0/24 and Cisco VPN clients can connect to this network using the Cisco VPN client and have Split Tunnelling to allow local LAN access.
Let's say a remote network 10.50.15.0/24, using a Cisco Site to Site VPN, can also connect to our Local Site 10.20.30.0/24.
I want to allow Cisco VPN clients that successfully connect via Cisco VPN client to 10.20.30.0/24 to be also able to access 10.50.15.0/25
I was thinking of adding 10.50.15.0/24 to the Split Tunnel Access List, will this work or is there a better way to achieve this?
Thank You
Paul Stainton
12-03-2011 03:26 PM
Hello Paul,
Probably both your site to site and remote VPNs are terminated on the same interface. By default the ASA doesn't allow a packet to leave the same interface on which it was originally received. To allow same-interface routing you need to enable it (sometimes called IPsec hairpinning):
same-security-traffic permit intra-interface
Also you should add the remote 10.50.15.0/25 network to the split tunnel list, and check the existing NAT rules, so traffic can properly pass between the client and the remote network.
http://iptechtalk.wordpress.com/2009/11/07/ipsec-hairpinning/
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
12-04-2011 03:12 PM
Hi Paul,
In order to allow the remote clients to access the L2L tunnel, you must first accomplish the following:
1. Add the client's network to the L2L tunnel's encryption domain.
2. Add the remote L2L's network to the split ACL of the VPN clients (in case splitting is configured).
3. Enable same-security-traffic permit intra-interface.
4. If you do not have any NAT rule translating / affecting the traffic on the Outside interface, then no NAT rules are required, since this traffic is not accessing a higher security level.
5. On the remote side make sure you have a NAT rule allowing traffic from the local network to the VPN pool, and update the encryption domain; it should be the same as the one on the remote location.
That should work for you, let us know how it goes.
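Putting the steps from the two replies above together, here is a constructed ASA configuration fragment (added as an illustration, not the poster's running config or Cisco's own example) for the local-site ASA. It uses the thread's networks, 10.20.30.0/24 (local LAN) and 10.50.15.0/24 (remote L2L LAN); everything else is an assumption: the VPN client pool 10.20.40.0/24, the interface names inside/outside, the ACL, group-policy, crypto-map and transform-set names, the peer address 203.0.113.10, and pre-8.3 (nat 0 style) syntax.

```text
! --- Step 3: allow hairpinning (traffic enters and leaves the outside interface)
same-security-traffic permit intra-interface

! --- Assumed remote-access client pool
ip local pool RA_POOL 10.20.40.1-10.20.40.254 mask 255.255.255.0

! --- Step 2: split-tunnel ACL now carries BOTH the local LAN and the remote L2L LAN
! Before: only the local LAN, so client traffic to 10.50.15.0/24 never entered the tunnel
!   access-list SPLIT_TUNNEL standard permit 10.20.30.0 255.255.255.0
! After:
access-list SPLIT_TUNNEL standard permit 10.20.30.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.50.15.0 255.255.255.0

group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! --- Step 1: L2L encryption domain includes the client pool as an extra source
access-list L2L_CRYPTO extended permit ip 10.20.30.0 255.255.255.0 10.50.15.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip 10.20.40.0 255.255.255.0 10.50.15.0 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! --- Step 4: NAT exemption for inside-originated traffic towards the pool and the remote LAN.
! Client-to-remote traffic never crosses inside, so no inside rule is needed for it; only if a
! dynamic NAT on outside would catch the pool would an equivalent nat (outside) 0 exemption apply.
access-list NO_NAT extended permit ip 10.20.30.0 255.255.255.0 10.50.15.0 255.255.255.0
access-list NO_NAT extended permit ip 10.20.30.0 255.255.255.0 10.20.40.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! --- Step 5 (remote-site ASA, mirror image): its crypto ACL must list the pool as a destination
!   access-list L2L_CRYPTO extended permit ip 10.50.15.0 255.255.255.0 10.20.30.0 255.255.255.0
!   access-list L2L_CRYPTO extended permit ip 10.50.15.0 255.255.255.0 10.20.40.0 255.255.255.0
! plus a matching NAT exemption from 10.50.15.0/24 to 10.20.40.0/24.
```

Two things worth checking once this is in place: the client's split-tunnel routes (the VPN client's route table should now show 10.50.15.0/24 via the tunnel), and `show crypto ipsec sa` on the local ASA, which should show a second SA pair for the 10.20.40.0/24 to 10.50.15.0/24 proxy identities once a client sends traffic. If the remote side's crypto ACL is not the mirror of the local one, the L2L tunnel negotiates for the LAN pair but fails for the pool pair, which is the usual symptom of skipping step 5.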
12-06-2011 01:13 AM
Hello Paul, hope you are doing fine! Have you got the response, or are you still looking for a further response? Please mark this as answered and also rate the discussion in case your query is resolved. Appreciate your time. Regards, Ankur, Community Manager: Security and VPN