Second Network on VPN Split Tunnel

paul.stainton
Level 1

Hi,

Trying to solve a network requirement that involves two VPNs.

Current Setup

Local Site:

ASA 5010 installed

Client-to-Gateway VPN allowing remote clients to access their network, here [Local Site], using Cisco VPN Client software.

Also a second VPN connecting the same local network with a Remote Site, using a Cisco Site-to-Site VPN to connect the two networks together.

Split Tunneling has been configured to allow local LAN access to remote Cisco VPN Clients when connected.

What I would like to achieve is the ability to allow Cisco VPN clients who have successfully connected to the Local Site, here, to also be able to access the Remote Site that is also connected here, using the Site-to-Site VPN connection.

E.G. 

Let's say our Local Site is 10.20.30.0/24 and Cisco VPN clients can connect to this network using the Cisco VPN client and have Split Tunnelling to allow local LAN access.

Let's say a remote network 10.50.15.0/24, using a Cisco Site-to-Site VPN, can also connect to our Local Site 10.20.30.0/24.

I want to allow Cisco VPN clients that successfully connect via Cisco VPN client to 10.20.30.0/24 to be also able to access 10.50.15.0/25

I was thinking of adding 10.50.15.0/24 to the Split Tunnel Access List; will this work, or is there a better way to achieve this?

Thank You

Paul Stainton

3 Replies

GiorgiChubko
Level 1

Hello Paul,

Probably both your site-to-site and remote-access VPNs are terminated on the same interface. By default the ASA doesn't allow a packet to leave the same interface on which it was originally received. To allow same-interface routing you need to enable it (sometimes called IPsec hairpinning):

same-security-traffic permit intra-interface

Also you should add the remote 10.50.15.0/25 network to the split tunnel list, and check the existing NAT rules, so traffic can properly pass between the client and the remote network.

http://iptechtalk.wordpress.com/2009/11/07/ipsec-hairpinning/

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Hi Paul,

In order to allow the remote clients to access the L2L tunnel, you must first accomplish the following:

1. Add the clients' network to the L2L tunnel's encryption domain.

2. Add the remote L2L network to the split ACL of the VPN clients (in case split tunneling is configured).

3. Enable same-security-traffic permit intra-interface.

4. If you do not have any NAT rule translating / affecting the traffic on the Outside interface, then any NAT rules are required since this traffic is not accessing a higher security level.

5. On the remote side, make sure you have a NAT rule allowing traffic from the local network to the VPN pool, and then update the encryption domain; it should be the same as the one on the remote location.

That should work for you, let us know how it goes.
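The two replies above describe the same procedure (hairpinning, the crypto ACL, the split-tunnel list and NAT exemption). The ASA configuration below is an added example written for this page; it is not from either reply and not the poster's running config. It assumes the addresses from the question (local LAN 10.20.30.0/24, partner LAN 10.50.15.0/24), plus a remote-access address pool of 10.99.99.0/24, an L2L peer of 203.0.113.2, ASA 8.3+ object-based NAT syntax, and the object, ACL, crypto-map and group-policy names shown; all of those names and the pool/peer addresses are placeholders to be replaced with the existing ones.

```cisco
! Added example, not the thread's own config. Addresses and names are assumptions:
!   inside LAN      10.20.30.0/24  (from the question)
!   partner LAN     10.50.15.0/24  (from the question, reached over the L2L tunnel)
!   RA client pool  10.99.99.0/24  (assumed)
!   L2L peer        203.0.113.2    (assumed, documentation address)

! --- 1. Let decrypted client traffic re-enter the outside interface (hairpinning)
same-security-traffic permit intra-interface

! --- 2. Objects used by the crypto ACL and NAT exemptions
object network LOCAL_LAN
 subnet 10.20.30.0 255.255.255.0
object network VPN_POOL
 subnet 10.99.99.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.50.15.0 255.255.255.0

! --- 3. L2L encryption domain: existing inside LAN entry plus the RA client pool.
!        The partner side must mirror both lines with source/destination swapped.
access-list L2L_CRYPTO extended permit ip 10.20.30.0 255.255.255.0 10.50.15.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip 10.99.99.0 255.255.255.0 10.50.15.0 255.255.255.0
! OUTSIDE_MAP sequence 10 is assumed to be the existing L2L crypto map entry
! (peer, transform set and interface binding are already configured there).
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO

! --- 4. Split-tunnel list for the RA clients: local LAN plus the partner LAN.
!        A standard ACL is what split-tunnel-network-list expects.
access-list SPLIT_TUNNEL standard permit 10.20.30.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.50.15.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! --- 5. NAT exemption (8.3+ syntax). The pool-to-partner leg goes outside->outside
!        because the client traffic arrives and leaves on the outside interface.
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
nat (outside,outside) source static VPN_POOL VPN_POOL destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! Pre-8.3 equivalent of step 5 (identity NAT via an exemption ACL):
!   access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.50.15.0 255.255.255.0
!   access-list NONAT extended permit ip 10.99.99.0 255.255.255.0 10.50.15.0 255.255.255.0
!   nat (inside) 0 access-list NONAT
!   nat (outside) 0 access-list NONAT

! --- 6. Partner-side (remote ASA) changes, for reference:
!   access-list L2L_CRYPTO extended permit ip 10.50.15.0 255.255.255.0 10.99.99.0 255.255.255.0
!   plus the matching NAT exemption for 10.50.15.0/24 -> 10.99.99.0/24
```

After applying it, have a client connect and send traffic to a host in 10.50.15.0/24, then check `show crypto ipsec sa peer 203.0.113.2`: a second pair of SAs for 10.99.99.0/24 <-> 10.50.15.0/24 should appear with non-zero encaps/decaps counters, and `show run same-security-traffic` should list the intra-interface permit. Note that the split-tunnel entry only tells the client which destinations to send into the tunnel; whether the ASA forwards them is decided by the crypto ACL and NAT, and every user in RA_POLICY gains reachability into the partner network, so restrict it with a separate group-policy or a `vpn-filter` ACL if only some clients should have that access.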

Hello Paul, hope you must be doing fine! Have you got the response, or are you still looking for a further response? Please mark this as answered and also rate the discussion in case your query is resolved. Appreciate your time.

Regards,
Ankur
Community Manager: Security and VPN