Trying to solve a network requirement that involves two VPNs
ASA 5010 installed
Client to Gateway VPN allowing remote clients to access their network, here [Local Site], using Cisco VPN Client Software
Also a second VPN connecting the same local network with a Remote Site, using Cisco Site to Site VPN to connect the two networks together.
Split Tunneling has been configured to allow local LAN access to remote Cisco VPN Clients when connected.
What I would like to achieve is the ability to allow Cisco VPN clients who have successfully connected to the Local Site, here, to also be able to access the Remote Site that is also connected here, using the Site to Site VPN connection.
Let's say our Local Site is 10.20.30.0/24 and Cisco VPN clients can connect to this network using the Cisco VPN client and have Split Tunnelling to allow local LAN access.
Let's say a remote network 10.50.15.0/24, using a Cisco Site to Site VPN, can also connect to our Local Site 10.20.30.0/24.
I want to allow Cisco VPN clients that successfully connect via the Cisco VPN client to 10.20.30.0/24 to also be able to access 10.50.15.0/25
I was thinking of adding 10.50.15.0/24 to the Split Tunnel Access List; will this work or is there a better way to achieve this?
Probably both your site to site and remote VPNs are terminated on the same interface. By default the ASA doesn't allow a packet to leave the same interface on which it was originally received. To allow same-interface routing you need to enable it (sometimes called IPSec hairpinning):
same-security-traffic permit intra-interface
Also you should add the remote 10.50.15.0/25 network to the split tunnel list, and check the existing NAT rules, so traffic can properly pass between the client and the remote network.
4. If you do not have any NAT rule translating / affecting the traffic on the Outside interface then any NAT rules are required since this traffic is not accessing a higher security level.
5. On the remote side make sure you have a NAT rule allowing traffic from the local network to the VPN pool, and then update the encryption domain; it should be the same as the one on the remote location.
That should work for you, let us know how it goes.
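The pieces the replies above describe (hairpinning, the extended split-tunnel list, NAT exemption and the widened encryption domain), pulled together as an added ASA 8.3+ configuration example that is not from either poster. The VPN pool 192.168.99.0/24, the interface names inside/outside, and all object, ACL, policy and crypto map names are assumptions made for this example.

```cisco
! Constructed objects; LOCAL_NET and REMOTE_NET come from the thread, VPN_POOL is assumed
object network LOCAL_NET
 subnet 10.20.30.0 255.255.255.0
object network REMOTE_NET
 subnet 10.50.15.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.99.0 255.255.255.0
ip local pool RA_POOL 192.168.99.10-192.168.99.250 mask 255.255.255.0
!
! Hairpinning: decrypted remote-access traffic may re-enter the outside interface for the L2L tunnel
same-security-traffic permit intra-interface
!
! Split tunnel: the local LAN plus the remote site behind the site-to-site tunnel
access-list SPLIT_TUNNEL standard permit 10.20.30.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.50.15.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Identity (exemption) NAT so pool-to-remote traffic is not translated on the outside interface
nat (outside,outside) source static VPN_POOL VPN_POOL destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup
nat (inside,outside) source static LOCAL_NET LOCAL_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup
!
! Encryption domain of the L2L tunnel must include the pool; the remote ASA needs the mirror image
access-list L2L_CRYPTO extended permit ip object LOCAL_NET object REMOTE_NET
access-list L2L_CRYPTO extended permit ip object VPN_POOL object REMOTE_NET
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
```

Check the result with `show nat` and with `packet-tracer input outside icmp 192.168.99.10 8 0 10.50.15.1`, which should show the flow matching the identity NAT rule and the VPN phase rather than being dropped on the outside interface.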
Hello Paul, hope you must be doing fine! Have you got the response or are you still looking for a further response? Please mark this as answered and also rate the discussion in case your query is resolved. Appreciate your time. Regards, Ankur Community Manager: Security and VPN