Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Second Network on VPN Split Tunnel

Hi,

Trying to solve a network requirement that involves two VPN's

Current Setup

Local Site:

ASA 5010 installed

Client to Gateway VPN allowing remote clients to access their network, here [Local Site], using Cisco VPN Client Software

Also second VPN connecting the same local network, with a Remote Site using Cisco Site to Site VPN connecting two the networks together.

Split Tunneling has been configured to allow local lan access to remote VPN Cisco VPN Clients when connected.

What I would like to acheive is the ability to allow Cisco VPN clients who have successfully connected to the Local Site, here, also be able to access  the Remote Site that is also connected here, using the Site to Site VPN connection.

E.G. 

Let say, our Local Site is 10.20.30.0/24 and Cisco VPN clients can connect to this network using Cisco VPN client and have Split Tunnelling to allow local Lan Access.

Lets say, a remote network 10.50.15.0/24, using a Cisco Site to Site VPN can also connect to our Local Site 10.20.30.0/24.

I want to allow Cisco VPN clients that successfully connect via Cisco VPN client to 10.20.30.0/24 to be also able to access 10.50.15.0/25

I was thinking of adding 10.50.15.0/24 to the Split Tunnel Access List,  will this work or is there a better way to achieve this?

Thank You

Paul Stainton

Everyone's tags (4)
3 REPLIES
New Member

Re: Second Network on VPN Split Tunnel

Hello Paul,

Probably both your site to site and remote vpns are terminated on the same interface. By default ASA don’t allow packet to leave the same interface on which it was originally received. To allow same interface routing you need to enable  it. ( Sometimes called IPSec Hairpinning.)

same-security-traffic permit intra-interface

Also you should add remote 10.50.15.0/25 network to split tunnel  list, and check existing nat rules, so traffic can properly pass between client and remote network.

http://iptechtalk.wordpress.com/2009/11/07/ipsec-hairpinning/

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Re: Second Network on VPN Split Tunnel

Hi Paul,

In order to allow the remote clients to access the L2L tunnel, you must first accomplish the following:

1. Add the client´s network to the L2L tunnel´s encryption domain.

2. Add the remote L2L´s network to the split ACL of the VPN clients (in case splitting is configured).

3. Enable same-security-traffic permit intra-interface

4. If you do not have any NAT rule translating / affecting the traffic on the Outside interface then any NAT rules are required since this traffic is not accesing a higher security level.

5. On the remote side make sure you have a NAT rule allowing traffic from the local network to the VPN pool and the update the encryption domain, it should be the same as the one on the remote location.

That should work for you, let us know how it goes.

Silver

Second Network on VPN Split Tunnel

Hello Paul,  hope you must be doing fine!  have you got the response or you still looking for further response.   Please mark this as answered  and also rate the discussion incase your query is resolved.  Appreciate your time.  Regards,  Ankur   Community Manager: Security and VPN

952
Views
0
Helpful
3
Replies