
New Member

Site to Site and customer VPN connection

I have configured a site-to-site VPN connection between two of my offices and also have a customer VPN connection from one of my office locations.

Site A --> Site B --> Inter office VPN

Site B --> Customer Site --> VPN connection

I want to configure Site A to connect to the customer site's servers via Site B.

For the Site B to customer site VPN connection I have configured only outbound connections; the customer cannot connect to our LAN, i.e. all our traffic goes out with a NAT address to connect to the customer servers.

I have tried some configurations but I cannot connect to the customer servers from Site A.

I would appreciate it if anyone could help with this issue.

Thanks,

Chandru

6 REPLIES
New Member

Re: Site to Site and customer VPN connection

Do you have a Cisco PIX, ASA or an IOS router?

With the PIX I don't think it's possible; it cannot route traffic that terminates on the same interface.

For the ASA I think it's possible; I actually logged in here to ask a similar question.

New Member

Re: Site to Site and customer VPN connection

I have a Cisco ASA and tried configuring it, but no luck.

New Member

Re: Site to Site and customer VPN connection

Have you tried this?

To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.

All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse the security appliance.

Examples: The following example shows how to enable same-security interface communication:

hostname(config)# same-security-traffic permit inter-interface

The following example shows how to enable traffic to enter and exit the same interface:

hostname(config)# same-security-traffic permit intra-interface

New Member

Re: Site to Site and customer VPN connection

I have already tried this.

I opened a TAC case and solved the issue.

New Member

Re: Site to Site and customer VPN connection

Ok! :)

New Member

Re: Site to Site and customer VPN connection

This is my scenario, but it should match your environment pretty well.

192.168.40.0/24 = Main office (Site B)

192.168.50.0/24 = VPN Client Pool (Site A)

192.168.0.0/25 = External office (Site Customer)

Configured the IPsec VPN client network (Site A) to reach the external office, which is an IPsec tunnel (Site Customer) terminating in the main office network (Site B):

access-list acl_split_vpnclient standard permit 192.168.0.0 255.255.255.0

Configured the ASA to route traffic in and out of the same interface:

same-security-traffic permit intra-interface

Configured the VPN client network (Site A) in the IPsec tunnel to (Site B):

access-list acl_vpn_malmo extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0

Configured the no-NAT rule for the VPN client:

access-list acl_nonat_inside extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0

Configured the IPsec tunnel at the external office (Site Customer) to the main office for the VPN client network:

access-list acl_nonat_inside extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list acl_vpn_sthlm extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

C:\>ping 192.168.0.54

Skickar signaler till 192.168.0.54 med 32 byte data:

Svar från 192.168.0.54: byte=32 tid=22ms TTL=128

Svar från 192.168.0.54: byte=32 tid=21ms TTL=128
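As an added example (not part of this thread, and not Cisco's tooling), a small Python check for the two conditions the last reply's hairpin setup depends on: the crypto ACL on the Site B ASA must be mirrored exactly on the customer ASA, and the hairpinned client pool must be exempt from NAT on Site B. The ACL names and the "working" configs are taken from the reply above; the "before" customer config is constructed to show what a missing mirror looks like.

```python
# Added example, not config from the thread: checks the two conditions the
# hairpin setup in the last reply depends on, using the ACL names it gives.
import ipaddress
import re

ACL_RE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

# Site B (hub) ASA lines as posted above; it terminates both tunnels.
SITE_B = """
same-security-traffic permit intra-interface
access-list acl_vpn_malmo extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list acl_nonat_inside extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
# Customer ASA lines as posted above: the exact mirror of Site B's crypto ACL.
CUSTOMER_OK = """
access-list acl_nonat_inside extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list acl_vpn_sthlm extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
"""
# Constructed 'before' state: the customer peer only knows Site B's LAN, not the client pool.
CUSTOMER_BEFORE = """
access-list acl_vpn_sthlm extended permit ip 192.168.0.0 255.255.255.0 192.168.40.0 255.255.255.0
"""

def parse_acls(config):
    """Map ACL name -> set of (src_net, dst_net) from ASA 'extended permit ip' lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, set()).add(pair)
    return acls

def unmirrored(local, remote):
    """Local crypto ACL entries that have no (dst, src) mirror on the remote peer."""
    return [e for e in local if (e[1], e[0]) not in remote]

def not_exempt(crypto, nonat):
    """Crypto ACL entries not covered by a NAT-exemption entry on the same ASA."""
    return [e for e in crypto
            if not any(e[0].subnet_of(n[0]) and e[1].subnet_of(n[1]) for n in nonat)]

def check(hub_cfg, peer_cfg, hub_acl, peer_acl, nonat="acl_nonat_inside"):
    """Report hairpin flag, unmirrored crypto entries and NAT-exemption gaps."""
    hub, peer = parse_acls(hub_cfg), parse_acls(peer_cfg)
    crypto = hub.get(hub_acl, set())
    return {"hairpin": "same-security-traffic permit intra-interface" in hub_cfg.splitlines(),
            "unmirrored": unmirrored(crypto, peer.get(peer_acl, set())),
            "not_exempt": not_exempt(crypto, hub.get(nonat, set()))}
```

Any entry reported under "unmirrored" is traffic the hub will try to encrypt but the peer will reject as not matching its crypto ACL, which is the usual reason a hairpinned client pool cannot reach the far site even though the hub's own LAN can.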
