Can somebody guide me how to access the network behind other end of site to site vpn while vpn client connects to the ASA.
Presently site to site vpn is running between two ASA.
Remote vpn too has been created and is able to access the network behind this ASA i.e local network.
I somehow wanted to use this remote vpn pool to act as interseting traffic to access the remote network.
I've done this and all you need is to have the L2L and the remote VPN clients working and terminating on the ASA.
Then, include the pool in the interesting traffic for the L2L and the remote L2L subnet in the allowed VPN traffic for the VPN clients.
Enable the U-turn feature on the ASA.
This link will help you:
I want to setup the same. I am unable to open the link. Is it possible to send the file in the PDF format?
See if you can access the link:
If not, you can tell us which are the networks on all sides and the VPN client, so we can guide you with the commands.
Thanks very much for your prompt response and assistance. I was able to get the PDF file.
One question: in your previous reply, you said "I've done this and all you need is to have the L2L and the remote VPN clients working and terminating on the ASA". How can I tell if it is terminating on the ASA? Thanks.
To make sure if the VPN tunnel is terminating on the ASA, you check the tunnel with the command:
sh cry isa sa
Thanks for your prompt response. You are too fast!!! I typed that command and got the response "There are no isakmp sas". Does it mean the VPN tunnel is terminated at the ASA?"
What are the reasons not to terminate the VPN tunnel at the ASA? Thanks.
Are the VPN sites pointing to the public IP belonging to the ASA?
If so, when they try to establish the tunnel (by sending traffic), the tunnel should come up and you should see the tunnel active with the command
''sh cry isa sa''
If there are no isakmp sas, there are two possibilities:
1. If the tunnel is up, it means the tunnels are terminating on another device (not the ASA). You will need to see if there's another VPN device.
2. The tunnel is not establishing at all.
I apologize for confusing you. Please ignore my previous question. I have not setup Site-to-Site VPN. I am running remote VPN client (IPSEC VPN client). What command can I use to see if the VPN tunnel is terminating at the ASA?
Thanks for your prompt response, again. I just logged in to VPN client. Then, I type "sh cry isa sa" at the ASA and the following is displayed.
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 184.108.40.206
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Does it mean the VPN tunnel is terminated at the ASA? What would I see if the VPN tunnel is not terminated at the ASA? Thanks.
This means the tunnel is in fact being terminated on the ASA.
If you want to check the traffic passing thru the ASA, you do ''sh cry ips sa''
You should see packets encap/decap
If the tunnel was not terminating on the ASA, you won't get any output on the ''sh cry isa sa''
Thank you very much for your prompt response and information. Yes, I do see traffic with the command "sh cry ips sa". Do most people setup to terminate at the ASA? Can you think of any reasons not to setup to terminate at the ASA?
The ASA is the recommended termination point for VPN connections.
The only reasons not to terminate the VPN on the ASA, is because you need the connection to terminate on a different IP on a different device for admin purposes for example or routing issues. It all depends on your topology. But in short, if you can terminate the VPNs on the ASA and access the resources via the ASA, there's no reason why not terminate the VPNs on the ASA.
Thanks very much for taking time to respond to my questions promptly, Federico. I greatly appreciate your assistance.