Cisco Support Community
New Member

VPN Site-Site issue


I have 2 site-site VPN connections to my ASA 5510 version 8.0(4).

However, now I wish to have connectivity between both remote sites.

How can I proceed with it?

New Member

Re: VPN Site-Site issue

You need to configure the following command.

same-security-traffic permit intra-interface

This will allow communications between your VPNs; however, you will need to amend any VPN ACLs (used in crypto map) to permit traffic between the respective peer networks.


Cisco Employee

Re: VPN Site-Site issue

Let's say you have router A, B, and C. You already have a tunnel between A<=>B and a tunnel between A<=>C. You now want traffic between B<=>C. You can either....

1. Send the traffic between B and C through A. This would mean adding "same-security-traffic permit intra-interface" on A so that the traffic that comes in the outside interface of A can also leave out the outside interface of A since it will need to be redirected. And you should adjust the crypto maps on all 3 devices:

-On A, permit B-->C and C-->B

-On B, permit B-->C

-On C, permit C-->B


2. Just define the crypto on B and C (and don't send it through A)

-On B, permit B-->C

-On C, permit C-->B
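Option 1 above written out for the hub, as an added example that is not part of the original replies or the poster's configuration. The ACL names, the crypto map name and all three LAN subnets are constructed placeholders, and the syntax is ASA 8.0-style to match the ASA 5510 in the question.

```cisco
! Hub A (ASA). Constructed placeholder networks:
!   A LAN 10.1.0.0/24, B LAN 10.2.0.0/24, C LAN 10.3.0.0/24
!
! Let traffic that arrives on the outside interface leave by the same interface
same-security-traffic permit intra-interface
!
! Crypto ACL bound to the A<=>B tunnel.
! Line 1 is the existing A->B selector; line 2 is the new C->B selector,
! because traffic from C is re-encrypted by A toward B.
access-list CRYPTO_TO_B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list CRYPTO_TO_B extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! Crypto ACL bound to the A<=>C tunnel.
! Line 1 is the existing A->C selector; line 2 is the new B->C selector.
access-list CRYPTO_TO_C extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list CRYPTO_TO_C extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
!
! Existing crypto map entries keep pointing at the same ACLs
crypto map OUTSIDE_MAP 10 match address CRYPTO_TO_B
crypto map OUTSIDE_MAP 20 match address CRYPTO_TO_C
!
! The remote ends must carry the exact mirror of the new lines:
!   on B, in the ACL for the tunnel to A: source 10.2.0.0/24, destination 10.3.0.0/24
!   on C, in the ACL for the tunnel to A: source 10.3.0.0/24, destination 10.2.0.0/24
! A selector present on one end without its mirror on the other end
! fails phase 2 negotiation for that pair of networks.
```

Once traffic flows between B and C, `show crypto ipsec sa` on A lists the local and remote identities of each SA, so the new B/C selectors should appear under both peers.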


New Member

Re: VPN Site-Site issue

Thanks for the reply.

However, after adding those and trying to re-establish the VPN link, it still doesn't work.

Do you know if there's anything else I missed out?

1) A (ASA) - added the crypto to allow B -> C and C -> B, and the same-security-traffic permit intra-interface command

2) On the router of B - added an additional access-list for the C network

3) On the router of C - added an additional access-list for the B network

New Member

Re: VPN Site-Site issue

Without seeing your configuration it is difficult to work out the issue. If you use NAT/PAT on your B and C firewalls, then you may need to update NAT-exemption policies for the relevant networks. If you still need further help, can you cut and paste the relevant parts of your configuration, specifically the crypto maps, NAT policies and associated ACLs for each firewall?
