08-10-2009 06:45 AM - edited 02-21-2020 03:37 AM
I have two 5505 ASAs connecting back to a central 5520 ASA via the Easy VPN Remote option. Each of the 5505s is on its own network. How do I get network connectivity between the two remote sites? Thanks in advance.
08-10-2009 09:23 AM
Hi,
You can accomplish connectivity to both remote sites via the central 5520 ASA simply by tailoring your nonat exempt rules pertaining to your L2L ASA tunnels at both spoke ASAs and adding same-security-traffic permit intra-interface at the central ASA 5520.
Here is an example that depicts your scenario.
You may also reference this thread
Regards
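A configuration sketch of the hub-and-spoke setup described in the answer above, for the static L2L case; it is an added example, not configuration from the thread or from Cisco, and it also shows the matching crypto ACL entries that spoke-to-spoke traffic needs. It assumes pre-8.3 ASA NAT syntax and constructed values: hub LAN 10.0.0.0/24, spoke A LAN 192.168.10.0/24, spoke B LAN 192.168.20.0/24, and hypothetical ACL and crypto map names.

```cisco
! Added example: constructed addresses, hypothetical ACL / crypto map names.
! Pre-8.3 NAT syntax (nat 0 access-list). Peer, transform-set and
! tunnel-group settings of the existing tunnels are assumed to be in place.
!
! ----- Hub ASA 5520 (LAN 10.0.0.0/24) -----
! Allow traffic that arrives on the outside interface from one tunnel
! to leave through the same interface into the other tunnel.
same-security-traffic permit intra-interface
!
! Crypto ACL toward spoke A: hub LAN plus spoke B's LAN.
access-list to-spokeA extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list to-spokeA extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map outside_map 10 match address to-spokeA
!
! Crypto ACL toward spoke B: hub LAN plus spoke A's LAN.
access-list to-spokeB extended permit ip 10.0.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list to-spokeB extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map outside_map 20 match address to-spokeB
!
! ----- Spoke A ASA 5505 (LAN 192.168.10.0/24) -----
! Exempt traffic to the hub LAN and to spoke B's LAN from NAT.
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
! Send both destinations into the tunnel to the hub.
access-list to-hub extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list to-hub extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map outside_map 10 match address to-hub
!
! ----- Spoke B ASA 5505 (LAN 192.168.20.0/24) -----
! Mirror of spoke A with the two spoke networks swapped.
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list to-hub extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list to-hub extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map outside_map 10 match address to-hub
```

Each crypto ACL on the hub must be the exact mirror of the one on the corresponding spoke, otherwise the IPsec security associations for the spoke-to-spoke networks will not be established.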
08-12-2009 11:19 AM
Does this also apply to remote access VPN tunnels vs. an L2L (site-to-site) tunnel? The remote site's public address is dynamically assigned...
08-12-2009 01:32 PM
Yes, it also applies to remote access VPN tunnels.
You should note, however, that if a spoke site is dynamic towards the hub ASA 5520, obviously that dynamic spoke must bring the tunnel up first in order for the other spokes to have access among themselves via the hub, including the spoke with the dynamically assigned public address.
Regards