
Remote Access VPN through a Tunnel

Hi Guys,

I have a site to site VPN between SiteA to SiteB which is working fine. SiteA has an ASA5520 and SiteB Pix501. The ASA5520 is running version 804 with split tunneling. Users connect to SiteA using remote access VPN. Is it possible to set up SiteA ASA5520 so that when users connect to SiteA they can access servers located on SiteB through the tunnel? I know I can set up the Pix501 for remote access VPN but it is located in another country and I don't want to take a chance just in case I lose connectivity. Any help will be greatly appreciated.

Thanks,

Lake

Jennifer Halim
Cisco Employee

Yes you can, here is all the config that you would need:

On ASA 5520:

1) Split tunnel ACL needs to include Site B LAN.

2) Configure: "same-security-traffic permit intra-interface"

3) Crypto ACL for the site-to-site VPN should include:

access-list permit ip

On PIX501:

1) Crypto ACL for the site-to-site VPN should include:

access-list permit ip

2) NAT exemption ACL should include:

access-list permit ip    

Hope this helps.
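
The steps in the reply above, written out as an added example that is not part of the original thread or the reply author's own configuration. The addresses in the thread's access-list lines did not survive, so every subnet, ACL name and group-policy name below is a constructed assumption, as is the pairing of the remote access pool with the Site B LAN in the new entries.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   Site A LAN            10.1.0.0/24
!   Site B LAN            10.2.0.0/24
!   Remote access pool    10.99.0.0/24
! ACL and group-policy names are hypothetical; use the names already
! bound to the existing crypto map and tunnel group.

! ---------- Site A: ASA 5520 ----------
! 1) Split tunnel list pushed to remote access clients must cover the
!    Site B LAN, otherwise clients never send that traffic into the VPN.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 2) Client traffic arrives on the outside interface and leaves on the
!    same interface towards Site B, which the ASA drops by default.
same-security-traffic permit intra-interface

! 3) Crypto ACL for the site-to-site tunnel: keep the LAN-to-LAN entry
!    and add the remote access pool as a source towards Site B.
access-list CRYPTO_TO_B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list CRYPTO_TO_B extended permit ip 10.99.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! ---------- Site B: PIX 501 ----------
! 1) Crypto ACL must be the exact mirror image of the Site A entries.
access-list CRYPTO_TO_A permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list CRYPTO_TO_A permit ip 10.2.0.0 255.255.255.0 10.99.0.0 255.255.255.0

! 2) NAT exemption so replies to the pool are not translated before
!    they are matched against the crypto ACL.
access-list NONAT permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NONAT permit ip 10.2.0.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

Keep the new crypto ACL entries as narrow as the access actually required: every network listed there becomes reachable from every remote access user unless a VPN filter or interface ACL restricts it further.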

Hi Jennifer,

I will try that.

Thanks,

Lake

Hi Jennifer,

It worked like a charm.

Thank you very much.

Regards,

Lake

Excellent, thanks for the update and ratings.

Hi Guys,

I know this problem has been solved but I really need some help with a similar setup but still different and I am not sure if I should start another discussion?

It is now understood that SiteA and SiteB have a tunnel which is working fine. SiteA is the hub for all the remote locations. Also, SiteC and SiteD are connected to SiteA via tunnel which is working fine. Now I need SiteC to connect to a server in SiteD? I think it would be easier for SiteC to go through SiteA in order to get to SiteD so users from SiteC can have one connection and choose to connect to a server in SiteA or SiteD?

Should I just create the above access list in SiteC and SiteD because SiteA configuration should be fine? If not please advise?

Thanks,

Lake

If you require access from Site C to Site D and vice versa, and with the current deployment of Site A being the HUB, here is what is required:

Site A:

- Crypto ACL towards Site C should include:

access-list permit ip

- Crypto ACL towards Site D should include:

access-list permit ip

Site C:

- Crypto ACL towards Site A should include:

access-list permit ip

Site D:

- Crypto ACL towards Site A should include:

access-list permit ip

Hope this helps.

Thank you very much Jennifer.

Regards,

Lake
