
Cisco VPN client + site to site VPN

David Sanjuan
Level 1

Hello all,

I have two ASA5505 with a site to site VPN.

One of the ASA is connected to the internal network 192.168.150.0.

The other one is connected to 192.168.151.0.

I have also configured IPSec Cisco client VPN to the one which is plugged to 192.168.150.0.

I would like to know if it is possible for a client connected with the Cisco VPN to access the network 192.168.151.0 through the site to site VPN.

Thanks!


3 Replies

Jouni Forss
VIP Alumni

Hi,

There should be no problem with this setup.

Naturally it would be easier to tell what you specifically require to make this happen.

Below I will presume that you are using ASA software 8.2 or below and you have "inside" and "outside" interfaces on the ASAs.

MAIN SITE

First you will need to determine how your VPN Client connection is configured. Are you using Full Tunnel or Split Tunnel. If you are using Full Tunnel then no changes related to the Client VPN is needed. If you are using Split Tunnel then you will need to add the remote site network to the Split Tunnel ACL.

Next you will have to make sure you have the following configuration

same-security-traffic permit intra-interface

On the site with the VPN Client connection. This configuration will allow the VPN Client connection coming from the "outside" interface to head back out to the "outside" interface where the remote site is located (through the L2L VPN of course).

Next you will have to make a NAT0 rule that is configured on your "outside" interface at the VPN Client site

access-list OUTSIDE-NAT0 remark NAT0 for VPN Client pool (x.x.x.x y.y.y.y) to Remote Site

access-list OUTSIDE-NAT0 permit ip x.x.x.x y.y.y.y 192.168.151.0 255.255.255.0

nat (outside) 0 access-list OUTSIDE-NAT0

Next you will naturally need to make sure that the existing L2L VPN can accommodate the VPN Client traffic. So what you will need is to configure additions to the existing crypto ACL on the VPN Client site (I presume an ACL name, and x.x.x.x y.y.y.y stands for the VPN Pool network)

access-list L2LVPN permit ip x.x.x.x y.y.y.y 192.168.151.0 255.255.255.0

REMOTE SITE

And finally on the remote site you will have to both configure NAT0 and the Crypto ACL to include the VPN Client pool network (again presuming ACL names which are most likely different in your case)

access-list INSIDE-NAT0 remark NAT0 for local LAN to remote site VPN Pool (x.x.x.x y.y.y.y)

access-list INSIDE-NAT0 permit ip 192.168.151.0 255.255.255.0 x.x.x.x y.y.y.y

nat (inside) 0 access-list INSIDE-NAT0

You will of course just need to add the NAT0 ACL rule to your already existing NAT0 configuration ACL that is used for the L2L VPN currently.

Same thing with the L2L VPN ACL. You add an ACL rule to the existing ACL

access-list L2LVPN permit ip 192.168.151.0 255.255.255.0 x.x.x.x y.y.y.y

And that should be about it.

Please remember to mark the reply as the correct answer if it answered your question. Or ask more if this didn't yet answer your question.

Hope this helps

- Jouni

Dear Jouni,

Thanks for your fast response. I use ASA 9.x on both ASAs.

On the main site, VPN connection is configured with split tunnel.

Also, the VPN pool is in the range of the subnet, does it cause a problem?

Yes, my interfaces are named inside and outside.

David.

Hi,

If you mean that the VPN Pool IP addresses are something like 192.168.150.x then I would suggest using some totally different network than the ones used on the LAN networks.

The software level 9.1 basically causes changes to how the NAT0 configurations are done.

MAIN SITE

object network VPN-POOL

subnet x.x.x.x y.y.y.y

object network REMOTE-LAN

subnet 192.168.151.0 255.255.255.0

nat (outside,outside) source static VPN-POOL VPN-POOL destination static REMOTE-LAN REMOTE-LAN

REMOTE SITE

object network VPN-POOL

subnet x.x.x.x y.y.y.y

object network LAN

subnet 192.168.151.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

Otherwise I would imagine that the same kind of configurations as above apply. You need the "same-security-traffic" command to enable the "outside" to "outside" traffic. You will have to make sure that the Split Tunnel ACL contains the remote site network. And naturally you will have to make sure that the crypto ACLs define/include the traffic between the VPN Pool and the 192.168.151.0/24 network on both sides' ASAs.

- Jouni
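As an added worked example (not Jouni's, David's or Cisco's own configuration), here is what both ASAs look like on 9.x once the advice in Jouni's two replies is applied together: hairpin permission, identity NAT in the object-based syntax used on 8.3 and later, split-tunnel and crypto ACL additions on both sides. Every name and address that the thread does not give is an assumption: the client pool is 10.200.0.0/24 (deliberately outside both LANs, as the accepted answer recommends), the existing L2L crypto ACL is L2LVPN, the remote-access tunnel-group is RA-VPN with group policy RA-GP, and the split-tunnel ACL is SPLIT-TUNNEL.

```cisco
! ================= MAIN SITE (ASA 9.x, 192.168.150.0/24, hosts the IPsec client VPN) =================
! Assumed names/addresses (not from the thread): pool 10.200.0.0/24, tunnel-group RA-VPN,
! group policy RA-GP, split-tunnel ACL SPLIT-TUNNEL, L2L crypto ACL L2LVPN.

! 1. Client traffic is decrypted on "outside" and must leave via "outside" again (the L2L tunnel).
same-security-traffic permit intra-interface

! 2. Address objects. The pool must not overlap 192.168.150.0/24 or 192.168.151.0/24.
object network VPN-POOL
 subnet 10.200.0.0 255.255.255.0
object network LOCAL-LAN
 subnet 192.168.150.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.151.0 255.255.255.0
ip local pool RA-POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0

! 3. Identity (NAT-exempt) rules. Manual NAT is evaluated before the object PAT that
!    normally translates outbound traffic, so these win for VPN-bound flows.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
! Hairpin: client pool -> remote LAN enters on "outside" and leaves on "outside".
nat (outside,outside) source static VPN-POOL VPN-POOL destination static REMOTE-LAN REMOTE-LAN

! 4. Split tunnel must list BOTH LANs, otherwise the client never sends 192.168.151.x into the tunnel.
access-list SPLIT-TUNNEL standard permit 192.168.150.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.151.0 255.255.255.0
group-policy RA-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP

! 5. L2L crypto ACL: the existing LAN<->LAN line plus the client pool as a second local network.
access-list L2LVPN extended permit ip 192.168.150.0 255.255.255.0 192.168.151.0 255.255.255.0
access-list L2LVPN extended permit ip 10.200.0.0 255.255.255.0 192.168.151.0 255.255.255.0

! ================= REMOTE SITE (ASA 9.x, 192.168.151.0/24) =================
object network VPN-POOL
 subnet 10.200.0.0 255.255.255.0
object network LAN
 subnet 192.168.151.0 255.255.255.0
object network MAIN-LAN
 subnet 192.168.150.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static MAIN-LAN MAIN-LAN no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! Mirror image of the main site's crypto ACL (local network first, then the far side).
access-list L2LVPN extended permit ip 192.168.151.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list L2LVPN extended permit ip 192.168.151.0 255.255.255.0 10.200.0.0 255.255.255.0

! ================= Verification (either side) =================
! Expect a hit count on the identity rule above and a second IPsec SA whose proxy IDs
! are 10.200.0.0/24 <-> 192.168.151.0/24 once a client pings a 192.168.151.x host.
show nat detail
show crypto ipsec sa
show vpn-sessiondb ra-ikev1-ipsec
```

Two checks worth doing before declaring it working: the pool must sit outside both LANs (a pool carved out of 192.168.150.0/24, as David's follow-up describes, collides with the identity NAT and the crypto ACLs and is the first thing to change), and the new crypto ACL lines have to be present on both ASAs with the networks mirrored, or phase 2 for that proxy-ID pair never comes up. If `sysopt connection permit-vpn` has been disabled, the interface ACL on "outside" must additionally permit 10.200.0.0/24 to 192.168.151.0/24, since the hairpinned traffic is subject to it. On 8.2 and earlier the same three things apply, with the `nat (outside) 0 access-list ...` / `nat (inside) 0 access-list ...` form from Jouni's first reply standing in for the `nat ... source static ... destination static ...` lines.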
