03-11-2010 12:10 PM - edited 02-21-2020 04:32 PM
I am creating a VPN network of 7 ASA5505 s. One device is the central or hub device.( Attachmnent Main5505)
All ASA5505 devices running ver 7.2(4)
there will be site to site tunnels to 6 other 5505 s across the internet.
Currently there are 4 of the 6 tunnels migrated over and working fine in this basic scenerio.
The local networks for the main 5505 are:
10.64.50.0 /24 and
10.64.51.0 /24
I have included the config of one of the remote ASA5505. (Remote5505)
This remote site has internal networks:
172.16.76.0 /24
172.16.77.0 /24
172.16.78.0 /24
172.16.79.0 /24
Currently traffic can be passed between 10.64.50 and 10.64.51 nets to the remote 172.16.76 - 79 nets across the site to site IPSec tunnel. No issues there.
I have also created a RA VPN access in the same main 5505.
RA VPN users get addressed as 10.64.53.X /24
I get connected to RA VPN and get the 10.64.53.X address. I can also see and get to other 10.64.50 and 10.64.51 devices that reside at the main site. local networks of the ASA that the ra vpn net resides on are ok.
My main issue is getting the RA vpn net of 10.64.53.0 /24 (that is defined locally on the 5505) to route across the site to site tunnels in the same way that 10.64.50 and 10.64.51 do.
I cannot get from 10.64.53.X net to 172.16.76.X net, when 10.64.50 and 10.64.51 are ok. Since 10.64.53 RA net resides on the ASA it should not have to go anywhere else but the ASA itself to route across the tunnels. essentialy it needs to route back out the interface it came in on. Is this possible, if so what statements are needed.
both configs are included. the main site gets very long but most is just cookie cutter statements for all 6 remotes sites.
Can anyone offer any suggestions. When looking at the main vpn system options in the gui. I have the check box checked for : Enable inbound IPSec sessions to bypass internal acls.
Thanks
03-11-2010 04:34 PM
I just added the:
same-security-traffic permit intra-interface
but still no go. I thought for sure that is what I needed. what else is needed to route your ra vpn in on your outside int and then go back through outside int to get to site to site tunnels
03-11-2010 07:12 PM
Well, despite the hack job that the ASDM does to a VPN config, the hairpinning looks to be correct from what I can see.
However, on the remote ASA I did notice that the RA network was not defined within the 'inside_access_in' ACL. I only saw these two lines:
access-list inside_access_in extended permit ip any 10.64.50.0 255.255.255.0
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: