Accessing branch offices connected to main office via L2L VPN through RA VPN

joe
Level 1

Hi All

I am trying to configure access to several remote offices for users who VPN into our main datacenter. The datacenter has a 5520, and the branches are connected through IPsec L2L VPNs. Branches all have 5505s or 5510s. Remote users use IPsec via the Cisco remote client. Remote access into our data center works, and the L2L VPNs are perfect; it's just that now I need remote users to access the branches after remote-access VPNing in (for support), and I can't get that part to work.

Any help would be appreciated!

Thank you

Accepted Solution

Jennifer Halim
Cisco Employee

For the VPN client to access the branch office subnet via the main site ASA, you would need to configure the following:

1) If you have split tunneling, it needs to include the branch subnet in the split-tunnel ACL.

2) Enable "same-security-traffic permit intra-interface" on the main site ASA.

3) Configure the VPN client pool subnet in the LAN-to-LAN tunnel towards the branch.

On the main site, the crypto ACL to one of the branches should say:

permit ip <vpn-client-pool-subnet> <branch-subnet>

On the branch site, the crypto ACL to the main site should say:

permit ip <branch-subnet> <vpn-client-pool-subnet>

4) On the branch site, you should also include a NAT exemption between the branch subnet and the VPN pool subnet.

5) After all the above changes, you would need to clear the tunnel so the IPsec LAN-to-LAN tunnel gets re-established with the new subnet included.

Hope that helps.
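The five steps above, written out as ASA configuration for both ends of one branch tunnel. This is an added example, not configuration from the original thread; it uses pre-8.3 NAT syntax (the era of the 5505/5510/5520 with the IPsec client) and assumed addresses: main LAN 10.1.1.0/24, branch LAN 192.168.10.0/24, remote-access pool 10.100.0.0/24, main ASA outside 198.51.100.10, branch ASA outside 203.0.113.10. The ACL, pool, group-policy and crypto-map names are also assumptions. Since the poster's L2L and RA tunnels already work, the ISAKMP policy, transform set and tunnel-groups are taken as already present and only the lines the five steps touch are shown.

```cisco
! ---------- Main site ASA 5520 (terminates both the RA and the L2L tunnels) ----------
! Step 2: decrypted RA traffic arrives on outside and must be re-encrypted out of
! outside towards the branch; that hairpin is dropped unless this is enabled.
same-security-traffic permit intra-interface

! Address pool handed to IPsec remote-access clients (assumed 10.100.0.0/24)
ip local pool RA-POOL 10.100.0.1-10.100.0.254 mask 255.255.255.0

! Step 1: the split-tunnel list must carry the branch LAN as well as the main LAN,
! otherwise the client never sends branch-bound packets into the tunnel.
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.10.0 255.255.255.0
group-policy RA-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Step 3 (main side): crypto ACL for the branch tunnel. The first ACE is the
! existing LAN-to-LAN pair; the second ACE adds the RA pool as a proxy identity.
access-list L2L-BRANCH1 extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list L2L-BRANCH1 extended permit ip 10.100.0.0 255.255.255.0 192.168.10.0 255.255.255.0

! Existing NAT exemption for the main LAN towards the branch and the RA pool
! (pre-8.3 syntax). Pool-to-branch traffic enters and leaves on outside, so it
! is not touched by nat (inside) and needs no exemption here.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.100.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

crypto map OUTSIDE-MAP 10 match address L2L-BRANCH1
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! ---------- Branch ASA 5505/5510 ----------
! Step 3 (branch side): exact mirror image of the main site's crypto ACL.
! If the two ends disagree on the proxy identities, phase 2 fails for that pair.
access-list L2L-MAIN extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list L2L-MAIN extended permit ip 192.168.10.0 255.255.255.0 10.100.0.0 255.255.255.0

! Step 4: NAT exemption for branch LAN -> main LAN and branch LAN -> RA pool,
! so replies to VPN users are not PATed to the branch's public address.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.100.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

crypto map OUTSIDE-MAP 10 match address L2L-MAIN
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! Step 5 (run on the main site): tear down the existing SAs for this peer so they
! renegotiate with the new proxy identities. Active branch sessions drop briefly.
clear crypto ipsec sa peer 203.0.113.10

! Check: after the next interesting packet, a second SA pair should exist for
! 10.100.0.0/24 <-> 192.168.10.0/24 alongside the original 10.1.1.0/24 pair.
show crypto ipsec sa peer 203.0.113.10 | include ident
```

On ASA 8.3 and later the branch-side step 4 becomes an identity twice-NAT rule instead of `nat (inside) 0`, for example `nat (inside,outside) source static BRANCH-LAN BRANCH-LAN destination static RA-POOL RA-POOL` with `object network` definitions for the two subnets (names assumed). Two things worth checking before rolling this out: the /24-to-/24 ACE makes every branch host reachable from every remote-access user, and decrypted VPN traffic bypasses the interface ACLs while the default `sysopt connection permit-vpn` is in effect, so scope support access with host-specific ACEs in the crypto ACL and NAT exemption, or with a `vpn-filter` ACL in the remote-access group policy. Also repeat the crypto ACL and NAT exemption changes for each branch; every crypto map entry on the main site carries its own ACL.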


Jennifer, thank you so very much for your complete, concise answer! You made it easy, and I appreciate your prompt response!

Joe

How can I do this process using ASDM?

"same-security-traffic permit intra-interface" did the job for me.

Thank you for helping out!
