12-18-2012 12:43 PM
Hi All
I am trying to configure access to several remote offices for users who VPN into our main datacenter. The datacenter has a 5520, and the branches are connected through IPSec L2L VPNs. Branches all have 5505s or 5510s. Remote users use IPSec via the Cisco remote client. Remote access into our data center works, and the L2L VPNs are perfect... just now that I need remote users to access the branches after remote-access VPNing (for support), I can't get that part to work.
Any help would be appreciated!
Thank you
12-18-2012 11:18 PM
For vpn client to access the branch office subnet via the Main site ASA, you would need to configure the following:
1) If you have split tunnel, it needs to include the branch subnet in the split tunnel ACL.
2) Enable "same-security-traffic permit intra-interface" on the Main site ASA.
3) Configure the vpn client pool subnet in the lan-to-lan tunnel towards the branch.
On the Main site, the crypto ACL to one of the branches should say:
permit ip
On the branch site, crypto ACL to the main site should say:
permit ip
4) On the branch site, you should also include NAT exemption between the branch subnet and the vpn pool subnet.
5) After all the above changes, you would need to clear the tunnel, so the ipsec lan-to-lan tunnel gets reestablished with the new subnet included.
Hope that helps.
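The five steps above, written out as one ASA configuration. This is an added example, not configuration from the thread or from Cisco; every address is constructed (main LAN 10.10.0.0/24, branch LAN 10.20.0.0/24, remote-access pool 10.99.0.0/24, branch peer 198.51.100.1), the object, ACL and group-policy names are invented, and it assumes ASA 8.4 or later object-based NAT syntax with an IKEv1 L2L crypto map that already references the crypto ACL on each side (which the original poster says is working). The main-site `nat (outside,outside)` exemption is one step beyond the reply's list; it is included because on 8.3+ a pool-to-branch flow that hairpins on the outside interface otherwise falls into dynamic PAT and never matches the crypto ACL.

```cisco
! ===== Main site ASA (5520) =====
object network MAIN_LAN
 subnet 10.10.0.0 255.255.255.0
object network BRANCH_LAN
 subnet 10.20.0.0 255.255.255.0
object network VPN_POOL
 subnet 10.99.0.0 255.255.255.0

! 1) Split-tunnel ACL must carry the branch subnet, not only the main LAN;
!    otherwise the client never sends branch traffic into the tunnel.
access-list RA_SPLIT standard permit 10.10.0.0 255.255.255.0
access-list RA_SPLIT standard permit 10.20.0.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SPLIT

! 2) Client traffic arrives on outside and must leave on outside again
!    (hairpin); the ASA drops it without this.
same-security-traffic permit intra-interface

! 3) Crypto ACL of the L2L tunnel: main LAN -> branch AND pool -> branch
access-list L2L_BRANCH extended permit ip object MAIN_LAN object BRANCH_LAN
access-list L2L_BRANCH extended permit ip object VPN_POOL object BRANCH_LAN

! Keep the hairpinned pool-to-branch flow untranslated (assumed addition,
! needed on 8.3+ so the packet still matches the crypto ACL after NAT)
nat (outside,outside) source static VPN_POOL VPN_POOL destination static BRANCH_LAN BRANCH_LAN no-proxy-arp route-lookup

! ===== Branch ASA (5505/5510) =====
object network BRANCH_LAN
 subnet 10.20.0.0 255.255.255.0
object network MAIN_LAN
 subnet 10.10.0.0 255.255.255.0
object network VPN_POOL
 subnet 10.99.0.0 255.255.255.0

! 3) Mirror image of the main site's crypto ACL (proxy IDs must match
!    exactly or phase 2 fails for the new pool entry)
access-list L2L_MAIN extended permit ip object BRANCH_LAN object MAIN_LAN
access-list L2L_MAIN extended permit ip object BRANCH_LAN object VPN_POOL

! 4) NAT exemption: branch LAN <-> remote-access pool
nat (inside,outside) source static BRANCH_LAN BRANCH_LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! ===== 5) Tear the tunnel down so it renegotiates with the new proxy ID =====
! Run on the main ASA (exec mode, not config mode):
!   clear crypto ipsec sa peer 198.51.100.1
! Then verify that a second SA pair exists for 10.99.0.0/24 <-> 10.20.0.0/24:
!   show crypto ipsec sa peer 198.51.100.1
```

When checking step 5, the useful sign is a separate `local ident`/`remote ident` pair for the pool and branch subnets in the `show crypto ipsec sa` output; if only the main-LAN pair appears after a clear, the two crypto ACLs do not mirror each other.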
12-19-2012 09:29 AM
Jennifer, thank you so very much for your complete, concise answer! You made it easy, and i appreciate your prompt response!
Joe
09-10-2014 07:04 AM
How can I do this process using ASDM?
02-05-2016 04:40 AM
"same-security-traffic permit intra-interface" did the job for me.
Thank you for helping out!