ASA soft VPN and Hardware VPN

Hi,

We have several connections through the Cisco soft VPN client and hardware VPN with Cisco ASA 5505. Our main VPN is an ASA 5520 with the same public interface for soft and hardware VPN. All VPN connections are through this equipment, I mean soft and hardware with little ASA 5505.

My question is, why can't the soft VPN IP network 10.12.2.0/24 talk to network 10.80.0.0/16 of our hardware VPN? It is not an IP route, because the ASA 5520 is used to build all these VPNs, but it is maybe an ACL or something like that.

Thank you for your help.

4 Replies

Hi,

To allow traffic from one VPN to communicate across another VPN you need to allow u-turn:

same-security-traffic permit intra-interface

Without the above command, the ASA will not reroute traffic back out the same interface on which it received it (in this case the outside interface).

Federico.

Hi Federico,

Do you know if entering this command will drop all VPN connections?

Thanks

Federico,

I checked with the CLI on my ASA and I saw the command same-security-traffic permit intra-interface.

Is it maybe an ACL I will need to add?

Thanks

Besides allowing u-turn you need to include the interesting traffic correctly.

i.e.

You have:

Central site, Site A, Site B

To allow Site A to talk to Site B through the tunnel to Central Site, you need to include Site A LAN in the tunnel to Site B and vice versa.

Federico.
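The hub-and-spoke setup Federico describes, written out as a constructed ASA configuration that is not part of the original thread: the u-turn command, the site-to-site crypto ACL that also carries the soft VPN pool, the split-tunnel list for the clients, and the NAT exemption that hairpinned VPN-to-VPN traffic needs. Only the two networks quoted by the poster (10.12.2.0/24 and 10.80.0.0/16) come from the thread; the hub LAN 10.0.0.0/24, the peer address, the object names, and the pre-8.3 NAT syntax are assumptions, and the IKE policy and tunnel-group lines are omitted.

```cisco
! Hub ASA 5520 (constructed example). Hub LAN 10.0.0.0/24, peer address,
! and all names are assumptions; pre-8.3 NAT syntax is assumed.

! 1. Let traffic that arrives on outside leave again via outside (u-turn)
same-security-traffic permit intra-interface

! 2. Soft VPN client address pool (10.12.2.0/24)
ip local pool RA_POOL 10.12.2.1-10.12.2.254 mask 255.255.255.0

! 3. Interesting traffic for the tunnel to the ASA 5505 (Site B, 10.80.0.0/16):
!    the soft VPN pool must be listed here, not only the hub LAN
access-list L2L_SITEB extended permit ip 10.0.0.0 255.255.255.0 10.80.0.0 255.255.0.0
access-list L2L_SITEB extended permit ip 10.12.2.0 255.255.255.0 10.80.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L_SITEB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.5
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! 4. Split-tunnel list pushed to the soft VPN clients: include Site B's LAN,
!    otherwise the client never sends 10.80.0.0/16 into its tunnel
access-list RA_SPLIT standard permit 10.0.0.0 255.255.255.0
access-list RA_SPLIT standard permit 10.80.0.0 255.255.0.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SPLIT

! 5. Exempt the hairpinned traffic from NAT on the interface it enters
!    (outside), so the crypto ACL matches the untranslated addresses
access-list NONAT extended permit ip 10.12.2.0 255.255.255.0 10.80.0.0 255.255.0.0
nat (outside) 0 access-list NONAT

! Spoke ASA 5505 (Site B): mirror the interesting traffic and the NAT exemption
access-list L2L_HUB extended permit ip 10.80.0.0 255.255.0.0 10.0.0.0 255.255.255.0
access-list L2L_HUB extended permit ip 10.80.0.0 255.255.0.0 10.12.2.0 255.255.255.0
access-list NONAT_B extended permit ip 10.80.0.0 255.255.0.0 10.12.2.0 255.255.255.0
nat (inside) 0 access-list NONAT_B
```

To confirm the fix on the hub, run `packet-tracer input outside icmp 10.12.2.10 8 0 10.80.1.1` and check that each phase is ALLOW, then `show crypto ipsec sa` to see whether an SA for 10.12.2.0/24 to 10.80.0.0/16 was negotiated.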