05-01-2020 07:31 AM
Hey guys,
Very quick question that I suspect might have a very quick answer.
I've a Cisco ASA FW. I've Anyconnect Client VPN services configured. I also have S2S VPN services configured. If a user connecting through the client VPN wants to connect to infrastructure at the remote end of the S2S VPN will the necessary configurations upon "outside" and "inside" ACLs be sufficient (as well as necessary crypto ACL etc) to facilitate the connectivity or would the ASA also require configuring for hairpinning in / out of the same interface? Thanks. Matt
ciscoasa(config)#same-security-traffic permit intra-interface
05-01-2020 08:10 AM
Hi,
In addition to that command, you would need to ensure the traffic is exempt from NAT, RAVPN and L2L VPN traffic would be sourced from outside - you’d need a rule such as “nat (outside,outside) source static RAVPN RAVPN destination static REMOTE REMOTE”.
HTH
05-01-2020 09:27 AM
@Rob Ingram would it not be better to have
nat (outside,outside) source static RAVPN RAVPN destination static REMOTE REMOTE no-proxy-arp route-lookup
05-02-2020 11:21 AM
The ACLs on the outside and inside interfaces are irrelevant with regard to this VPN traffic. By default the ASA ignores the outside interface ACLs for VPN traffic unless you have changed this behavior. As for the inside interface ACLs, the Remote Access client traffic will never hit the inside interface, so neither the egress nor the ingress ACLs will have any effect on the traffic going to the remote site-to-site VPN.
You must have the same-security-traffic permit intra-interface command to allow the VPN traffic to enter and leave the same interface.
In addition to this, the Remote Access subnet will need to be added to the site-to-site VPN encryption domains at both ends of the site-to-site VPN and omitted from NAT (no-NAT / identity NAT) if required.
It doesn't hurt to use the no-proxy-arp and route-lookup commands but they are not required in this situation.
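Pulling the pieces from the replies above together into one configuration, as an added example that is not from any of the posters. All addresses, object names and the ASA version assumptions are made up for illustration: the AnyConnect pool is 10.99.0.0/24, the local LAN is 10.1.0.0/24, the remote LAN behind the site-to-site tunnel is 10.2.0.0/24 and the remote peer is 203.0.113.2. The crypto map and IKEv2 proposal names are assumed to already exist for the existing L2L tunnel.

```text
! --- objects for the hairpin NAT exemption (names assumed) ---
object network RAVPN
 subnet 10.99.0.0 255.255.255.0
object network REMOTE
 subnet 10.2.0.0 255.255.255.0

! --- AnyConnect address pool (assumed) ---
ip local pool RAVPN_POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0

! --- 1. allow traffic to enter and leave the outside interface ---
same-security-traffic permit intra-interface

! --- 2. identity NAT so RAVPN -> REMOTE is not translated ---
! (no-proxy-arp and route-lookup are optional here, as noted above)
nat (outside,outside) source static RAVPN RAVPN destination static REMOTE REMOTE no-proxy-arp route-lookup

! --- 3. add the RAVPN pool to the L2L encryption domain ---
! the existing entry for the local LAN stays; the second line is the addition
access-list L2L_CRYPTO extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip object RAVPN object REMOTE

crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside

! --- 4. if the AnyConnect group-policy uses split tunnelling, the
!        remote LAN must be in the split-tunnel list or the client
!        will never send that traffic into the tunnel ---
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.255.0
group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! --- checks after applying ---
! show nat detail                      (hit counts on the outside,outside rule)
! show crypto ipsec sa peer 203.0.113.2 (an SA for 10.99.0.0/24 <-> 10.2.0.0/24 must appear)
! packet-tracer input outside tcp 10.99.0.10 40000 10.2.0.10 443 detailed
```

The mirror image is needed on the far ASA: its crypto ACL must include 10.2.0.0/24 to 10.99.0.0/24 and that pair must be exempt from NAT there too, otherwise phase 2 will fail for the RAVPN proxy identity even though the local side looks correct.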
05-05-2020 01:33 AM
Thank you guys, I really appreciate all of the responses.
Matt
05-13-2020 05:39 AM
If one of the posts was the correct answer or helped you find the correct answer, please select it as answered so we stop monitoring the post.
Thanks.