Cisco ASA Remote VPN to other outside interface

rickyief16
Level 1

Hi, I'm setting up VPN access through an ASA firewall and I have some problems understanding how to configure it correctly for my scenario.

The scenario is as follows: the office LAN is on the inside interface, VPN access comes in through the internet interface, and another interface carries the inter-company LAN-to-LAN connections, which is considered another outside interface.

 

The idea is that remote users can connect from the internet to the office LAN and also to the inter-company LAN-to-LAN connection. I have successfully configured an IPsec VPN which works well for the office LAN, but the traffic cannot jump to the other outside interface to connect to the other company's LAN.

I have attached a JPG with the scenario.

 

Could you help me to make the traffic through the other outside interface too?

Thanks

3 Replies

Marvin Rhoads
Hall of Fame

You have at least two distinct bits that need to be addressed to make what you laid out work properly. First is the routing via the second interface. An ASA does not support policy-based routing so both you and your peer would need static routes to reach each other's public IP via the second interface.

Once you successfully create a VPN and get local traffic destined for your peer's allowed network(s) to flow, you need to take care of your remote access VPN users. There are several Cisco and external resources that have documented how to do this in detail. The key word used is "U-turn" or "hairpin", describing the traffic flow for most scenarios using a single outside interface; yours is a bit complicated since you want to use two interfaces. (One would be an easier road to travel if that's an option for you.)

See these links for a couple of examples:

Cisco TAC note

Packet Pushers blog entry

Hi Marvin, thanks for your input.

Reading about the hairpin, I was able to successfully configure, in a GNS3 environment, a topology similar to the production one. With the combination of the command same-security-traffic permit inter-interface, an ACL to permit traffic incoming from the LAN2LAN network, and routing the different LAN2LAN segments through the tunnel with the command split-tunnel-network-list value "ACL", I can access both the office LAN and the other company's LAN through the VPN.

Now in GNS3 it works great, but with more or less the same configuration on the production environment it doesn't work. I'm thinking that may be related to the version we are running: on GNS3 I have 8.4(2) and on production I have 9.1(5). Am I missing something?

Thanks again

8.4(2) vs. 9.1(5) shouldn't make a difference for the purposes of this question.

Is your GNS3 simulation using two separate outside interfaces?
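As an added example that is not from the thread or from Cisco, here is one way the pieces described in the second post (same-security-traffic permit inter-interface, a split-tunnel ACL that includes the other company's network, and routing the peer via the second outside interface) fit together on an ASA, with the NAT exemption and crypto-ACL entries that such a two-interface setup also needs. All interface names, object names and addresses are constructed; the IKE policy, crypto map and tunnel-group definitions for the two VPNs are omitted because they are the same as in a single-interface deployment.

```cisco
! Added example, not from the thread: ASA 8.4+/9.x configuration for the
! topology described above. All names and addresses are constructed:
!   inside   192.168.10.0/24  office LAN
!   outside  203.0.113.2      internet-facing; remote-access VPN terminates here
!   l2l      198.51.100.2     second outside interface; site-to-site peer 198.51.100.10
!   peer LAN 172.16.0.0/16    other company's network behind the L2L tunnel
!   RA pool  10.10.10.0/24    addresses handed to remote-access clients
!
! 1. Both "outside" interfaces sit at security-level 0; decrypted client traffic
!    entering on outside and leaving on l2l needs this explicit permission.
same-security-traffic permit inter-interface
!
! 2. Routing: the L2L peer's public address must be reached via the second
!    interface (no policy-based routing on the ASA, as the first reply notes).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route l2l 198.51.100.10 255.255.255.255 198.51.100.1 1
!
! 3. Objects and the client address pool.
object network OFFICE_LAN
 subnet 192.168.10.0 255.255.255.0
object network RA_POOL
 subnet 10.10.10.0 255.255.255.0
object network PEER_LAN
 subnet 172.16.0.0 255.255.0.0
ip local pool RA_POOL_ADDR 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! 4. Split tunnel: the client must send the peer LAN into the tunnel too,
!    otherwise packets for 172.16.0.0/16 leave via the client's local gateway.
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 172.16.0.0 255.255.0.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 5. The site-to-site crypto ACL must match the RA pool as a source, not just the
!    office LAN, and the peer's mirror ACL must include 10.10.10.0/24 as well.
access-list L2L_TRAFFIC extended permit ip object OFFICE_LAN object PEER_LAN
access-list L2L_TRAFFIC extended permit ip object RA_POOL object PEER_LAN
!
! 6. NAT exemption so neither source is translated on the way out of l2l.
nat (inside,l2l) source static OFFICE_LAN OFFICE_LAN destination static PEER_LAN PEER_LAN no-proxy-arp route-lookup
nat (outside,l2l) source static RA_POOL RA_POOL destination static PEER_LAN PEER_LAN no-proxy-arp route-lookup
!
! With the default "sysopt connection permit-vpn" the decrypted traffic bypasses
! interface ACLs; if that has been disabled, permit it on both interfaces' ACLs.
```

To find where the production box diverges from the lab, `packet-tracer input outside icmp 10.10.10.5 8 0 172.16.0.10 detailed` walks a pool address through the route lookup, NAT and VPN phases and reports the one that drops the flow.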