06-04-2013 01:31 AM
Hello all,
I have two ASA5505 with a site to site VPN.
One of the ASA is connected to the internal network 192.168.150.0.
The other one is connected to 192.168.151.0.
I have also configured IPSec Cisco client VPN to the one which is plugged to 192.168.150.0.
I would like to know if it is possible for a client connected with the Cisco VPN to access the network 192.168.151.0 through the site to site VPN.
Thanks!
06-04-2013 02:50 AM
Hi,
If you mean that the VPN Pool IP addresses are something like 192.168.150.x then I would suggest using some totally different network than the ones used on the LAN networks.
The software level 9.1 basically causes changes to how the NAT0 configurations are done.
MAIN SITE
object network VPN-POOL
subnet x.x.x.x y.y.y.y
object network REMOTE-LAN
subnet 192.168.151.0 255.255.255.0
nat (outside,outside) source static VPN-POOL VPN-POOL destination static REMOTE-LAN REMOTE-LAN
REMOTE SITE
object network VPN-POOL
subnet x.x.x.x y.y.y.y
object network LAN
subnet 192.168.151.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
Otherwise I would imagine that the same kind of configurations as above apply. You need the "same-security-traffic" command to enable the "outside" to "outside" traffic. You will have to make sure that the Split Tunnel ACL contains the remote site network. And naturally you will have to make sure that the crypto ACLs define/include the traffic between the VPN Pool and the 192.168.151.0/24 network on the ASAs at both sites.
- Jouni
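To sanity-check the three points Jouni lists (a pool that does not overlap either LAN, a split-tunnel ACL that includes the remote LAN, and crypto ACLs that mirror each other on the two ASAs) before editing the config, here is an added Python checker. It is not from the thread; the pool 10.10.10.0/24 and the ACL entries it is fed are constructed sample values.

```python
import ipaddress

MAIN_LAN = ipaddress.ip_network("192.168.150.0/24")    # LAN behind the main-site ASA
REMOTE_LAN = ipaddress.ip_network("192.168.151.0/24")  # LAN behind the remote-site ASA

def _net(n):
    return ipaddress.ip_network(n)

def pool_overlaps(pool, lans=(MAIN_LAN, REMOTE_LAN)):
    """Return the LAN subnets the VPN pool overlaps (must be empty for a clean NAT0 design)."""
    return [str(lan) for lan in lans if _net(pool).overlaps(lan)]

def split_tunnel_covers(split_tunnel_nets, target=REMOTE_LAN):
    """True if some split-tunnel ACL entry covers the target network."""
    return any(target.subnet_of(_net(n)) for n in split_tunnel_nets)

def crypto_acls_mirror(main_acl, remote_acl):
    """ACLs are lists of (src, dst) pairs; the remote ASA's crypto ACL must be
    the exact mirror of the main ASA's, or the IPsec proxy identities will not match."""
    main = {(_net(s), _net(d)) for s, d in main_acl}
    remote_mirrored = {(_net(d), _net(s)) for s, d in remote_acl}
    return main == remote_mirrored

def check_design(pool, split_tunnel_nets, main_crypto, remote_crypto):
    """Apply the thread's checks; an empty list means the design passes."""
    findings = []
    overlap = pool_overlaps(pool)
    if overlap:
        findings.append(f"pool {pool} overlaps LAN {overlap}; use a separate network")
    if not split_tunnel_covers(split_tunnel_nets):
        findings.append(f"split-tunnel ACL does not include {REMOTE_LAN}")
    if (_net(pool), REMOTE_LAN) not in {(_net(s), _net(d)) for s, d in main_crypto}:
        findings.append(f"main-site crypto ACL lacks {pool} -> {REMOTE_LAN}")
    if not crypto_acls_mirror(main_crypto, remote_crypto):
        findings.append("crypto ACLs on the two ASAs are not mirror images")
    return findings

if __name__ == "__main__":
    # Constructed: pool carved out of the main LAN, nothing else updated (the OP's starting point)
    for f in check_design("192.168.150.200/29", ["192.168.150.0/24"],
                          [("192.168.150.0/24", "192.168.151.0/24")],
                          [("192.168.151.0/24", "192.168.150.0/24")]):
        print("FAIL:", f)
    # Constructed: separate pool 10.10.10.0/24, split-tunnel and both crypto ACLs extended
    print(check_design("10.10.10.0/24", ["192.168.150.0/24", "192.168.151.0/24"],
                       [("192.168.150.0/24", "192.168.151.0/24"), ("10.10.10.0/24", "192.168.151.0/24")],
                       [("192.168.151.0/24", "192.168.150.0/24"), ("192.168.151.0/24", "10.10.10.0/24")]))
```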
06-04-2013 02:00 AM
Hi,
There should be no problem with this setup.
Naturally it would be easier to tell what you specifically require to make this happen.
Below I will presume that you are using ASA software 8.2 or below and you have "inside" and "outside" interfaces on the ASAs.
MAIN SITE
First you will need to determine how your VPN Client connection is configured. Are you using Full Tunnel or Split Tunnel? If you are using Full Tunnel then no changes related to the Client VPN are needed. If you are using Split Tunnel then you will need to add the remote site network to the Split Tunnel ACL.
Next you will have to make sure you have the following configuration
same-security-traffic permit intra-interface
On the site with the VPN Client connection. This configuration will allow the VPN Client connection coming from the "outside" interface to head back out to the "outside" interface where the remote site is located (through the L2L VPN of course).
Next you will have to make a NAT0 rule that is configured on your "outside" interface at the VPN Client site
access-list OUTSIDE-NAT0 remark NAT0 for VPN Client to Remote Site
access-list OUTSIDE-NAT0 permit ip x.x.x.x y.y.y.y 192.168.151.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE-NAT0
Next you will naturally need to make sure that the existing L2L VPN can accommodate the VPN Client traffic. So what you will need is to configure additions to the existing crypto ACL on the VPN Client site (I presume an ACL name, and x.x.x.x y.y.y.y stands for your VPN Pool network and mask)
access-list L2LVPN permit ip x.x.x.x y.y.y.y 192.168.151.0 255.255.255.0
REMOTE SITE
And finally on the remote site you will have to both configure NAT0 and the Crypto ACL to include the VPN Client pool network (again presuming ACL names which are most likely different in your case)
access-list INSIDE-NAT0 remark NAT0 for local LAN to remote site VPN Pool
access-list INSIDE-NAT0 permit ip 192.168.151.0 255.255.255.0 x.x.x.x y.y.y.y
nat (inside) 0 access-list INSIDE-NAT0
You will of course just need to add the NAT0 ACL rule to your already existing NAT0 configuration ACL that is used for the L2L VPN currently.
Same thing with the L2L VPN ACL. You add an ACL rule to the existing ACL
access-list L2LVPN permit ip 192.168.151.0 255.255.255.0 x.x.x.x y.y.y.y
And that should be about it.
Please remember to mark the reply as the correct answer if it answered your question. Or ask more if this didn't yet answer your question.
Hope this helps
- Jouni
06-04-2013 02:42 AM
Dear Jouni,
Thanks for your fast response. I use ASA 9.x on both ASAs.
On the main site, VPN connection is configured with split tunnel.
Also, the VPN pool is in the range of the subnet; does it cause a problem?
Yes, my interfaces are named inside and outside.
David.