Connect to a Computer at Site B when I'm VPNed into Site A

milkboy33
Level 1

Hello Community

Is there a way to configure two ASAs, Site A and Site B, which have a site-to-site VPN configured, so that if a person is VPNed into either Site A or B, that person is able to connect to all servers in either Site A or B?

Thanks,

Tom

2 Replies

Yes, that will work. You just have to make sure that "same-security-traffic permit intra-interface" is set and that your crypto-definition includes all needed networks. So if you have network a.a.a.0 in site-A and b.b.b.0 in site-B and your VPN-pool in site-B is d.d.d.0, then your crypto-ACLs have to be the following:

Site-A: permit a.a.a.0 to b.b.b.0 and permit a.a.a.0 to d.d.d.0
Site-B: permit b.b.b.0 to a.a.a.0 and permit d.d.d.0 to a.a.a.0

The split-tunnel-acl in site B has to include both networks b.b.b.0 and a.a.a.0.


Sent from Cisco Technical Support iPad App
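An added example, not part of the original posts: a small Python check that the two crypto ACLs described in the reply above are exact mirrors of each other and that the Site-B split-tunnel ACL lists both networks. The addresses and ACL names are constructed stand-ins for a.a.a.0, b.b.b.0 and d.d.d.0, and only plain network/mask ACL entries are parsed.

```python
import ipaddress

# Constructed sample lines: 10.1.0.0/24 stands in for a.a.a.0, 10.2.0.0/24 for
# b.b.b.0 and 10.99.0.0/24 for the Site-B VPN pool d.d.d.0. ACL names are made up.
# The split-tunnel ACL deliberately omits 10.1.0.0 so the check has a gap to report.
SITE_A = """\
access-list CRYPTO-TO-B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list CRYPTO-TO-B extended permit ip 10.1.0.0 255.255.255.0 10.99.0.0 255.255.255.0
"""
SITE_B = """\
access-list CRYPTO-TO-A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list CRYPTO-TO-A extended permit ip 10.99.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.2.0.0 255.255.255.0
"""


def crypto_pairs(config, acl):
    """(source, destination) networks permitted by an extended ACL."""
    pairs = set()
    for line in config.splitlines():
        tok = line.split()
        # Handles only the "permit ip <net> <mask> <net> <mask>" form.
        if len(tok) == 9 and tok[:5] == ["access-list", acl, "extended", "permit", "ip"]:
            pairs.add((ipaddress.ip_network(f"{tok[5]}/{tok[6]}"),
                       ipaddress.ip_network(f"{tok[7]}/{tok[8]}")))
    return pairs


def missing_mirrors(local, peer):
    """Entries the peer's crypto ACL lacks to be the exact reverse of ours."""
    return {(dst, src) for src, dst in local} - peer


def split_tunnel_missing(config, acl, required):
    """Networks from `required` that the standard split-tunnel ACL omits."""
    listed = set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 6 and tok[:4] == ["access-list", acl, "standard", "permit"]:
            listed.add(ipaddress.ip_network(f"{tok[4]}/{tok[5]}"))
    return {ipaddress.ip_network(n) for n in required} - listed


if __name__ == "__main__":
    a = crypto_pairs(SITE_A, "CRYPTO-TO-B")
    b = crypto_pairs(SITE_B, "CRYPTO-TO-A")
    print("Site-A needs:", missing_mirrors(b, a))
    print("Site-B needs:", missing_mirrors(a, b))
    print("Split tunnel lacks:",
          split_tunnel_missing(SITE_B, "SPLIT-TUNNEL", ["10.2.0.0/24", "10.1.0.0/24"]))
```
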

Hi Karsten,

Thanks for the response. You are correct, but there's one thing missing (I had TAC help us). A NAT rule needs to be put in place from Outside to Outside on both sides of the firewall that defines the interesting traffic (meaning the subnet of the remote VPN pool of IPs and the remote site's internal subnet). After we did that, everything worked perfectly.

-Tom
