I have two sites lets call it main and dr connected via ipsec site to site vpn from cisco asa to cisco asa at both the ends. I also have Remote access vpn on both the ends to the main site as well as on the dr site.
Now the question is if i connect to the ra vpn to the dr site can i pass the traffic from the ra subnet through the ipsec site to site to the main site so from the ra vpn connected pc i can directly access the servers in the main site also. the ra subnet traffic can it be included in the crypto access-list in the site to site .
This is a common implementation and described in numerous articles - it is often referred to as "hairpinning" or "U-Turn" as the traffic from RA VPN comes in via outside interface and then back out same interface to the peer site.
Three things are generally required:
1. the appropriate access-list entries (referenced by the crypto map associated with the tunnel)
2. NAT exemption for the RA subnet traffic headed to the peer site
3. permitting traffic via same-security-interface.
(You'll generally get better visibility for this sort of question on the VPN forum. You can recategorize your original post via the widget in the top right.)
so from the core sw on the main site i just route the ra vpn subnet to the asa which is terminating the vpn on main site and add it to the crpyot acls and nat exeption acls so the traffic to the ra subnet reaches the other asa on the other end of the ipsec tunnel and the asa on other end will it route the traffic automatically to the ra subnet from the firewall ?