
how to pass ra vpn subnet traffic through an ipsec tunnel


Dear geeks,

I have two sites, let's call them main and DR, connected via an IPsec site-to-site VPN from Cisco ASA to Cisco ASA at both ends. I also have remote access VPN on both ends, on the main site as well as on the DR site.

Now the question is: if I connect to the RA VPN at the DR site, can I pass the traffic from the RA subnet through the IPsec site-to-site tunnel to the main site, so that from the RA VPN-connected PC I can directly access the servers in the main site as well? Can the RA subnet traffic be included in the crypto access-list of the site-to-site tunnel?

Are there any drawbacks to this?

Please do let me know if you need more details.






Marvin Rhoads
Hall of Fame

This is a common implementation and described in numerous articles - it is often referred to as "hairpinning" or "U-Turn", as the traffic from the RA VPN comes in via the outside interface and then goes back out the same interface to the peer site.

Three things are generally required:

1. the appropriate access-list entries (referenced by the crypto map associated with the tunnel)

2. NAT exemption for the RA subnet traffic headed to the peer site

3. permitting traffic via same-security-interface.

(You'll generally get better visibility for this sort of question on the VPN forum. You can recategorize your original post via the widget in the top right.)
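
The three requirements listed in the reply above, written out as an ASA configuration sketch. This is an added example, not part of the original reply or taken from the poster's devices; it assumes ASA 8.3 or later NAT syntax, an external interface named `outside`, and constructed names and addresses (`RA-POOL-DR` 10.10.50.0/24, `MAIN-LAN` 192.168.1.0/24, crypto ACLs `S2S-TO-MAIN` / `S2S-TO-DR`, split-tunnel ACL `RA-SPLIT`).

```cisco
! ===== DR-site ASA (terminates the RA VPN and the site-to-site tunnel) =====
! All names and subnets below are constructed for illustration.
object network RA-POOL-DR
 subnet 10.10.50.0 255.255.255.0
object network MAIN-LAN
 subnet 192.168.1.0 255.255.255.0

! 1. Crypto ACL: add the RA pool as interesting traffic toward the main site.
!    S2S-TO-MAIN stands for the ACL already referenced by the tunnel's
!    "crypto map ... match address" line.
access-list S2S-TO-MAIN extended permit ip object RA-POOL-DR object MAIN-LAN

! 2. NAT exemption: traffic enters and leaves on outside, so the identity
!    NAT rule is (outside,outside), not (inside,outside).
nat (outside,outside) source static RA-POOL-DR RA-POOL-DR destination static MAIN-LAN MAIN-LAN no-proxy-arp route-lookup

! 3. Allow traffic to enter and exit the same interface (hairpin / U-turn).
same-security-traffic permit intra-interface

! If the RA group policy uses split tunneling, the main-site subnet must
! also be in the split-tunnel list, or clients never send it into the VPN.
access-list RA-SPLIT standard permit 192.168.1.0 255.255.255.0

! ===== Main-site ASA (peer end of the site-to-site tunnel) =====
object network RA-POOL-DR
 subnet 10.10.50.0 255.255.255.0
object network MAIN-LAN
 subnet 192.168.1.0 255.255.255.0

! The crypto ACL must mirror the DR side exactly, or phase 2 will not
! come up for the RA pool.
access-list S2S-TO-DR extended permit ip object MAIN-LAN object RA-POOL-DR

! Exempt return traffic to the RA pool from NAT on the way into the tunnel.
nat (inside,outside) source static MAIN-LAN MAIN-LAN destination static RA-POOL-DR RA-POOL-DR no-proxy-arp route-lookup
```

With RA VPN running at both sites, the two address pools must not overlap, since each pool becomes a routed subnet on the other side of the tunnel. Listing specific server subnets in the crypto ACL instead of the whole main LAN keeps RA clients' reach across the tunnel to what they need.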