
Is it possible to do this with remote-access VPN?

mizoran78
Level 1

Hi

I have access to my enterprise network through the Cisco VPN (software) client, which goes through a remote-access IPsec VPN set up on an ASA 5510. Everything works fine.

But now the users that connect to the enterprise network also need to access the remote-site networks that are connected through site-to-site VPN tunnels: IPsec tunnels between the mentioned ASA 5510 and remote ASA 5510s and ASA 5505s in the branch offices.

Is it possible?

If yes, what should I consider to make it work?

My setup looks like

enterprise network:                        10.1.1.0/24
remote VPN clients get IP addresses from:  10.0.5.0/28
remote branch 1 network:                   10.1.10.0/24
remote branch 2 network:                   10.1.20.0/24
remote branch 3 network:                   10.1.30.0/24

There is a NAT exemption rule that exempts the networks 10.1.10.0/24, 10.1.20.0/24 and 10.1.30.0/24.

All traffic from the local network 10.1.1.0/24 has full IP connectivity with all the networks in the branch offices. The PROBLEM is that the remote VPN clients can reach only the local network 10.1.1.0/24, but not the remote networks.

The ASAs in the remote branch offices have NAT exemption set up towards both the local network 10.1.1.0/24 and the remote-access clients' network 10.0.5.0/28, but as I said, it doesn't work. Please help!

Thanks in advance!

Zoran

Accepted Solution

Jennifer Halim
Cisco Employee

Yes, you can.

Let's take one remote branch network as an example: the branch 1 network (10.1.10.0/24):

On Enterprise ASA:

- If you have split tunnelling configured for the VPN Client, you would also need to add the remote branch network (10.1.10.0/24) to the list.

- The crypto ACL between the Enterprise ASA and the remote branch 1 ASA needs to have the following added:

access-list <crypto-acl-name> extended permit ip 10.0.5.0 255.255.255.240 10.1.10.0 255.255.255.0

- "same-security-traffic permit intra-interface" needs to be configured

On remote branch 1 ASA:

- The crypto ACL between the remote branch 1 ASA and the Enterprise ASA needs to have the following added:

access-list <crypto-acl-name> extended permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240

- A NAT exemption rule to exempt the traffic:

access-list <nat-exempt-acl-name> extended permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240

Clear the tunnels from both ends, and test the connectivity.

Hope this helps.

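The steps in the accepted answer, assembled into one configuration as an added example (this is not part of the original thread and not Cisco documentation). It uses the addresses from the question and assumes pre-8.3 ASA NAT syntax, since the answer describes an ACL-based NAT exemption; the ACL, group-policy and crypto-map names (SPLIT_TUNNEL, RA_POLICY, OUTSIDE_MAP, L2L_BRANCH1, L2L_HQ, NONAT) are placeholders to be replaced by the names already in use, and the existing crypto-map peer and transform-set lines are assumed to stay as they are. Only the branch 1 network is shown; branches 2 and 3 get the same pair of entries. The two crypto ACLs are exact mirrors of each other, which IKE phase 2 requires, and they name the /28 client pool rather than a wider range, because the crypto ACL is also what bounds which VPN-client addresses can be hairpinned into the branch tunnel.

```cisco
! ===== Enterprise ASA 5510 (remote-access hub) =====
!
! 1. Allow traffic that enters on 'outside' (decrypted from a VPN client)
!    to leave on 'outside' again (into the site-to-site tunnel).
same-security-traffic permit intra-interface
!
! 2. Split tunnel: the client only sends listed networks into the tunnel,
!    so the branch network is added next to the enterprise LAN.
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.1.10.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 3. Crypto ACL for the branch 1 site-to-site tunnel: the existing LAN
!    entry plus the remote-access pool (10.0.5.0/28, not 'any').
access-list L2L_BRANCH1 extended permit ip 10.1.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list L2L_BRANCH1 extended permit ip 10.0.5.0 255.255.255.240 10.1.10.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_BRANCH1
!
! ===== Branch 1 ASA =====
!
! Crypto ACL: exact mirror of the hub's ACL. Proxy identities that do not
! match on both ends make phase 2 fail for that traffic pair.
access-list L2L_HQ extended permit ip 10.1.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list L2L_HQ extended permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240
crypto map OUTSIDE_MAP 10 match address L2L_HQ
!
! NAT exemption (pre-8.3 syntax, assumed): branch hosts must reach the
! client pool untranslated or the return traffic will not match the tunnel.
access-list NONAT extended permit ip 10.1.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240
nat (inside) 0 access-list NONAT
!
! ===== Verification (run on both ASAs after the change) =====
! clear crypto ipsec sa peer <other-asa-public-ip>
! show crypto ipsec sa peer <other-asa-public-ip>
!   Expect, after a client pings a branch host, an SA whose identities are
!   local ident 10.0.5.0/255.255.255.240 and remote ident 10.1.10.0/255.255.255.0
!   on the hub (mirrored on the branch), with #pkts encaps and decaps increasing.
```

If the SA with the 10.0.5.0/28 identity never appears, the usual causes are the split-tunnel list not yet pushed to the client (reconnect the client) or the two crypto ACLs not being mirror images.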


Thank you, Jennifer!

That's exactly what I wanted. I have just tested it with one remote location and it works.

BR

Zoran