10-21-2009 06:40 AM
We have outsourced our HR application to the vendor to host at their data center. Configuring the tunnel and restricting access is not a problem. What is the best way to allow over 1,500 internal hosts on over 100 different subnets through the VPN tunnel to the remote site using an ASA running v8.2 without adding too many lines to an already large configuration?
10-21-2009 07:12 AM
David
There's no easy answer to this. Are your 100 subnets summarisable to any extent? If so, you could certainly cut the config down by summarising.
Alternatively you could use permit ip any
Jon
10-21-2009 07:21 AM
I can summarize my internal hosts as 10.0.0.0/8, but the destination is 10.200.14.240/28. Because their network overlaps, I was thinking I could use PAT or NAT for my inside addresses with a config something like the following:
access-list Lawson_ACL extended permit ip any 10.200.14.240 255.255.255.240 !!remote hosting network
access-list NoNAT extended permit ip any 10.200.14.240 255.255.255.240
I'm just not sure how to do the NAT/PAT part, as I am used to the VPN 3080 GUI. I do not like ASDM except for monitoring, and I am used to the PIX 6.3 CLI but never had a config like this.
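Added example (not part of the thread, and not Cisco's or the poster's code): a small Python helper that works out the tightest single summary covering a list of internal subnets, checks whether that summary collides with the vendor's 10.200.14.240/28, and emits the ASA 8.2 crypto ACL and NAT-exempt lines using the Lawson_ACL and NoNAT names from the post. The internal subnets are constructed placeholders for the poster's ~100 real ones; if any source range still overlaps the remote /28, the helper flags it as needing policy NAT instead of a nat 0 exemption.

```python
import ipaddress

# Constructed sample input: a handful of internal subnets standing in for the
# poster's ~100. The remote vendor /28 is the one quoted in the thread.
INTERNAL_SUBNETS = ["10.1.10.0/24", "10.5.0.0/16", "10.64.3.0/24", "10.120.44.0/22"]
REMOTE_NET = "10.200.14.240/28"

# ACL names taken from the poster's snippet (assumed to be the ones in use).
CRYPTO_ACL = "Lawson_ACL"
NONAT_ACL = "NoNAT"


def covering_supernet(subnets):
    """Smallest single prefix that contains every subnet in the list."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    cover = nets[0]
    # Widen one bit at a time until every subnet sits inside the candidate.
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def acl_line(name, src, dst):
    """One ASA 8.2 'access-list ... extended permit ip' line (network + mask form)."""
    return (f"access-list {name} extended permit ip "
            f"{src.network_address} {src.netmask} "
            f"{dst.network_address} {dst.netmask}")


def plan_tunnel_acls(subnets, remote):
    """Decide between one summary line and per-subnet lines, and spot NAT needs."""
    remote = ipaddress.ip_network(remote)
    cover = covering_supernet(subnets)

    if not cover.overlaps(remote):
        # Best case: one summary covers everything and stays clear of the vendor range.
        sources = [cover]
    else:
        # The single summary would swallow the vendor /28; fall back to the
        # collapsed individual subnets so only genuine collisions remain.
        nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
        sources = list(ipaddress.collapse_addresses(nets))

    overlapping = [str(s) for s in sources if s.overlaps(remote)]
    clean = [s for s in sources if not s.overlaps(remote)]

    lines = [acl_line(CRYPTO_ACL, s, remote) for s in clean]
    if not overlapping:
        # Identity (no-translation) path: exempt the tunnel traffic from NAT.
        lines += [acl_line(NONAT_ACL, s, remote) for s in clean]
        lines.append(f"nat (inside) 0 access-list {NONAT_ACL}")

    return {
        "summary": str(cover),
        "needs_nat": bool(overlapping),   # True: these sources need policy NAT
        "overlapping": overlapping,
        "lines": lines,
    }


if __name__ == "__main__":
    plan = plan_tunnel_acls(INTERNAL_SUBNETS, REMOTE_NET)
    print(f"summary: {plan['summary']}  needs_nat: {plan['needs_nat']}")
    print("\n".join(plan["lines"]))
```

With the constructed subnets the tightest cover is 10.0.0.0/9, which does not touch 10.200.14.240/28, so the whole site fits in a single crypto ACL line plus a matching NoNAT line; add a subnet such as 10.200.0.0/16 and the cover widens to 10.0.0.0/8, the per-subnet fallback kicks in, and the colliding range is reported as needing policy NAT before it can ride the tunnel.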
10-21-2009 09:58 AM
I can summarize using 10.0.0.0/9 and encompass all my internal IPs without overlapping theirs.