05-27-2011 12:09 PM
Trying to simulate our recovery setup in the lab. I have two ASA 5520s that have a site-to-site tunnel between them.
That is working fine.
But I also have a requirement for remote access into one of the ASAs, which once connected needs to route across the site-to-site tunnel to another server on the other side.
So far the remote access piece connects fine, I can access all locally connected networks, but I can't seem to get the traffic to route across the site-to-site tunnel to the other side.
Is this doable? If so, any suggestions would be appreciated.
Cheers
Dave
05-27-2011 12:32 PM
Hi Dave,
You can do it.
You need to enable "same-security-traffic permit intra-interface" to allow the U-turn (traffic going back out the same interface).
Also, include the VPN client pool in the ACL for the L2L tunnel, and add the remote L2L network to the split-tunneling ACL (for the clients).
In this way, the VPN clients can connect and can also reach the far side through the L2L tunnel.
You might need to look that is either not configured for this traffic or configured correctly.
Hope it helps.
Federico.
05-27-2011 12:52 PM
Appreciate the reply... Just so we are clear:
My inside network on ASA#1 is 172.31.96.0/19, my inside network on ASA#2 is 192.168.11.0/24.
My VPN client connects to ASA#1 and uses the VPN pool 192.168.14.10 - 192.168.14.20.
Site-to-site is up between ASA#1 and ASA#2, connectivity from 172.31.96.0 to 192.168.11.0 is good.
If my VPN client is connecting into ASA#1 and receives an IP of 192.168.14.10, which interface on ASA#1 would I apply the "same-security-traffic permit intra-interface" to?? The inside interface??
Cheers
dave
05-27-2011 12:59 PM
The command is not applied to a specific interface.
The command enables the functionality on the ASA to receive traffic from the VPN clients on the outside interface and send it out via the same outside interface through the L2L tunnel (and vice versa).
Federico.
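The configuration Federico describes (in his first answer and in the clarification above) written out as an added example, not a configuration posted by anyone in this thread. It uses the addresses Dave gave (172.31.96.0/19 behind ASA#1, 192.168.11.0/24 behind ASA#2, client pool 192.168.14.10-20); the ACL, pool, crypto map and group-policy names are assumptions, and the NAT exemption at the end is an assumption about the "either not configured or configured correctly" hint, in 8.2-style syntax.

```cisco
! ===== ASA#1: terminates the remote-access clients and the L2L tunnel =====

! Global command, not tied to an interface: lets a packet that arrived on the
! outside interface (from a VPN client) leave via the same outside interface
! (into the L2L tunnel), and the reverse.
same-security-traffic permit intra-interface

! Client address pool (name assumed); the ACLs below use the enclosing /24.
ip local pool VPN_POOL 192.168.14.10-192.168.14.20 mask 255.255.255.0

! Crypto ACL for the L2L tunnel (name assumed). The second line is the fix:
! the client pool must be part of the "interesting traffic", not only the LAN.
access-list L2L_TO_ASA2 extended permit ip 172.31.96.0 255.255.224.0 192.168.11.0 255.255.255.0
access-list L2L_TO_ASA2 extended permit ip 192.168.14.0 255.255.255.0 192.168.11.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_TO_ASA2

! Split-tunnel ACL pushed to the clients (name assumed). Without the second
! line the client sends 192.168.11.0/24 traffic out its local default route.
access-list SPLIT_TUNNEL standard permit 172.31.96.0 255.255.224.0
access-list SPLIT_TUNNEL standard permit 192.168.11.0 255.255.255.0
group-policy RA_CLIENTS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Assumed extra step (not stated in the thread): the hairpinned client traffic
! enters on outside, so it needs a NAT exemption on outside as well.
access-list NO_NAT_OUTSIDE extended permit ip 192.168.14.0 255.255.255.0 192.168.11.0 255.255.255.0
nat (outside) 0 access-list NO_NAT_OUTSIDE

! ===== ASA#2: the crypto ACL must mirror ASA#1, pool included =====
access-list L2L_TO_ASA1 extended permit ip 192.168.11.0 255.255.255.0 172.31.96.0 255.255.224.0
access-list L2L_TO_ASA1 extended permit ip 192.168.11.0 255.255.255.0 192.168.14.0 255.255.255.0
```

To confirm the tunnel actually carries the client traffic, a "show crypto ipsec sa" on either ASA should list a security association whose local/remote identities are the pool /24 and 192.168.11.0/24, separate from the one for the inside LAN; if only the LAN pair appears, the pool line is missing from one side's crypto ACL.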
05-27-2011 01:00 PM
Yes sir, that was it!!! Thanks for the help.
Cheers
dave
05-27-2011 01:01 PM
Glad I could help ;-)
Thank you.
Federico.