01-19-2009 03:10 AM
I have configured a site-to-site VPN connection between 2 of my offices and also have a customer VPN connection from one of my office locations.
Site A --> Site B --> Inter office VPN
Site B --> Customer Site --> VPN connection
I want to configure Site A to Customer site to connect to servers via Site B.
For the Site B to Customer site VPN connection I have configured only outbound connections, and the customer cannot connect to our LAN, i.e. all our traffic goes with a NAT address to connect to the customer servers.
I have tried some configuration but I can not connect to customer servers from Site A.
I would appreciate it if anyone could help with this issue.
Thanks,
Chandru
01-19-2009 05:54 AM
Do you have a Cisco PIX, ASA or an IOS router?
With the PIX I don't think it's possible, it cannot route traffic that terminates on the same interface.
For the ASA I think it's possible, I actually logged in here to ask a similar question.
01-19-2009 11:23 PM
I have a Cisco ASA and tried configuring it, but no luck.
01-20-2009 11:07 PM
Have you tried this?
To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.
All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse the security appliance.
Examples
The following example shows how to enable the same-security interface communication:
hostname(config)# same-security-traffic permit inter-interface
The following example shows how to enable traffic to enter and exit the same interface:
hostname(config)# same-security-traffic permit intra-interface
01-21-2009 01:24 AM
I have already tried this.
I opened a TAC case and solved the issue.
01-21-2009 04:58 AM
Ok! :)
01-21-2009 04:57 AM
This is my scenario, but it should match your environment pretty well.
192.168.40.0/24 = Main office (Site B)
192.168.50.0/24 = VPN Client Pool (Site A)
192.168.0.0/25 = External office (Site Customer)
Configured the ipsec vpn client network (Site A) to reach the external office (Site Customer), which is an ipsec tunnel terminating in the main office network (Site B):
access-list acl_split_vpnclient standard permit 192.168.0.0 255.255.255.0
Configured to route traffic on the same interface:
same-security-traffic permit intra-interface
Configured the vpn client network (Site A) as an ipsec tunnel to (Site B):
access-list acl_vpn_malmo extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0
Configured a no-nat rule for the vpn client:
access-list acl_nonat_inside extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0
Configured the ipsec tunnel at the external office (Site Customer) to the main office for the vpn client network:
access-list acl_nonat_inside extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list acl_vpn_sthlm extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
C:\>ping 192.168.0.54
Skickar signaler till 192.168.0.54 med 32 byte data:
Svar från 192.168.0.54: byte=32 tid=22ms TTL=128
Svar från 192.168.0.54: byte=32 tid=21ms TTL=128
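The fragments in the post above, assembled into one coherent hairpin configuration as an added example (not the poster's own full config, and not from Cisco). It assumes ASA 7.x/8.0-style NAT syntax, a /24 for the customer LAN as the posted ACLs use, and constructed peer addresses, transform-set and tunnel names; IKE policy, tunnel-group pre-shared keys and the client tunnel-group are assumed to exist already.

```text
! ---- Site B ASA (main office 192.168.40.0/24 on "inside", client pool 192.168.50.0/24) ----
! Let traffic that arrives on "outside" from the VPN client leave "outside" again into the L2L tunnel
same-security-traffic permit intra-interface

! Split tunnel: clients send only the Site B LAN and the customer LAN through the tunnel
access-list acl_split_vpnclient standard permit 192.168.40.0 255.255.255.0
access-list acl_split_vpnclient standard permit 192.168.0.0 255.255.255.0

! NAT exemption. Inside: Site B LAN -> customer. Outside: client pool -> customer, so the
! hairpinned client traffic keeps its pool address instead of the outbound NAT address
access-list acl_nonat_inside extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list acl_nonat_outside extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list acl_nonat_inside
nat (outside) 0 access-list acl_nonat_outside

! Crypto ACL for the Site B <-> customer tunnel: the client pool must be "interesting" traffic too
access-list acl_vpn_customer extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list acl_vpn_customer extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address acl_vpn_customer
crypto map outside_map 10 set peer 203.0.113.10          ! constructed customer peer address
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! VPN client pool and group policy that applies the split-tunnel list
ip local pool vpnclient_pool 192.168.50.1-192.168.50.254
group-policy vpnclient_policy internal
group-policy vpnclient_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_split_vpnclient

! ---- Site Customer ASA (192.168.0.0/24 on "inside") ----
! Mirror image: crypto ACL and NAT exemption must both list the client pool as a destination,
! otherwise return traffic to 192.168.50.x is not matched into the tunnel (asymmetric path)
access-list acl_nonat_inside extended permit ip 192.168.0.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list acl_nonat_inside extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list acl_nonat_inside
access-list acl_vpn_siteb extended permit ip 192.168.0.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list acl_vpn_siteb extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto map outside_map 10 match address acl_vpn_siteb
crypto map outside_map 10 set peer 198.51.100.20         ! constructed Site B peer address
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
```

After applying it, "show crypto ipsec sa" on both ASAs should list an SA whose local/remote identities include 192.168.50.0/24; if only the 192.168.40.0/24 pair appears, the pool is missing from one side's crypto ACL.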