
VPN Client + Site-to-Site VPN

Jorge Riaza
Level 1

Hello all,

I have one ASA 5510 with a site-to-site VPN connected to a branch office with an ASA 5505.

One of the ASAs is connected to the internal network 172.16.0.0 (main office with the ASA 5510) and has a VPN pool ("remote_VPN_Users" address-pool with 192.168.15.0). The group-policy applied is called Remote-users.

The other one is connected to 10.3.0.0.

I would like to know if it is possible for a client connected with the VPN Client to access the network 10.3.0.0 (remote site) through the site-to-site VPN, and how I can accomplish this by GUI; I'm not good with CLI...

Thanks in advance!

P.S.: Main office ASA version: 8.2, branch office: 8.4

1 Reply 1

pjain2
Cisco Employee

Hi Jorge,

Yes, this can be achieved, and it is called u-turning.

You need the config below for this:

1. Make sure you have 10.3.0.0 in the split-tunneling ACL.

2. You need to have traffic from 192.168.15.0/24 to 10.3.0.0/16 in the crypto ACL on both ASAs.

3. You need NAT exemption on the main office from outside to outside for the AnyConnect pool to the remote subnet, for example:

    nat (outside) 0 access-list nonat
    access-list nonat permit ip 192.168.15.0 255.255.255.0 10.3.0.0 255.255.0.0

4. On the branch office, you need NAT exemption for the traffic from 10.3.0.0/16 to 192.168.15.0/24.
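
The four steps in the reply above, written out as one configuration sketch for both ASAs; this is an added example, not part of the original reply. The ACL names SPLIT_TUNNEL and S2S_CRYPTO, the object names BRANCH_LAN and VPN_POOL, the interface names inside/outside, and the same-security-traffic line are assumptions that do not appear in the thread.

```text
! ---- Main office ASA 5510 (8.2) ----
! Assumption, not in the reply: let traffic enter and leave the same
! interface (outside), which u-turning depends on.
same-security-traffic permit intra-interface

! Step 1: branch subnet in the split-tunnel ACL of group policy Remote-users.
! SPLIT_TUNNEL is an assumed name; if the policy already references a
! split-tunnel ACL, add the permit line to that ACL instead.
access-list SPLIT_TUNNEL standard permit 10.3.0.0 255.255.0.0
group-policy Remote-users attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Step 2: VPN pool -> branch subnet in the crypto ACL that the site-to-site
! crypto map matches (S2S_CRYPTO is an assumed name).
access-list S2S_CRYPTO extended permit ip 192.168.15.0 255.255.255.0 10.3.0.0 255.255.0.0

! Step 3: NAT exemption, outside to outside (pre-8.3 syntax, as in the reply).
access-list nonat extended permit ip 192.168.15.0 255.255.255.0 10.3.0.0 255.255.0.0
nat (outside) 0 access-list nonat

! ---- Branch office ASA 5505 (8.4) ----
! Step 2, mirrored: branch subnet -> VPN pool in the branch crypto ACL.
access-list S2S_CRYPTO extended permit ip 10.3.0.0 255.255.0.0 192.168.15.0 255.255.255.0

! Step 4: NAT exemption in 8.3+ syntax (identity twice NAT).
! Interface names inside/outside are assumed.
object network BRANCH_LAN
 subnet 10.3.0.0 255.255.0.0
object network VPN_POOL
 subnet 192.168.15.0 255.255.255.0
nat (inside,outside) source static BRANCH_LAN BRANCH_LAN destination static VPN_POOL VPN_POOL
```

Once a VPN client sends traffic to 10.3.0.0/16, `show crypto ipsec sa` on both ASAs should list a security association for 192.168.15.0/24 and 10.3.0.0/16; the two crypto ACL entries must mirror each other for that SA to negotiate.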