[c-nsp] asa 5510, remote access vpn, resources across lan-to-lan

Steve Housego Steve.Housego at itps.co.uk
Mon Sep 1 17:41:53 EDT 2014

You will need to add the source/dest networks in the crypto maps,
configure your split tunnelling (if you're not tunnelling all networks),
configure your nat exempt (outside,outside), and as John has mentioned
same-security-traffic permit intra-interface.

You may need to put in an ACL as well if you're not bypassing interface
ACLs in your VPN config.


-----Original Message-----
From: John Kougoulos <john.kougoulos at gmail.com>
Date: Monday, 1 September 2014 16:24
To: ryanL <ryan.landry at gmail.com>
Cc: "cisco-nsp at puck.nether.net NSP" <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] asa 5510, remote access vpn, resources across
Resent-From: Steve Housego <Steve.Housego at it-ps.com>

>it could be nat but this depends on your routing config. It could also be
>that this command is required:
>same-security-traffic permit intra-interface
>On Mon, Sep 1, 2014 at 4:57 PM, ryanL <ryan.landry at gmail.com> wrote:
>> hi,
>> i'm hopefully going to find someone who's done this before, or who has
>> better google-fu than me. asa is not my strong suit.
>> i have users vpn'ing (ipsec) into one 5510, accessing various corp
>> resources there. the vpn pool isn't routed - i just nat it to one of the
>> various inside interfaces depending on which vlan they're trying to hit.
>> works fine.
>> that particular 5510 has a l-2-l ipsec to a different 5510, which also
>> its own inside resources. if i vpn into it directly, i can hit those
>> resources no problem.
>> the question is - how do i get the vpn users hitting the first 5510 to
>> reach the resources behind the second 5510?
>> i know i'm close, as i'm at least triggering the l-2-l tunnel to be
>> when vpn'd into the first 5510 and trying to reach the second 5510's
>> resources. i'm just missing some nat, or something...
>> appreciated.
>> ryan


Steve Housego
Principal Consultant

IT Professional Services
Axwell House
Waterside Drive
Metrocentre East Business Park
Tyne & Wear NE11 9HU

T. 0191 442 8300
F. 0191 442 8301

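The items listed in the reply at the top of this message, sketched as an added example for the first 5510; this is not configuration posted by anyone in the thread. It assumes ASA 8.3 or later NAT syntax and an existing lan-to-lan crypto map, and every object name, ACL name, group-policy name and address below is a constructed placeholder.

```cisco
! Constructed placeholders: VPN pool 10.99.0.0/24, LAN behind the second
! 5510 10.20.0.0/24, names VPN_POOL, REMOTE_LAN, L2L_CRYPTO, SPLIT_TUNNEL,
! RA_POLICY, OUTSIDE_IN. Assumes ASA 8.3+ NAT syntax.

object network VPN_POOL
 subnet 10.99.0.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.20.0.0 255.255.255.0

! 1. Crypto map: add the pool-to-remote-LAN pair to the ACL that the
!    existing lan-to-lan crypto map entry matches (named L2L_CRYPTO here).
!    The second 5510 needs the mirror entry (REMOTE_LAN to VPN_POOL).
access-list L2L_CRYPTO extended permit ip object VPN_POOL object REMOTE_LAN

! 2. Split tunnelling: only needed when clients do not tunnel all networks.
!    Add the remote LAN to the list pushed to the VPN clients.
access-list SPLIT_TUNNEL standard permit 10.20.0.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 3. NAT exemption (identity NAT) for traffic that both enters and leaves
!    on the outside interface, so the pool is not translated before it is
!    matched against the crypto ACL.
nat (outside,outside) source static VPN_POOL VPN_POOL destination static REMOTE_LAN REMOTE_LAN

! 4. Allow traffic to enter and exit the same interface (hairpin).
same-security-traffic permit intra-interface

! 5. Only when interface ACLs are not bypassed for VPN traffic
!    ("no sysopt connection permit-vpn"): permit the flow in the ACL
!    already applied inbound on outside (named OUTSIDE_IN here).
access-list OUTSIDE_IN extended permit ip object VPN_POOL object REMOTE_LAN
```

With a client connected and sending traffic to the remote LAN, `show crypto ipsec sa` on both units should list an SA for the pool-to-remote-LAN pair with encaps and decaps counters both increasing.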