[c-nsp] asa 5510, remote access vpn, resources across lan-to-lan

Rimestad, Steinar Steinar.Rimestad at altibox.no
Tue Sep 2 10:51:58 EDT 2014

You need to do NAT hairpinning with NAT(outside,outside) statement for
your remote access users to bounce back over the L2L VPN.

Depending on your ASA version (pre or post 8.3 with the different NAT
engines) I think you can use the following guides:




On 01/09/14 23:41, "Steve Housego" <Steve.Housego at itps.co.uk> wrote:

>You will need to add the source/dest networks in the crypto maps,
>configure your split tunnelling (if your not tunnelling all networks),
>configure your nat exempt (outside,outside), and as john has mentioned
>same-security-traffic permit intra-interface.
>You may need to put in an ACL as well if your not bypassing interface
>ACL¹s in your VPN config.
>-----Original Message-----
>From: John Kougoulos <john.kougoulos at gmail.com>
>Date: Monday, 1 September 2014 16:24
>To: ryanL <ryan.landry at gmail.com>
>Cc: "cisco-nsp at puck.nether.net NSP" <cisco-nsp at puck.nether.net>
>Subject: Re: [c-nsp] asa 5510, remote access vpn, resources across
>Resent-From: Steve Housego <Steve.Housego at it-ps.com>
>>it could be nat but this depends on your routing config. It could also be
>>that this command is required:
>>same-security-traffic permit intra-interface
>>On Mon, Sep 1, 2014 at 4:57 PM, ryanL <ryan.landry at gmail.com> wrote:
>>> hi,
>>> i'm hopefully going to find someone who's done this before, or who has
>>> better google-fu than me. asa is not my strong suit.
>>> i have users vpn'ing (ipsec) into one 5510, accessing various corp
>>> resources there. the vpn pool isn't routed - i just nat it to one of
>>> various inside interfaces depending on which vlan they're trying to
>>> works fine.
>>> that particular 5510 has a l-2-l ipsec to a different 5510, which also
>>> its own inside resources. if i vpn into it directly, i can hit those
>>> resources no problem.
>>> the question is - how do i get the vpn users hitting the first 5510 to
>>> reach the resources behind the second 5510?
>>> i know i'm close, as i'm at least triggering the l-2-l tunnel to be
>>> when vpn'd into the first 5510 and trying to reach the second 5510's
>>> resources. i'm just missing some nat, or something...
>>> appreciated.
>>> ryan
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>"Helping Your ICT Budget Deliver to its Maximum Potential"
>Steve Housego
>Principal Consultant
>IT Professional Services
>Axwell House
>Waterside Drive
>Metrocentre East Business Park
>Tyne & Wear NE11 9HU
>T. 0191 442 8300
>F. 0191 442 8301
>Steve.Housego at itps.co.uk<mailto:Steve.Housego at itps.co.uk>
>Check out our new website at www.it-ps.com <http://www.it-ps.com/> and
>see how we can help your IT budget deliver more for less.
>Company No. 3930001<tel:3930001> registered in England
>VAT No. 734 1935 33<tel:734%201935%2033>
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list