[c-nsp] asa 5510, remote access vpn, resources across lan-to-lan

ryanL ryan.landry at gmail.com
Tue Sep 2 20:32:18 EDT 2014


steinar, that was exactly the document i was googling for and could not
find. you've solved my 3-day long problem with one simple email. greatly
appreciated to you, and to the other gents who replied.

cheers,

ryan


On Tue, Sep 2, 2014 at 10:51 AM, Rimestad, Steinar <Steinar.Rimestad at altibox.no> wrote:

> You need to do NAT hairpinning with NAT(outside,outside) statement for
> your remote access users to bounce back over the L2L VPN.
>
> Depending on your ASA version (pre or post 8.3 with the different NAT
> engines) I think you can use the following guides:
>
> >=8.3
> http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/
>
> <=8.2:
> http://www.networking-forum.com/blog/?p=1038
>
> Regards,
> Steinar
>
>
>
> On 01/09/14 23:41, "Steve Housego" <Steve.Housego at itps.co.uk> wrote:
>
> >You will need to add the source/dest networks in the crypto maps,
> >configure your split tunnelling (if you're not tunnelling all networks),
> >configure your nat exempt (outside,outside), and as John has mentioned
> >same-security-traffic permit intra-interface.
> >
> >You may need to put in an ACL as well if you're not bypassing interface
> >ACLs in your VPN config.
> >
> >SteveH
> >
> >-----Original Message-----
> >From: John Kougoulos <john.kougoulos at gmail.com>
> >Date: Monday, 1 September 2014 16:24
> >To: ryanL <ryan.landry at gmail.com>
> >Cc: "cisco-nsp at puck.nether.net NSP" <cisco-nsp at puck.nether.net>
> >Subject: Re: [c-nsp] asa 5510, remote access vpn, resources across
> >lan-to-lan
> >Resent-From: Steve Housego <Steve.Housego at it-ps.com>
> >
> >>Hi,
> >>
> >>it could be nat but this depends on your routing config. It could also be
> >>that this command is required:
> >>same-security-traffic permit intra-interface
> >>
> >>Regards,
> >>John
> >>
> >>
> >>On Mon, Sep 1, 2014 at 4:57 PM, ryanL <ryan.landry at gmail.com> wrote:
> >>
> >>> hi,
> >>>
> >>> i'm hopefully going to find someone who's done this before, or who has
> >>> better google-fu than me. asa is not my strong suit.
> >>>
> >>> i have users vpn'ing (ipsec) into one 5510, accessing various corp
> >>> resources there. the vpn pool isn't routed - i just nat it to one of the
> >>> various inside interfaces depending on which vlan they're trying to hit.
> >>> works fine.
> >>>
> >>> that particular 5510 has a l-2-l ipsec to a different 5510, which also has
> >>> its own inside resources. if i vpn into it directly, i can hit those inside
> >>> resources no problem.
> >>>
> >>> the question is - how do i get the vpn users hitting the first 5510 to
> >>> reach the resources behind the second 5510?
> >>>
> >>> i know i'm close, as i'm at least triggering the l-2-l tunnel to be setup
> >>> when vpn'd into the first 5510 and trying to reach the second 5510's
> >>> resources. i'm just missing some nat, or something...
> >>>
> >>> appreciated.
> >>>
> >>> ryan
> >>> _______________________________________________
> >>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>>
> >
> >Steve Housego
> >Principal Consultant
> >IT Professional Services
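Pulling the thread's advice together as one configuration, as an added example that is not from any of the posters or from the guides Steinar linked. It assumes ASA 8.3+ (the twice-NAT engine), an address pool 10.200.0.0/24 for the remote-access users on the first ASA ("ASA-A"), a LAN 192.168.20.0/24 behind the second ASA ("ASA-B"), an existing crypto map OUTSIDE_MAP sequence 10 for the L2L, a remote-access group policy RA-POLICY, and the ACL names shown; every one of those names and addresses is invented for illustration and would be replaced with the real ones.

```cisco
! Added example, not configuration from the thread. ASA 8.3+ syntax.
! Assumed values (replace with yours):
!   VPN-POOL    10.200.0.0/24    address pool handed to remote-access users on ASA-A
!   REMOTE-LAN  192.168.20.0/24  LAN behind ASA-B, reached over the existing L2L
!   OUTSIDE_MAP seq 10           the existing crypto map entry for the L2L to ASA-B
!   RA-POLICY                    the remote-access group policy

! 1. Allow a flow to enter and leave the same interface (the "u-turn" on outside).
same-security-traffic permit intra-interface

object network VPN-POOL
 subnet 10.200.0.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.20.0 255.255.255.0

! 2. Identity ("exempt") NAT on the outside,outside path. Source and destination
!    are mapped to themselves, so the pool address stays intact on the way back
!    out of outside. Without this the existing pool-to-inside NAT (or any
!    dynamic outside NAT) rewrites the source, the packet no longer matches
!    the crypto ACL and never enters the L2L.
nat (outside,outside) source static VPN-POOL VPN-POOL destination static REMOTE-LAN REMOTE-LAN

! 3. Make pool -> remote LAN "interesting" traffic for the L2L. ASA-B must carry
!    the mirror image (192.168.20.0/24 -> 10.200.0.0/24) in its crypto ACL and
!    its own NAT exemption for that pair, or phase 2 will not negotiate.
access-list L2L-TO-SITEB extended permit ip object VPN-POOL object REMOTE-LAN
crypto map OUTSIDE_MAP 10 match address L2L-TO-SITEB

! 4. Split tunnelling: the client only sends 192.168.20.0/24 into the RA tunnel
!    if that prefix is in the split list. Not needed when tunnelling everything.
access-list SPLIT-TUNNEL standard permit 192.168.20.0 255.255.255.0
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 5. Only when decrypted VPN traffic does NOT bypass interface ACLs
!    ("no sysopt connection permit-vpn"): permit the hairpinned flow on outside.
!    Return traffic rides the existing connection, so one direction suffices.
access-list OUTSIDE-IN extended permit ip object VPN-POOL object REMOTE-LAN
access-group OUTSIDE-IN in interface outside

! Verification (run from exec mode):
!   packet-tracer input outside icmp 10.200.0.5 8 0 192.168.20.10
!     -> the NAT phase should hit the outside,outside identity rule and the
!        trace should end in VPN encrypt, not DROP and not the pool-to-inside rule.
!   show nat
!   show crypto ipsec sa peer <ASA-B outside address>

! Pre-8.3 equivalent of step 2 (old NAT engine, "nat 0" exemption on outside):
!   access-list NAT0-OUTSIDE extended permit ip 10.200.0.0 255.255.255.0 192.168.20.0 255.255.255.0
!   nat (outside) 0 access-list NAT0-OUTSIDE
```

Two practical caveats. Manual (twice) NAT rules are evaluated top down in section 1, so if the pool already has a broader manual rule, give the identity rule a lower line number (`nat (outside,outside) 1 source static ...`) so it is matched first; `show nat` prints the rules in evaluation order and the hit counts tell you which one the packet took. And because the pool addresses are now presented unchanged to ASA-B, the remote side treats them like any other L2L source: its interface ACLs, NAT exemption and crypto ACL all have to know about 10.200.0.0/24, not only about ASA-A's inside subnets.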