Any Cisco ASA Bods on here


JamieBeeston

Original Poster:

9,294 posts

266 months

Thursday 15th July 2010
I have a semi-complex VPN query that I need to bounce off someone, as my Cisco geek is on holiday in NZ at present.

Trying to allow a remote access dial-in VPN to route to a remote internal network the other side of a lan-2-lan VPN that terminates on the same ASA and want to check

a) if it's actually possible
b) buy someone a beer if they can give me enough pointers to get it to work wink

Cheers
J

royceybaby

264 posts

192 months

Thursday 15th July 2010
We have a setup here with ASA at site A and ASA at Site B linked via a site to site VPN.

Our users make a client VPN connection to the ASA at Site A and can access Site B via the site to site VPN.

If I remember correctly the command we needed was:

same-security-traffic permit intra-interface

Hope that is of some help to you.

Royce

Ash 996 GT2

3,836 posts

242 months

Thursday 15th July 2010
I can do that for you.

YHM

JamieBeeston

Original Poster:

9,294 posts

266 months

Thursday 15th July 2010
royceybaby said:
We have a setup here with ASA at site A and ASA at Site B linked via a site to site VPN.

Our users make a client VPN connection to the ASA at Site A and can access Site B via the site to site VPN.

If I remember correctly the command we needed was:

same-security-traffic permit intra-interface

Hope that is of some help to you.

Royce
Already tried same-security-traffic permit intra-interface last night - still didn't work, but I'm sure there is something simple I'm missing.

Ash - will drop you a mail.

Ash 996 GT2

3,836 posts

242 months

Thursday 15th July 2010
royceybaby said:
We have a setup here with ASA at site A and ASA at Site B linked via a site to site VPN.

Our users make a client VPN connection to the ASA at Site A and can access Site B via the site to site VPN.

If I remember correctly the command we needed was:

same-security-traffic permit intra-interface

Hope that is of some help to you.

Royce
That won't work, sorry.

Intra-interface is to allow traffic to enter and leave the same interface. Useful if you want to dog-leg VPN traffic from one remote site to another remote site via the central ASA.

When you do the above, you also need to ensure that you re-encrypt the traffic at the ASA, e.g. remote site A is 10.1.1.0/24, remote site B is 10.2.1.0/24, HQ is 192.168.1.0/24. The ASA will decrypt 10.1.1.0; the ASA must then re-encrypt to send it to 10.2.1.0/24, and vice versa.

There is also inter-interface, used to allow, for example, DMZ1 to DMZ2 regardless of the security setting of each interface.

Hope that helps.
Ash 996 GT2

3,836 posts

242 months

Thursday 15th July 2010
JamieBeeston said:
royceybaby said:
We have a setup here with ASA at site A and ASA at Site B linked via a site to site VPN.

Our users make a client VPN connection to the ASA at Site A and can access Site B via the site to site VPN.

If I remember correctly the command we needed was:

same-security-traffic permit intra-interface

Hope that is of some help to you.

Royce
Already tried same-security-traffic permit intra-interface last night - still didn't work, but I'm sure there is something simple I'm missing.

Ash - will drop you a mail.
Jamie, a diagram will do.

If you want I can SSH on and do the config for you, or, we can use goto assist, that way you can see what I do.

JamieBeeston

Original Poster:

9,294 posts

266 months

Thursday 15th July 2010
Hi Ash,

Dropped you a VoiceMail and email.

Ultimately, I want all users at all l2l VPNs to be able to see each others internal networks, and any Remote VPN users to also be able to see any l2l connected internal network.

Sounds easy in my head wink

Cheers.
J

Ash 996 GT2

3,836 posts

242 months

Friday 16th July 2010
royceybaby said:
We have a setup here with ASA at site A and ASA at Site B linked via a site to site VPN.

Our users make a client VPN connection to the ASA at Site A and can access Site B via the site to site VPN.

If I remember correctly the command we needed was:

same-security-traffic permit intra-interface

Hope that is of some help to you.

Royce
You are correct, my apologies.

The only thing left to do is re-encrypt the traffic: source Site A to destination Site B, as it hits the ASA it is decrypted. To send it from Site A to Site B it needs to re-encrypt.

Job done smile
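Putting the two answers together, here is an added configuration sketch (not from anyone in this thread) for the HQ ASA, showing the intra-interface permit plus the "re-encrypt" part, which in practice means the L2L crypto ACL must treat remote-access pool traffic as interesting and NAT must leave it alone. It assumes ASA 8.3 syntax, the site B network 10.2.1.0/24 and HQ 192.168.1.0/24 from the thread, and a made-up remote-access pool 172.16.50.0/24; the site B peer's mirror crypto ACL must also include the pool.

```text
! allow hairpinning: decrypted VPN traffic may leave the same outside interface it came in on
same-security-traffic permit intra-interface

! remote-access client address pool (constructed value, not from the thread)
ip local pool RA-POOL 172.16.50.1-172.16.50.100 mask 255.255.255.0

object network HQ-LAN
 subnet 192.168.1.0 255.255.255.0
object network SITEB-LAN
 subnet 10.2.1.0 255.255.255.0
object network RA-POOL-NET
 subnet 172.16.50.0 255.255.255.0

! interesting traffic for the HQ <-> Site B tunnel: the pool must be listed,
! otherwise the decrypted client packets are never re-encrypted towards Site B
access-list L2L-SITEB extended permit ip 192.168.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list L2L-SITEB extended permit ip 172.16.50.0 255.255.255.0 10.2.1.0 255.255.255.0

! split-tunnel list for the remote-access clients includes Site B, not just HQ
access-list RA-SPLIT standard permit 192.168.1.0 255.255.255.0
access-list RA-SPLIT standard permit 10.2.1.0 255.255.255.0

! NAT exemption for the hairpinned outside->outside flow so real addresses match the crypto ACL
nat (outside,outside) source static RA-POOL-NET RA-POOL-NET destination static SITEB-LAN SITEB-LAN

! L2L crypto map entry; peer address is a placeholder
crypto map OUTSIDE-MAP 10 match address L2L-SITEB
crypto map OUTSIDE-MAP 10 set peer <SITE-B-PEER-IP>
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
```

After a client connects, `show crypto ipsec sa peer <SITE-B-PEER-IP>` should show an SA for 172.16.50.0/24 <-> 10.2.1.0/24 with encaps/decaps counters moving; if only the 192.168.1.0/24 SA exists, the pool is missing from one side's crypto ACL or is being NATed.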