
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 502

ASA Remote VPN access to second office site

I am guessing this is a simple answer to a simple question. I currently have an ASA firewall at my remote datacenter, which has remote VPN clients dialed into it. At my office, I have a Netscreen 25 with a site-to-site VPN set up between the ASA at the datacenter and the office. So, let's say this:

Remote Clients:

I am able to traverse the VPN between the two sites from servers on the inside interface of the ASA to servers/workstations on the inside interface of the office. What I am having a problem with is remote clients using the Cisco VPN client, connecting to the VPN on the ASA, cannot access servers at the office through the site-to-site VPN. Is this even possible?
1 Solution
Pete Long (Consultant) commented:
Cisco Hair pinning

To VPN into a security appliance (Cisco PIX or ASA) and then come back out of that appliance to another site via VPN is called hairpinning. To do it you need a PIX/ASA that is running version 7.0(1) or above. That means you cannot do it on a PIX 501 or 506E.
To enable this on your firewall, simply add the following line:

same-security-traffic permit intra-interface
malken00 (Author) commented:
Already have that line in there... :(

The ASA is v8.0(2)
Yes it's possible. You have to add the interesting traffic to your crypto acls on the ASA and the Netscreen.

For example you would have to add this to your ASA...

access-list <crypto_acl> extended permit ip
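Both prerequisites raised in this thread, the intra-interface permit and a crypto ACL entry that declares remote-client-pool-to-office traffic as interesting, can be checked mechanically against a running-config dump. The Python below is an added example, not code from this thread or from Cisco; the config excerpt, pool name, ACL name and subnets are constructed, and the Netscreen side still needs the mirrored proxy-ID as the answer says.

```python
import ipaddress
import re

# Constructed ASA running-config excerpt for this example (not from the question).
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
ip local pool VPNPOOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
access-list OFFICE_L2L extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.255.0
access-list OFFICE_L2L extended permit ip 192.168.50.0 255.255.255.0 10.20.0.0 255.255.255.0
"""
ADDR = r"(any|host \S+|\S+ \S+)"
ACE_RE = re.compile(rf"^access-list (\S+) extended permit ip {ADDR} {ADDR}$", re.M)
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", re.M)

def _to_network(token):
    """Turn an ASA address token ('any', 'host A.B.C.D', 'NET MASK') into an ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    net, mask = token.split()
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)

def has_intra_interface(config):
    """Hairpinning needs traffic allowed to enter and leave the same (outside) interface."""
    return any(line.strip() == "same-security-traffic permit intra-interface" for line in config.splitlines())

def vpn_pools(config):
    """Networks covering each 'ip local pool' (pool start address with the pool mask)."""
    return [ipaddress.ip_network(f"{s}/{m}", strict=False) for s, m in POOL_RE.findall(config)]

def crypto_acl_covers(config, acl_name, src, dst):
    """True if some ACE in acl_name permits all of src -> dst as interesting traffic."""
    return any(name == acl_name and src.subnet_of(_to_network(s)) and dst.subnet_of(_to_network(d))
               for name, s, d in ACE_RE.findall(config))

def hairpin_problems(config, acl_name, office_net):
    """List what is missing for remote-access clients to reach office_net over the L2L tunnel."""
    office = ipaddress.ip_network(office_net)
    problems = []
    if not has_intra_interface(config):
        problems.append("missing: same-security-traffic permit intra-interface")
    for pool in vpn_pools(config):
        if not crypto_acl_covers(config, acl_name, pool, office):
            problems.append(f"crypto ACL {acl_name} lacks {pool} -> {office}")
    return problems

print(hairpin_problems(SAMPLE_CONFIG, "OFFICE_L2L", "10.20.0.0/24"))  # prints [] when ready
```

Feed it the output of "show running-config" and the name of the crypto ACL bound to the office tunnel; an empty list means the ASA side of the thread's advice is in place.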
