Solved

VPN client tunnel traffic traversing l2l tunnel

Posted on 2007-11-30
4
765 Views
Last Modified: 2011-10-03
I am trying to set up my ASA so client VPN traffic traverses a l2l tunnel to another firewall.  I know this wasn't possible on a PIX but was told this could be done on an ASA but can't find any documentation on how to do it.  It seems just putting in the proper acl lines for the tunnel and nonat lists won't do it alone.
0
Question by:RolandCT
4 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 20386574
Yes, you can do this...I've done it before.  Here's a section of code that should get you going.

In the code snippet, the following values are used:

x.x.x.x is the public IP address of the tunnel peer device for the L2L tunnel.
192.168.100.1-254 is the VPN pool of addresses
172.16.100.0/24 is the remote network on the other end of the L2L tunnel

I didn't include the code used for the setup of the remote access VPN tunnel, but you should be able to incorporate the code below into your existing configuration.
! Exempt VPN-pool-to-remote traffic from NAT (nat 0 / nonat)
access-list outside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
! Interesting traffic for the L2L tunnel: VPN pool -> remote network
access-list outside_cryptomap_20 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
! Address pool handed to remote access VPN clients
ip local pool vpnpool 192.168.100.1-192.168.100.254 mask 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound

! L2L crypto map entry toward the peer x.x.x.x
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800


0
 

Author Comment

by:RolandCT
ID: 20395914
I have the equivalent of those lines in my config but it still is not working.  I have the vpn client traffic being nonat'ed and specified in the vpn tunnel access list.  I was under the assumption there was an additional command to allow this vpn tunnel through vpn tunnel traffic to happen.
0
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 20396076
Oops... yes, there is:

same-security-traffic permit intra-interface

Sorry about that...
0
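The thread boils down to three conditions on the ASA config: the client pool must be exempt from NAT toward the remote network, the pool must be in the L2L crypto ACL, and `same-security-traffic permit intra-interface` must be present so traffic can enter and leave the same outside interface. The audit script below is an added example (not code from the thread, from Cisco, or from any ASA tool); it parses a text dump in the syntax shown above and reports which of the three conditions fail. It assumes the `access-list ... extended permit ip` / `ip local pool` / `nat (if) 0 access-list` / `crypto map ... match address` line formats from the post and ignores everything else; the embedded config and the function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample config: the snippet from the thread plus the command
# the accepted answer adds. "x.x.x.x" is the peer placeholder from the post.
SAMPLE_CONFIG = """
access-list outside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
ip local pool vpnpool 192.168.100.1-192.168.100.254 mask 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.x
same-security-traffic permit intra-interface
"""

# Only the line shapes used in the thread are recognised (assumption).
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
HAIRPIN = "same-security-traffic permit intra-interface"


def parse_config(text):
    """Collect ACL entries, client pools, nat0 ACL names, crypto ACL names and the hairpin flag."""
    acls = {}        # acl name -> [(src_network, dst_network), ...]
    pools = {}       # pool name -> (first_address, last_address)
    nat0_acls = set()
    crypto_acls = set()
    hairpin = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == HAIRPIN:
            hairpin = True
            continue
        m = ACL_RE.match(line)
        if m:
            name, src, src_mask, dst, dst_mask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{src_mask}", strict=False),
                ipaddress.ip_network(f"{dst}/{dst_mask}", strict=False)))
            continue
        m = POOL_RE.match(line)
        if m:
            name, first, last, _mask = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0_acls.add(m.group(2))
            continue
        m = MAP_RE.match(line)
        if m:
            crypto_acls.add(m.group(3))
    return {"acls": acls, "pools": pools, "nat0_acls": nat0_acls,
            "crypto_acls": crypto_acls, "hairpin": hairpin}


def _covers(entries, first, last, remote):
    # A pool range is covered when both ends fall inside one contiguous source
    # network and the remote network is inside that entry's destination.
    return any(first in src and last in src and remote.subnet_of(dst)
               for src, dst in entries)


def audit_hairpin(text, remote_network):
    """Return a list of findings; an empty list means all three conditions hold."""
    cfg = parse_config(text)
    remote = ipaddress.ip_network(remote_network)
    findings = []
    if not cfg["hairpin"]:
        findings.append(f"missing: {HAIRPIN}")
    if not cfg["pools"]:
        findings.append("no 'ip local pool' found for VPN clients")
    for pool_name, (first, last) in cfg["pools"].items():
        for label, names in (("nat0", cfg["nat0_acls"]), ("crypto map", cfg["crypto_acls"])):
            entries = [e for n in names for e in cfg["acls"].get(n, [])]
            if not _covers(entries, first, last, remote):
                findings.append(f"pool {pool_name} not covered by any {label} access-list toward {remote}")
    return findings


if __name__ == "__main__":
    for finding in audit_hairpin(SAMPLE_CONFIG, "172.16.100.0/24") or ["OK"]:
        print(finding)
```

The remote network is passed in rather than inferred, because a real config usually carries several L2L crypto ACLs and the auditor should state which remote site the clients are supposed to reach.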
 

Author Comment

by:RolandCT
ID: 20396134
OK, I will try that and let you know.

Thank you,
0
