  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 770

VPN client tunnel traffic traversing l2l tunnel

I am trying to set up my ASA so client VPN traffic traverses an l2l tunnel to another firewall.  I know this wasn't possible on a PIX but was told this could be done on an ASA but can't find any documentation on how to do it.  It seems just putting in the proper acl lines for the tunnel and nonat lists won't do it alone.
1 Solution
 
batry_boy commented:
Yes, you can do this...I've done it before.  Here's a section of code that should get you going.

In the code snippet, the following values are used:

x.x.x.x is the public IP address of the tunnel peer device for the L2L tunnel.
192.168.100.1-254 is the VPN pool of addresses
172.16.100.0/24 is the remote network on the other end of the L2L tunnel

I didn't include the code used for the setup of the remote access VPN tunnel, but you should be able to incorporate the code below into your existing configuration.
! NAT exemption: VPN pool -> remote L2L network must not be translated
access-list outside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
! Interesting traffic for the L2L tunnel: VPN pool -> remote L2L network
access-list outside_cryptomap_20 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
! Address pool handed out to remote-access VPN clients
ip local pool vpnpool 192.168.100.1-192.168.100.254 mask 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
 
! L2L crypto map entry pointing at the remote peer
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800

RolandCT (Author) commented:
I have the equivalent of those lines in my config but it still is not working.  I have the vpn client traffic being nonat'ed and specified in the vpn tunnel access list.  I was under the assumption there was an additional command to allow this vpn tunnel through vpn tunnel traffic to happen.
batry_boy commented:
Oops..yes, there is:

same-security-traffic permit intra-interface

Sorry about that...
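The two answers above together describe three things the ASA needs before client VPN traffic can hairpin into the L2L tunnel: a nat 0 exemption covering pool-to-remote traffic, a crypto map ACL covering the same traffic, and same-security-traffic permit intra-interface. The script below is an added example (not from the thread or from Cisco) that audits a saved ASA configuration for those three pieces. It assumes the ASA 7.x/8.2-style syntax shown in the thread; the sample configuration and the peer address 203.0.113.10 are constructed for the demo.

```python
"""Audit an ASA config for the pieces needed to hairpin remote-access VPN
client traffic into a site-to-site (L2L) tunnel.

Added example, not from the original thread. Assumes 7.x/8.2-style syntax
(nat (iface) 0 access-list ..., crypto map ... match address ...).
"""
import ipaddress
import re

# Constructed sample configuration (peer address is documentation space).
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
access-list outside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
ip local pool vpnpool 192.168.100.1-192.168.100.254 mask 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
"""

HAIRPIN_LINE = "same-security-traffic permit intra-interface"
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CMAP_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse_acls(config):
    """Map ACL name -> list of (source network, destination network)."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
    return acls


def acl_covers(entries, pool, remote):
    """True if one ACE's source spans the whole pool and its destination
    contains the remote network."""
    start, end = pool
    return any(start in src and end in src and remote.subnet_of(dst)
               for src, dst in entries)


def audit_hairpin(config, remote_net, pool_name=None):
    """Return a list of findings; an empty list means all three pieces exist."""
    remote = ipaddress.ip_network(remote_net)
    lines = [ln.strip() for ln in config.splitlines()]
    acls = parse_acls(config)
    findings = []

    # 1. Traffic enters and leaves the same interface, so hairpinning is needed.
    if HAIRPIN_LINE not in lines:
        findings.append(f"missing: {HAIRPIN_LINE}")

    # 2. Find the client pool (first pool, or the named one).
    pool = None
    for line in lines:
        m = POOL_RE.match(line)
        if m and (pool_name is None or m.group(1) == pool_name):
            pool = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            break
    if pool is None:
        findings.append("missing: ip local pool")
        return findings

    # 3. NAT exemption must cover pool -> remote, or traffic is translated
    #    before it reaches the crypto map and never matches.
    if not any(acl_covers(acls.get(m.group(2), []), pool, remote)
               for m in map(NAT0_RE.match, lines) if m):
        findings.append("missing: nat 0 exemption covering pool -> remote")

    # 4. Crypto map ACL must cover pool -> remote so the traffic is encrypted.
    if not any(acl_covers(acls.get(m.group(3), []), pool, remote)
               for m in map(CMAP_MATCH_RE.match, lines) if m):
        findings.append("missing: crypto map match address covering pool -> remote")
    return findings


if __name__ == "__main__":
    for finding in audit_hairpin(SAMPLE_CONFIG, "172.16.100.0/24") or ["ok"]:
        print(finding)
```

Run it against `show running-config` output saved to a file; a finding on the first check reproduces exactly the situation in this thread, where the ACLs are in place but the intra-interface permit is not.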
RolandCT (Author) commented:
OK, I will try that and let you know.

Thank you,