Solved

VPN client tunnel traffic traversing l2l tunnel

Posted on 2007-11-30
Last Modified: 2011-10-03
I am trying to set up my ASA so client VPN traffic traverses a l2l tunnel to another firewall.  I know this wasn't possible on a PIX but was told this could be done on an ASA but can't find any documentation on how to do it.  It seems just putting in the proper acl lines for the tunnel and nonat lists won't do it alone.
Question by:RolandCT

Expert Comment

by:batry_boy
Yes, you can do this...I've done it before.  Here's a section of code that should get you going.

In the code snippet, the following values are used:

x.x.x.x is the public IP address of the tunnel peer device for the L2L tunnel.
192.168.100.1-254 is the VPN pool of addresses
172.16.100.0/24 is the remote network on the other end of the L2L tunnel

I didn't include the code used for the setup of the remote access VPN tunnel, but you should be able to incorporate the code below into your existing configuration.

access-list outside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
ip local pool vpnpool 192.168.100.1-192.168.100.254 mask 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800


Author Comment

by:RolandCT
I have the equivalent of those lines in my config but it still is not working.  I have the vpn client traffic being nonat'ed and specified in the vpn tunnel access list.  I was under the assumption there was an additional command to allow this vpn tunnel through vpn tunnel traffic to happen.

Accepted Solution

by:batry_boy (earned 500 total points)
Oops..yes, there is:

same-security-traffic permit intra-interface

Sorry about that...
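
A way to check a saved configuration for the three pieces this thread ends up with: the NAT exemption on the outside interface, the crypto map ACL entry, and same-security-traffic permit intra-interface. This is an added example, not part of the original thread; the function names and the sample text are constructed here, and only the "permit ip <net> <mask> <net> <mask>" ACL form used in the snippet above is parsed.

```python
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)[ \t]*$", re.M)

def acl_covers(config, acl_name, src, dst):
    """True if acl_name has a 'permit ip' line whose networks contain src and dst."""
    for name, s_ip, s_mask, d_ip, d_mask in ACL_RE.findall(config):
        if name != acl_name:
            continue
        try:
            s_net = ipaddress.ip_network(f"{s_ip}/{s_mask}")
            d_net = ipaddress.ip_network(f"{d_ip}/{d_mask}")
        except ValueError:
            continue  # any/host/object-group forms are out of scope here
        if src.subnet_of(s_net) and dst.subnet_of(d_net):
            return True
    return False

def hairpin_gaps(config, pool, remote, iface="outside"):
    """Return the prerequisites from the thread that the config is missing."""
    src, dst = ipaddress.ip_network(pool), ipaddress.ip_network(remote)
    gaps = []
    nat_acls = re.findall(
        rf"^nat \({re.escape(iface)}\) 0 access-list (\S+)", config, re.M)
    if not any(acl_covers(config, a, src, dst) for a in nat_acls):
        gaps.append(f"no NAT exemption on {iface} for {pool} -> {remote}")
    crypto_acls = re.findall(
        r"^crypto map \S+ \d+ match address (\S+)", config, re.M)
    if not any(acl_covers(config, a, src, dst) for a in crypto_acls):
        gaps.append(f"no crypto map ACL matches {pool} -> {remote}")
    if not re.search(
            r"^same-security-traffic permit intra-interface[ \t]*$", config, re.M):
        gaps.append("same-security-traffic permit intra-interface is not set")
    return gaps

# Constructed sample: the first snippet in the thread, without the accepted fix.
SAMPLE = """\
access-list outside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
crypto map outside_map 20 match address outside_cryptomap_20
"""

if __name__ == "__main__":
    for gap in hairpin_gaps(SAMPLE, "192.168.100.0/24", "172.16.100.0/24"):
        print("MISSING:", gap)
```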

Author Comment

by:RolandCT
OK, I will try that and let you know.

Thank you,