Cisco ASA/PIX hub and spoke VPN routing

I am wondering if it is possible to route between tunnels in a hub and spoke environment. Can the Remote VPN User in the example below connect to the 5540 and then hit resources behind the 5505 or 5510? Is this as simple as adding the necessary route statement in the 5540, or does the VPN Group Policy get the routing info? Also, I have 12-15 point-to-point tunnels on this ASA 5540; is there a way to limit by group membership on the ASA what resources VPN Users can connect to, besides using Windows/AD group membership? This does assume Active Directory DNS is being passed to the Remote VPN User.

Cisco ASA 5505---\
                              \ Existing VPN Tunnel
                               \----------------------------------------\
                                                                                  Cisco ASA 5540  <-----------> Remote VPN User                    
                               /----------------------------------------/  
                              / Existing VPN Tunnel
Cisco ASA 5510---/
RTPIT asked:

batry_boy commented:
>>Can the Remote VPN User in the example below connect to the 5540 and then hit resources behind the 5505 or 5510?

Yes, you can.  It's called "hairpinning" and this is a new capability introduced in the 7.x code of the ASA.

>>Is this as simple as adding the necessary route statement in the 5540 or does the VPN Group Policy get the routing info?

There are a couple of other things involved, but not many.  Here is the documentation on how to do this:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnsysop.html#wp1042114

>>is there a way to limit by group membership on the ASA what resources VPN Users can connect to besides using Windows/AD group membership?

Yes, there is.  The restriction of resource access is by IP address and port, since it is implemented via ACLs in the ASA, and those can only use source/destination address and source/destination port to restrict access.

If you need more specific help or code examples, please post your existing configuration (sanitized, of course) and we can take a look...
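The pieces batry_boy alludes to (hairpinning, the crypto ACLs, and per-group ACL restriction), as an added hub-side configuration sketch that is not from this thread and not the poster's own ASA config, written in pre-8.3 (7.x) syntax. All addressing and names are made up: hub LAN 10.1.0.0/24, 5505 LAN 10.2.0.0/24, 5510 LAN 10.3.0.0/24, remote-access pool 10.9.0.0/24, group name CONTRACTORS; the vpn-filter convention shown (VPN client side as source, filter evaluated for both directions of a flow) is an assumption to verify against the ASA release you run.

```cisco
! Added example, not from the thread. Hub ASA 5540, 7.x syntax, made-up addressing.
ip local pool RA_POOL 10.9.0.1-10.9.0.254 mask 255.255.255.0

! 1. Hairpinning: allow traffic that was decrypted on "outside" (the RA client)
!    to leave on "outside" again (re-encrypted toward a spoke).
same-security-traffic permit intra-interface

! 2. Each L2L crypto ACL must include the RA pool, or the hub never encrypts the
!    client's packets toward the spoke. The spoke's crypto ACL must mirror this.
access-list L2L_5505 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list L2L_5505 extended permit ip 10.9.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list L2L_5510 extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list L2L_5510 extended permit ip 10.9.0.0 255.255.255.0 10.3.0.0 255.255.255.0

! 3. NAT exemption for the hairpinned flow (only matters if nat-control is enabled).
access-list NONAT_OUTSIDE extended permit ip 10.9.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT_OUTSIDE extended permit ip 10.9.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (outside) 0 access-list NONAT_OUTSIDE

! 4. Per-group restriction with vpn-filter (assumed convention: client side as
!    source, protected network as destination; the filter is checked both ways).
!    This group may only reach RDP on one host behind the 5505 and DNS on the
!    hub's AD server; the implicit deny blocks everything else behind all three ASAs.
access-list VPNFILTER_CONTRACTORS extended permit tcp 10.9.0.0 255.255.255.0 host 10.2.0.50 eq 3389
access-list VPNFILTER_CONTRACTORS extended permit udp 10.9.0.0 255.255.255.0 host 10.1.0.10 eq 53

group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-filter value VPNFILTER_CONTRACTORS

tunnel-group CONTRACTORS type ipsec-ra
tunnel-group CONTRACTORS general-attributes
 address-pool RA_POOL
 default-group-policy CONTRACTORS
```

A second group that needs wider access gets its own group-policy and vpn-filter ACL; users land in a group via the tunnel-group they connect to (or via an attribute mapping from the AAA server), so the ACL, not the client, decides what is reachable.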

RTPIT (Author) commented:
Thanks. Looks like exactly what I want to do. I am in the process of replacing my PIX 525 with a 5540 and as soon as I get this implemented, I will re-post results.