Hello,
I have 3 ASA 5505s configured in a hub-spoke pattern. I have successfully established a L2L tunnel between each spoke and the hub.
I have successfully configured the Cisco VPN client to connect to the hub. This is for users outside of the network.
I would like VPN client users to be able to access the networks located across the L2L tunnels.
Can anyone provide any insight into going about this? I have done a ton of searching and found quite a bit of scattered information, none of which has been successful.
My configuration is as follows:
ASA-SPOKE-2 OS 7.2(3) 192.168.17.1
ASA-SPOKE-1 OS 7.2(4) 192.168.16.1
ASA-HUB OS 7.2(4) 192.168.15.1
VPN Pool: 10.10.10.1-100
ACLs:
For vpn client:
access-list VPNsplitTunnelAcl standard permit 192.168.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0
For L2L (1 of 2)
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list hub-to-spoke-tunnel extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list hub-to-spoke-tunnel extended permit ip 192.168.16.0 255.255.255.0 192.168.15.0 255.255.255.0
The other side has the corresponding ACLs for the L2L.
The L2L encryption I am using on all tunnels is:
crypto map outside_map 20 match address hub-to-spoke-tunnel
crypto map outside_map 20 set peer xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 86400
crypto map outside_map 20 set security-association lifetime kilobytes 8124
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
The VPN Client is using:
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
I know I need to set up the proper ACLs to allow traffic to pass. I also understand I need to allow hairpinning using same-security-traffic permit intra-interface.
I'm just not getting something right. Does my encryption need to be the same for the VPN client and L2L for traffic to pass? What do my ACLs need to look like on both sides for the VPN traffic to pass over the L2L?
Thanks
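Added example (editor's illustration, not the poster's configuration) of the ASA 7.2 pieces that have to line up for a VPN client to reach a spoke LAN through the hub: hairpinning on the hub, the spoke network in the client's split-tunnel ACL, the VPN pool added to the L2L crypto ACL on both ends, and the spoke's NAT exemption. It uses the pool and LANs from the post (10.10.10.0/24, 192.168.16.0/24, 192.168.17.0/24) and assumes the spoke uses the same ACL names as the hub and that nat-control is off (the 7.2 default), so no nat (outside) 0 entry is needed on the hub. The client and L2L transform sets are negotiated as separate SAs and are left untouched.

```cisco
! Added example, not the poster's running config. Assumptions: VPN pool 10.10.10.0/24,
! spoke-1 LAN 192.168.16.0/24, spoke-2 LAN 192.168.17.0/24, ACL names as in the post,
! nat-control disabled on the hub (ASA 7.2 default).
!
! ---- ASA-HUB ----
! Allow a packet that arrived on outside (from the VPN client) to leave on outside
! again (into the L2L tunnel).
same-security-traffic permit intra-interface
! Push the spoke LANs down the client tunnel; today only the hub LAN is listed.
access-list VPNsplitTunnelAcl standard permit 192.168.16.0 255.255.255.0
access-list VPNsplitTunnelAcl standard permit 192.168.17.0 255.255.255.0
! Make pool <-> spoke traffic "interesting" to the existing L2L crypto map entry,
! so it is encrypted into the L2L SA instead of being routed out in the clear.
access-list hub-to-spoke-tunnel extended permit ip 10.10.10.0 255.255.255.0 192.168.16.0 255.255.255.0
! (add the matching line to the crypto ACL used by the spoke-2 entry, with 192.168.17.0)
!
! ---- ASA-SPOKE-1 (mirror image; spoke-2 is the same with its own LAN) ----
! Exempt spoke LAN -> VPN pool from NAT so the return traffic keeps its real source.
access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 10.10.10.0 255.255.255.0
! Mirror the hub's crypto ACL so the spoke accepts and builds the same SA.
access-list hub-to-spoke-tunnel extended permit ip 192.168.16.0 255.255.255.0 10.10.10.0 255.255.255.0
```

Split-tunnel changes are only picked up when the client reconnects. After a client pings a spoke host, `show crypto ipsec sa` on the hub should list a second SA under the spoke peer with local identity 10.10.10.0/24 and remote identity 192.168.16.0/24; if only the 192.168.15.0/24 pair appears, the crypto ACL on one side is still missing the pool entry.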