entegration asked:

Cisco ASA Pass VPN Client Traffic Across L2L VPN

Hello,

I have 3 ASA 5505s configured in a hub-spoke pattern.  I have successfully established a L2L tunnel between each spoke and the hub.  

I have successfully configured the Cisco VPN client to connect to the hub.  This is for users outside of the network.

I would like VPN client users to be able to access the networks located across the L2L tunnels.  

Can anyone provide any insight into going about this?  I have done a ton of searching and found quite a bit of scattered information, none of which has been successful.

My configuration is as follows:

Device          OS        Inside address
ASA-SPOKE-2     7.2(3)    192.168.17.1
ASA-SPOKE-1     7.2(4)    192.168.16.1
ASA-HUB         7.2(4)    192.168.15.1

VPN Pool:                   10.10.10.1-100

ACLs:
For vpn client:
access-list VPNsplitTunnelAcl standard permit 192.168.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0

For L2L (1 of 2)
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list hub-to-spoke-tunnel extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list hub-to-spoke-tunnel extended permit ip 192.168.16.0 255.255.255.0 192.168.15.0 255.255.255.0

The other side has the corresponding ACLs for the L2L.


The L2L encryption I am using on all tunnels is:

crypto map outside_map 20 match address hub-to-spoke-tunnel
crypto map outside_map 20 set peer xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 86400
crypto map outside_map 20 set security-association lifetime kilobytes 8124

crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400


The VPN Client is using:

crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES

crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400

I know I need to set up the proper ACLs to allow traffic to pass.  I also understand I need to allow hairpinning using same-security-traffic permit intra-interface.


I'm just not getting something right.  Does my encryption need to be the same for the VPN client and L2L for traffic to pass?  What do my ACLs need to look like on both sides for the VPN traffic to pass over the L2L?


Thanks
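As an added example (not part of the original post or any reply), here is the set of ASA 7.2 statements that lets the 10.10.10.0/24 client pool reach the SPOKE-1 LAN over the existing L2L tunnel, using the ACL names from the post; the spoke-side ACL names and the outside NAT-exemption ACL name are assumptions, and the same pattern repeats with 192.168.17.0/24 for SPOKE-2.

```cisco
! --- ASA-HUB (192.168.15.1) ---
! Client -> L2L traffic enters and leaves on "outside", so the
! hairpin must be allowed explicitly.
same-security-traffic permit intra-interface
!
! Crypto ACL for the hub-to-SPOKE-1 tunnel: the VPN pool must be
! "interesting traffic" in addition to the existing LAN-to-LAN lines.
access-list hub-to-spoke-tunnel extended permit ip 10.10.10.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list hub-to-spoke-tunnel extended permit ip 192.168.16.0 255.255.255.0 10.10.10.0 255.255.255.0
!
! NAT exemption for the hairpinned flow. It never crosses "inside",
! so inside_nat0_outbound does not apply; hang the exemption off
! "outside" instead (needed only if nat-control is enabled or an
! outside NAT rule would otherwise match; ACL name is assumed).
access-list outside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.16.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
!
! Split-tunnel list: the client only sends traffic for networks in
! this ACL through the tunnel, so the spoke LAN must be listed too.
access-list VPNsplitTunnelAcl standard permit 192.168.16.0 255.255.255.0
!
! Note: ESP-DES on the client tunnel and ESP-3DES-MD5 on the L2L
! tunnel are separate SAs; the hub decrypts one and re-encrypts
! into the other, so the transform sets do not have to match.

! --- ASA-SPOKE-1 (192.168.16.1) ---
! Mirror entries: if the spoke's crypto ACL does not include the
! VPN pool, IKE phase 2 fails for that flow and return traffic is
! dropped. (Crypto ACL name on the spoke is assumed.)
access-list spoke-to-hub-tunnel extended permit ip 192.168.16.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list spoke-to-hub-tunnel extended permit ip 10.10.10.0 255.255.255.0 192.168.16.0 255.255.255.0
!
! Keep the spoke from NATting replies to the client pool.
access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
```

After applying, "show crypto ipsec sa" on the hub should show a separate SA pair for the 10.10.10.0/24 <-> 192.168.16.0/24 proxy identities with both encaps and decaps counters increasing while a client pings a spoke host.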

Last comment: JFrederick29, 8/22/2022 (Mon)