Cisco ASA5500 routing traffic between ipsec tunnels

I have 30+ IPSec tunnels (Cisco ASA5505) that terminate on a Cisco ASA5510.  I would like to be able to:
1. Connect via VPNClient to the Cisco ASA5510 and access any of the 30+ IPSec tunnels
2. Access any of the 30+ IPSec tunnels from any of the networks on the Cisco ASA5505s.

The Cisco ASA5510 is connected to a L3 switch and currently does all the routing.

To accomplish that, all endpoint subnets would need to be included in every ASA crypto match list and nonat.  It's going to be a lot of coding to get that done.

Each site will have the 29 other site subnets in its crypto match list and nonat so that all traffic is captured into the VPN tunnel.  Your HQ ASA already has the tunnel defs for all sites.

The VPN client setup is the same where the client would need access to all 30 remote subnets defined in the lists.
"1. Connect via VPNClient to the Cisco ASA5510 and access any of the 30+ IPSec tunnels"

This can be done.  Are you currently allocating the VPNclient users into an IP Pool?  Is that IP Pool a unique subnet or a range of addresses within a subnet that's already part of the site-to-site VPN tunnels?

You'll have to use the "same-security-traffic permit intra-interface" command, and NAT or not NAT the traffic as needed.  If it's a unique IP subnet then you'll have to PAT the VPN users to an IP number that's part of the existing tunnel config.  If they're allocated a range from an IP block that's already part of the VPN tunnel, then we have to configure a no-nat rule for it.

"2. Access any of the 30+ IPSec tunnels from any of the networks on the Cisco ASA5505s."

Not sure I understand this one completely.  Are you wanting to access any remote site from any other remote site through the VPN tunnels?  I.e. create a fully meshed config?  Are you needing to maintain one-to-one IP NATing through this connection or is it single direction?  If it's initiated from the source only, then we could do this with PAT like the VPN client config above.  If the traffic won't work with PAT, then a reconfig of the VPN ACLs is likely necessary.
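As an added example that is not from this thread, here is how the pieces both answers describe fit together on the hub ASA 5510: the hairpin command, a NAT exemption for the VPN client pool, and crypto ACL entries that carry the client pool and a second spoke's LAN into one spoke's tunnel. It assumes pre-8.3 NAT syntax (the thread's "nonat" wording points at it) and uses constructed placeholder subnets; each spoke's own crypto ACL and nonat list must mirror the hub entries for its tunnel.

```cisco
! Hub ASA 5510 (constructed example, pre-8.3 syntax assumed)
! Placeholder addressing:
!   Hub inside LAN    10.10.0.0/16
!   VPN client pool   10.200.0.0/24  (unique subnet, not inside any spoke tunnel)
!   Spoke A LAN       192.168.1.0/24
!   Spoke B LAN       192.168.2.0/24

! 1. Let traffic that arrived on "outside" (a tunnel or a VPN client)
!    leave again through "outside" into another tunnel (hairpinning).
same-security-traffic permit intra-interface

! 2. Address pool handed to VPN clients.
ip local pool VPNPOOL 10.200.0.1-10.200.0.254 mask 255.255.255.0

! 3. NAT exemption for hub LAN -> spokes (inside interface) ...
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! ... and for hairpinned traffic that enters and exits on "outside":
!    client pool -> spokes and spoke -> spoke must not be translated.
access-list nonat-outside extended permit ip 10.200.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat-outside extended permit ip 10.200.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat-outside extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat-outside extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (outside) 0 access-list nonat-outside

! 4. Crypto ACL for spoke A: besides hub LAN, match the client pool and
!    spoke B's LAN so that traffic is captured into spoke A's tunnel.
access-list VPN-SPOKE-A extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list VPN-SPOKE-A extended permit ip 10.200.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-SPOKE-A extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-SPOKE-A

! Spoke B's crypto ACL on the hub gets the mirror-image entries
! (hub LAN, client pool and spoke A's LAN -> 192.168.2.0/24).
access-list VPN-SPOKE-B extended permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list VPN-SPOKE-B extended permit ip 10.200.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-SPOKE-B extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE_MAP 20 match address VPN-SPOKE-B
```

With 30 spokes, every spoke's crypto ACL and nonat list grows by one entry per other spoke plus one for the client pool, which is the "lot of coding" the first answer warns about; the tunnel only comes up for a given pair if both ends' ACLs mirror each other exactly.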


drreim (Author) commented:
One command resolved this issue:

same-security-traffic permit intra-interface