Cisco ASA5500 routing traffic between ipsec tunnels

I have 30+ IPSec tunnels (Cisco ASA5505) that terminate to a Cisco ASA5510.  I would like to be able to:
1. Connect via VPNClient to the Cisco ASA5510 and access any of the 30+ IPSec tunnels
2. Access any of the 30+ IPSec tunnels from any of the networks on the Cisco ASA5505s.

The Cisco ASA5510 is connected to a L3 switch and currently does all the routing.
"1. Connect via VPNClient to the Cisco ASA5510 and  access any of the 30+ IPSec tunnels"

This can be done.  Are you currently allocating the VPNclient users into an IP Pool?  Is that IP Pool a unique subnet or a range of addresses within a subnet that's already part of the site-to-site VPN tunnels?

You'll have to use the  "same-security-traffic permit intra-interface" command, and NAT or not NAT the traffic as needed.  If it's a unique IP subnet then you'll have to PAT the VPN users to an IP number that's part of the existing tunnel config.  If they're allocated a range from an IP block that's already part of the VPN tunnel, then we have to configure a no-nat rule for it.

"2. Access any of the 30+ IPSec tunnels from any of  the networks on the Cisco ASA5505s."

Not sure I understand this one completely.  Are you wanting to access any remote site from any other remote site through the VPN tunnels?  I.e. create a fully meshed config?  Are you needing to maintain one-to-one IP NATing through this connection or is it single direction?  If it's initiated from the source only, then we could do this with PAT like the VPN client config above.  If the traffic won't work with PAT, then a reconfig of the VPN ACLs is likely necessary.

To accomplish that, all endpoint subnets would need to be included in every ASA crypto match list and nonat.   It's going to be a lot of coding to get that done.

Each site will have the 29 other site subnets in its crypto match list and nonat so that all traffic is captured into the VPN tunnel.   Your HQ ASA already has the tunnel defs for all sites.

The VPN client setup is the same where the client would need access to all 30 remote subnets defined in the lists.
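As an added illustration of the hub-side configuration described in this answer (not config from the original thread or from the asker's devices), the following ASA 8.3+ style snippet covers item 1: intra-interface hairpinning, NAT exemption for the client pool towards one remote site, the crypto ACL entry that carries that traffic, and a split-tunnel list. The pool 192.168.100.0/24, remote site 10.1.0.0/16, peer 203.0.113.10, interface name "outside" and all object, ACL, crypto map, group-policy and tunnel-group names are assumptions.

```cisco
! Added example (not from the original thread). Assumed values: VPN client pool
! 192.168.100.0/24, remote site 10.1.0.0/16 behind an ASA5505, hub outside
! interface "outside", existing crypto map OUTSIDE_MAP entry 10, peer 203.0.113.10.
!
! 1. Let traffic enter and leave the same interface (client tunnel -> site tunnel)
same-security-traffic permit intra-interface
!
! 2. Address pool and objects for the client pool and the remote site
ip local pool VPN-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-VPN-POOL
 subnet 192.168.100.0 255.255.255.0
object network OBJ-SITE1
 subnet 10.1.0.0 255.255.0.0
!
! 3. Identity NAT (the "no-nat" rule) outside-to-outside, scoped to the one remote
!    subnet rather than "any" so the exemption cannot silently cover other flows.
!    The 5505 side must then add 192.168.100.0/24 to its own crypto ACL and nonat.
nat (outside,outside) source static OBJ-VPN-POOL OBJ-VPN-POOL destination static OBJ-SITE1 OBJ-SITE1 no-proxy-arp route-lookup
!
! 4. The site-to-site crypto ACL must match the client pool as well as the hub LAN
!    (the transform set / IKE settings of entry 10 are assumed to exist already)
access-list SITE1-CRYPTO extended permit ip object OBJ-VPN-POOL object OBJ-SITE1
crypto map OUTSIDE_MAP 10 match address SITE1-CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
!
! 5. Split tunnel for the remote-access clients, listing only the subnets they need
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group RA-GROUP general-attributes
 address-pool VPN-POOL
 default-group-policy RA-POLICY
!
! Alternative from the answer above: PAT the pool to a hub address that is already
! in the remote site's crypto ACL, so the 5505s need no change (source-initiated
! traffic only). Replace step 3 with this (10.0.0.250 is an assumed hub address):
! object network OBJ-HUB-PAT
!  host 10.0.0.250
! nat (outside,outside) source dynamic OBJ-VPN-POOL OBJ-HUB-PAT destination static OBJ-SITE1 OBJ-SITE1
```

For item 2 (site-to-site mesh through the hub), the same pattern repeats per remote subnet pair: an outside-to-outside identity NAT rule and a crypto ACL line on the hub for each pair, with the mirrored entries on each 5505.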
drreim (Author) commented:
one command resolved this issue:

same-security-traffic permit intra-interface