• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 823
  • Last Modified:

ASA 5510 access L2L VPN from VPN client connection

I have a 5510 with an L2L VPN to a remote site (  I am also using the 5510 for VPN client access.  Both are connecting on the same interface (outside).  I would like be able to to access the remote site via the VPN client connection.  Is this possible?

If not, can I move the VPN client connections to another interface (alt-wan) in order to make this work?  The alt-wan interface is on different public subnet than the outside interface.
: Saved
ASA Version 8.2(1) 
hostname ma-asa5510-01
domain-name MA.local
no names
name HQ-S01 description
name TN description
name ma-inside-subnet description
name ma-train-ctr-subnet description
name A- description ASA 5510 <> Cisco 3560
name VPN-Clients-5510 description Subnet for 5510 VPN Client Pool
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address w.x.y.z 
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 
interface Ethernet0/2
 nameif alt-wan
 security-level 0
 ip address a.b.c.d 
interface Ethernet0/3
 nameif train-ctr
 security-level 50
 ip address 
interface Management0/0
 nameif management
 security-level 100
 ip address 
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name MA.local
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_nat0_outbound extended permit ip 
access-list inside_nat0_outbound extended permit ip 
access-list inside_nat0_outbound extended permit ip 
access-list inside_nat0_outbound extended permit ip 
access-list inside_nat0_outbound extended permit ip 
access-list SPLIT standard permit 
access-list SPLIT standard permit 
access-list SPLIT standard permit 
access-list TN_VPN_Tunnel extended permit ip 
pager lines 24
logging enable
logging asdm informational
mtu outside 1492
mtu inside 1500
mtu alt-wan 1500
mtu train-ctr 1500
mtu management 1500
ip local pool VPN-Client-Pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 1 interface
global (alt-wan) 20 interface
global (train-ctr) 30 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10
nat (train-ctr) 10
route outside w.x.y.z 1
route alt-wan a.b.c.d 5
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WinNTAuth protocol nt
aaa-server WinNTAuth (inside) host
 timeout 5
aaa-server 2K8-RADIUS protocol radius
aaa-server 2K8-RADIUS (inside) host
 key xxx
 radius-common-pw xxx
http server enable
http inside
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 

crypto map outside_map 3 match address TN_VPN_Tunnel
crypto map outside_map 3 set pfs 
crypto map outside_map 3 set peer [TN Public IP] 
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca certificate map DefaultCertificateMap 10
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet inside
telnet management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
 enable outside
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 2
 svc enable
 tunnel-group-list enable
 certificate-group-map DefaultCertificateMap 10 MARemote
group-policy DfltGrpPolicy attributes
 dns-server value
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 default-domain value MA.local
  url-list value MA-Internal
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask enable default webvpn timeout 7
group-policy MARemote internal
group-policy MARemote attributes
 banner value Welcome to MA.
 banner value 
 banner value Access is permitted by authorized users only.
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 default-domain value MA.local
  url-list value MA-Internal
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default webvpn timeout 7
  customization value DfltCustomization
  hidden-shares visible
  file-entry enable
  file-browsing enable
group-policy L2L-Group-Policy internal
group-policy L2L-Group-Policy attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
username bob password xxx encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group 2K8-RADIUS
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group 2K8-RADIUS
tunnel-group MARemote type remote-access
tunnel-group MARemote general-attributes
 address-pool VPN-Client-Pool
 authentication-server-group 2K8-RADIUS
 default-group-policy MARemote
 password-management password-expire-in-days 10
tunnel-group MARemote webvpn-attributes
 group-alias AnyConnect enable
tunnel-group MARemote ipsec-attributes
 pre-shared-key *
tunnel-group [TN Public IP] type ipsec-l2l
tunnel-group [TN Public IP] ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
service-policy global_policy global
prompt hostname context 
: end

Open in new window

  • 3
  • 2
1 Solution
Yes it is. I just went through this.

I can tell you how to do it from the ASDM side.. I didn't record the actual commands that were sent to the ASA but can try to peel those out for you as well. Give me a few to put this together for you.
1. Enable traffic between two or more interfaces which are configured with the same security levels. this enables router on a stick which is necessery for tunnel hopping.
Command - same-security-traffic permit inter-interface

2. On the profile you use for the VPN client - make sure you add the remote site's network as one of the 'split tunnel destinguished networks' but adding it to the same ACL as your current Remote VPN ACL list -
Command - access-list YourVPNProf_splitTunnelAcl standard permit x.x.x.x m.m.m.m

Hope this helps.
LimeRidge29Author Commented:
Problem solved.
LimeRidge29Author Commented:
tobyhansen, your CLI same-security-traffic permit inter-interface was not exactly right, but it led me to the answer:  same-security-traffic permit INTRA-interface

In the ASDM, it's the "Enable traffic between two or more hosts connected to the same interface" check box.  Thanks for the help.
I have them both checked off. one of them didn't work. I thought I had tried the 'intra' first. Thank youfor correcting me.

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now