

Remote VPN access over Site to Site IPSEC tunnel on same device

Posted on 2011-05-10
Medium Priority
Last Modified: 2012-05-11
We are replacing our PIX and VPN Concentrator with an ASA5520.
Currently our PIX firewall has IPSEC VPN tunnels to remote offices and the VPN concentrator is used for remote client access.
The way the traffic is routed, if a remote user VPNs into the concentrator, they can access the remote offices over the Site to Site VPN tunnels through the PIX.
The solution I'm looking to do is to create the same scenario, but only using the single ASA 5520.
I know that as a remote user, you cannot VPN into the outside interface of the ASA and then go back out the same interface to the remote offices over the site to site tunnels.
Is there a way to do this with just the one device?
I thought that maybe I could assign a second outside interface on the ASA and have the remote users VPN to that interface, while the site to site tunnels would be built on the other outside interface.  Then the remote users could come in on one outside interface and get routed out the 2nd interface with the Site to Site tunnels to reach the remote offices.  
Problem is, when I attempted to assign the second outside interface an IP address from the /28 block given to us by our ISP, it didn't work because the IPs overlapped.
Any ideas?
Question by:ingersoe

Accepted Solution

Saineolai earned 2000 total points
ID: 35733946
On an ASA it is possible to allow traffic to enter and exit the same interface, allowing the scenario you are looking for.  The command to enable that is:

same-security-traffic permit intra-interface

Have a look at this Cisco document.
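The command above only lifts the ASA's refusal to hairpin traffic back out the interface it arrived on; for a remote-access client to actually reach a branch over the site-to-site tunnel, the rest of the VPN configuration has to treat the client pool as tunnel traffic too. The fragment below is an added illustration, not configuration from the original post or from Cisco. It assumes ASA 8.3 syntax (object-based NAT, IKEv1 crypto maps), an inside LAN of 10.1.0.0/16, a branch LAN of 10.2.0.0/24 behind peer 203.0.113.10, and a client pool of 192.168.100.0/24; all of those names and addresses are made up for the example. On 8.2 and earlier the NAT exemption is expressed with nat 0 access-list instead.

```cisco
! --- Added example, not from the original thread; names and addresses are assumed ---

! 1. Let decrypted traffic enter and leave the outside interface (the hairpin).
same-security-traffic permit intra-interface

! 2. Address pool handed to remote-access clients.
ip local pool RA_POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

object network INSIDE_LAN
 subnet 10.1.0.0 255.255.0.0
object network BRANCH_LAN
 subnet 10.2.0.0 255.255.255.0
object network RA_CLIENTS
 subnet 192.168.100.0 255.255.255.0

! 3. NAT exemption. Without the outside,outside rule the hairpinned client
!    traffic would be PATed to the outside address and never match the
!    site-to-site crypto ACL.
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static BRANCH_LAN BRANCH_LAN no-proxy-arp route-lookup
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static RA_CLIENTS RA_CLIENTS no-proxy-arp route-lookup
nat (outside,outside) source static RA_CLIENTS RA_CLIENTS destination static BRANCH_LAN BRANCH_LAN

! 4. Site-to-site "interesting traffic": the client pool must be listed
!    alongside the inside LAN, and the branch peer's crypto ACL must mirror
!    both entries or phase 2 will not come up for the pool.
access-list L2L_BRANCH extended permit ip object INSIDE_LAN object BRANCH_LAN
access-list L2L_BRANCH extended permit ip object RA_CLIENTS object BRANCH_LAN

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Static entry for the branch, dynamic entry for the remote-access clients,
! both bound to the same outside interface.
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 match address L2L_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <branch-psk>

! 5. Remote-access policy: the split-tunnel list must include the branch LAN,
!    otherwise the client sends 10.2.0.0/24 to its local default gateway
!    instead of into the tunnel.
access-list RA_SPLIT standard permit 10.1.0.0 255.255.0.0
access-list RA_SPLIT standard permit 10.2.0.0 255.255.255.0

group-policy RA_GP internal
group-policy RA_GP attributes
 address-pools value RA_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SPLIT

tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 default-group-policy RA_GP
tunnel-group RA_TG ipsec-attributes
 pre-shared-key <client-group-psk>
```

Two checks are worth running before blaming the hairpin. packet-tracer input outside tcp 192.168.100.5 1025 10.2.0.10 445 walks a client packet through NAT and the crypto map and shows which phase drops it, and show crypto ipsec sa peer 203.0.113.10 should list a 192.168.100.0/24 to 10.2.0.0/24 SA once a client has sent traffic. Decrypted VPN traffic bypasses the outside interface ACL only while the default sysopt connection permit-vpn is in effect; if that has been disabled, the outside ACL must also permit the pool to the branch LAN.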

Author Comment

ID: 35734221
Thanks for the quick response.  That looks like it'll work.  Guess I need to read up on the new features of the 7 and 8 code.
