Cisco SSL VPN route to site-to-site

Hello experts,

I have a Cisco ASA5510. Its current roles are internet gateway, site-to-site VPN and SSL VPN access. I have one site-to-site tunnel running on this.

I would like my SSL users to be able to talk to the site-to-site network.  

Local network: 10.6.66.x
site-to-site: 10.0.0.x
SSL: 10.200.200.x

: Saved
: Written by enable_15 at 22:36:59.421 UTC Mon Mar 15 2010
ASA Version 8.0(5)
hostname xxxxxxxxxxxxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxxxxxxxxxx
enable password lBgvvfd/E2cA9Vsl encrypted
passwd lBgvvfd/E2cA9Vsl encrypted
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address xxxxxxxxxxxxxxxxxxxxxx
interface Ethernet0/1
 nameif Outside-backup
 security-level 0
 ip address xxxxxxxxxxxxxxxxxxxxxxxxxxxx
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 nameif INSIDE
 security-level 100
 ip address
interface Ethernet0/3.1
 no vlan
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address xxxxxxxxxxxxxxxxxxxxxxxxx
boot system disk0:/asa805-k8.bin
ftp mode passive
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
 domain-name xxxxxxxxxxxxxxxx
same-security-traffic permit intra-interface
access-list INSIDE_nat0_outbound extended permit ip
access-list INSIDE_nat0_outbound extended permit ip any
access-list INSIDE_nat0_outbound extended permit ip
access-list INSIDE_nat0_outbound extended permit ip
access-list OUTSIDE_cryptomap_20 extended permit ip
access-list OUTSIDE_cryptomap_20 extended permit ip
access-list remote-vpn_splitTunnelAcl standard permit any
access-list remote-vpn_split extended permit ip
access-list remote-vpn_split extended permit ip
pager lines 24
logging enable
logging timestamp
logging list syslog level notifications
logging trap syslog
logging asdm informational
logging host INSIDE xxxxxxxxxxxxxxx
mtu OUTSIDE 1500
mtu Outside-backup 1500
mtu INSIDE 1500
mtu management 1500
ip local pool vpn-pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 10 interface
global (Outside-backup) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 10

static (INSIDE,OUTSIDE) xxxxxxxxxxxxxxxx netmask dns
static (INSIDE,OUTSIDE) xxxxxxxxxxxxxxxx netmask dns
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE xxxxxxxxxxxxxxxxxxxxxx 1 track 1
route Outside-backup xxxxxxxxxxxxxxxxxxxxxx 200
route INSIDE 1       (MPLS)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server windows protocol kerberos
aaa-server windows (INSIDE) host
 timeout 5
 kerberos-realm xxxxxxxxxx
aaa-server xxxxxxxxxxxX protocol nt
aaa-server xxxxxxxxxxxxxX (INSIDE) host
 nt-auth-domain-controller xxxxxxxxxxxxxxxxxxxx
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho interface OUTSIDE
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 20 set reverse-route
crypto map OUTSIDE_map 20 match address OUTSIDE_cryptomap_20
crypto map OUTSIDE_map 20 set peer
crypto map OUTSIDE_map 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 20 set reverse-route
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
track 1 rtr 123 reachability
telnet timeout 5
ssh timeout 5
console timeout 0
telnet inside
management-access INSIDE
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
threat-detection scanning-threat shun duration 600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server xxxxxxxxxxxxxxxxxxxx source OUTSIDE
 port 444
 enable OUTSIDE
 dtls port 444
 svc image disk0:/anyconnect-dart-win-2.4.0202-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy remote-vpn internal
group-policy remote-vpn attributes
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote-vpn_split
 default-domain value xxxxxxxxxxxxxxxxxxxxxxxxxx
  url-list none
  svc ask enable
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group xxxxxxxxxxxxxxxxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxxxxxxxxxxxxxxxxx ipsec-attributes
 pre-shared-key *
tunnel-group remote-vpn type remote-access
tunnel-group remote-vpn general-attributes
 address-pool (INSIDE) vpn-pool
 address-pool vpn-pool
 authentication-server-group xxxxxxxxxxX LOCAL
 authentication-server-group (INSIDE) xxxxxxxxxxxX LOCAL
 authorization-server-group LOCAL
 default-group-policy remote-vpn
tunnel-group remote-vpn ipsec-attributes
 pre-shared-key *
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 address-pool vpn-pool
 authentication-server-group xxxxxxxxxxxxxxxxxx-
 default-group-policy remote-vpn
tunnel-group Anyconnect webvpn-attributes
 group-alias Anyconnect enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context

Well, last I heard it won't work that way.

Basically the ASA won't receive traffic on an interface and then send it back out on that interface, which is what you would be doing.

Solutions... have your second VPN somewhere on the inside of your network. OpenVPN is a Linux-based SSL VPN server if you want to try it.
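
Added example, not part of the thread: on an ASA, forwarding traffic back out the interface it arrived on is governed by `same-security-traffic permit intra-interface`, a line that appears in the configuration posted in the question. The Python sketch below checks a saved config for that line and for whether the crypto-map ACL and the split-tunnel list cover the SSL-pool-to-remote-site path. The sample config is constructed, /24 masks are assumed for the question's address ranges, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, not the poster's config. /24 masks are assumed for the
# question's 10.6.66.x (local), 10.0.0.x (remote site) and 10.200.200.x (SSL pool).
SAMPLE = """\
same-security-traffic permit intra-interface
access-list OUTSIDE_cryptomap_20 extended permit ip 10.6.66.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list remote-vpn_split extended permit ip 10.6.66.0 255.255.255.0 10.200.200.0 255.255.255.0
crypto map OUTSIDE_map 20 match address OUTSIDE_cryptomap_20
group-policy remote-vpn attributes
 split-tunnel-network-list value remote-vpn_split
"""

def acl_pairs(config, name):
    """(source, destination) networks of 'permit ip <net> <mask> <net> <mask>' entries.
    Entries using 'any', 'host' or object groups are skipped, not interpreted."""
    pat = re.compile(rf"^access-list {re.escape(name)} extended permit ip "
                     r"(\S+) (\S+) (\S+) (\S+)[ \t]*$", re.M)
    pairs = []
    for src, smask, dst, dmask in pat.findall(config):
        try:
            pairs.append((ipaddress.ip_network(f"{src}/{smask}"),
                          ipaddress.ip_network(f"{dst}/{dmask}")))
        except ValueError:
            continue
    return pairs

def hairpin_report(config, pool, remote):
    """Check the three settings for SSL-pool -> site-to-site traffic on one interface."""
    pool, remote = ipaddress.ip_network(pool), ipaddress.ip_network(remote)
    crypto = re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M)
    split = re.findall(r"^\s*split-tunnel-network-list value (\S+)", config, re.M)
    return {
        # Lets the ASA send traffic back out the interface it arrived on.
        "intra_interface": bool(re.search(
            r"^same-security-traffic permit intra-interface[ \t]*$", config, re.M)),
        # The tunnel's interesting-traffic ACL must include pool -> remote.
        "crypto_acl_covers_pool": any(pool.subnet_of(s) and remote.subnet_of(d)
            for a in crypto for s, d in acl_pairs(config, a)),
        # For an extended split-tunnel ACL the source field is the tunnelled network.
        "split_tunnel_covers_remote": any(remote.subnet_of(s)
            for a in split for s, _ in acl_pairs(config, a)),
    }

if __name__ == "__main__":
    print(hairpin_report(SAMPLE, "10.200.200.0/24", "10.0.0.0/24"))
```

The remote peer's own crypto ACL has to mirror any pool-to-site entry added on this side; the script only inspects the local configuration.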
