Cisco SSL VPN route to site-to-site

Posted on 2012-03-26
Last Modified: 2012-09-13
Hello experts,

I have a Cisco ASA5510. Its current roles are internet gateway, site-to-site VPN and SSL VPN access. I have one site-to-site tunnel running on this.

I would like my SSL users to be able to talk to the site-to-site network.

Local network: 10.6.66.x
site-to-site: 10.0.0.x
SSL: 10.200.200.x

: Saved
: Written by enable_15 at 22:36:59.421 UTC Mon Mar 15 2010
ASA Version 8.0(5)
hostname xxxxxxxxxxxxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxxxxxxxxxx
enable password lBgvvfd/E2cA9Vsl encrypted
passwd lBgvvfd/E2cA9Vsl encrypted
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address xxxxxxxxxxxxxxxxxxxxxx
interface Ethernet0/1
 nameif Outside-backup
 security-level 0
 ip address xxxxxxxxxxxxxxxxxxxxxxxxxxxx
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 nameif INSIDE
 security-level 100
 ip address
interface Ethernet0/3.1
 no vlan
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address xxxxxxxxxxxxxxxxxxxxxxxxx
boot system disk0:/asa805-k8.bin
ftp mode passive
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
 domain-name xxxxxxxxxxxxxxxx
same-security-traffic permit intra-interface
access-list INSIDE_nat0_outbound extended permit ip
access-list INSIDE_nat0_outbound extended permit ip any
access-list INSIDE_nat0_outbound extended permit ip
access-list INSIDE_nat0_outbound extended permit ip
access-list OUTSIDE_cryptomap_20 extended permit ip
access-list OUTSIDE_cryptomap_20 extended permit ip
access-list remote-vpn_splitTunnelAcl standard permit any
access-list remote-vpn_split extended permit ip
access-list remote-vpn_split extended permit ip
pager lines 24
logging enable
logging timestamp
logging list syslog level notifications
logging trap syslog
logging asdm informational
logging host INSIDE xxxxxxxxxxxxxxx
mtu OUTSIDE 1500
mtu Outside-backup 1500
mtu INSIDE 1500
mtu management 1500
ip local pool vpn-pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 10 interface
global (Outside-backup) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 10

static (INSIDE,OUTSIDE) xxxxxxxxxxxxxxxx netmask dns
static (INSIDE,OUTSIDE) xxxxxxxxxxxxxxxx netmask dns
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE xxxxxxxxxxxxxxxxxxxxxx 1 track 1
route Outside-backup xxxxxxxxxxxxxxxxxxxxxx 200
route INSIDE 1       (MPLS)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server windows protocol kerberos
aaa-server windows (INSIDE) host
 timeout 5
 kerberos-realm xxxxxxxxxx
aaa-server xxxxxxxxxxxX protocol nt
aaa-server xxxxxxxxxxxxxX (INSIDE) host
 nt-auth-domain-controller xxxxxxxxxxxxxxxxxxxx
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho interface OUTSIDE
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 20 set reverse-route
crypto map OUTSIDE_map 20 match address OUTSIDE_cryptomap_20
crypto map OUTSIDE_map 20 set peer
crypto map OUTSIDE_map 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 20 set reverse-route
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
track 1 rtr 123 reachability
telnet timeout 5
ssh timeout 5
console timeout 0
telnet inside
management-access INSIDE
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
threat-detection scanning-threat shun duration 600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server xxxxxxxxxxxxxxxxxxxx source OUTSIDE
 port 444
 enable OUTSIDE
 dtls port 444
 svc image disk0:/anyconnect-dart-win-2.4.0202-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy remote-vpn internal
group-policy remote-vpn attributes
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote-vpn_split
 default-domain value xxxxxxxxxxxxxxxxxxxxxxxxxx
  url-list none
  svc ask enable
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group xxxxxxxxxxxxxxxxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxxxxxxxxxxxxxxxxx ipsec-attributes
 pre-shared-key *
tunnel-group remote-vpn type remote-access
tunnel-group remote-vpn general-attributes
 address-pool (INSIDE) vpn-pool
 address-pool vpn-pool
 authentication-server-group xxxxxxxxxxX LOCAL
 authentication-server-group (INSIDE) xxxxxxxxxxxX LOCAL
 authorization-server-group LOCAL
 default-group-policy remote-vpn
tunnel-group remote-vpn ipsec-attributes
 pre-shared-key *
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 address-pool vpn-pool
 authentication-server-group xxxxxxxxxxxxxxxxxx-
 default-group-policy remote-vpn
tunnel-group Anyconnect webvpn-attributes
 group-alias Anyconnect enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
Question by: gws226
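For the scenario in the question (SSL VPN clients in 10.200.200.x reaching the site-to-site network 10.0.0.x), the traffic arrives on OUTSIDE from the AnyConnect session and must leave OUTSIDE again inside the IPsec tunnel, so the ASA has to be allowed to hairpin it and both tunnel definitions have to know about the pool. The block below is an added example assembled from the names and networks in the posted config, not text from the asker or the answerer. It assumes /24 masks, the existing ACL and crypto-map names, pre-8.3 NAT syntax (the posted config is 8.0(5)), and that the remote site-to-site peer mirrors the new crypto ACL entry in its own configuration.

```cisco
! Added example: pieces an ASA 8.0(5) needs to hairpin SSL VPN traffic into an L2L tunnel.
! Networks from the question: LAN 10.6.66.0/24, remote site 10.0.0.0/24, SSL pool 10.200.200.0/24.
! ASSUMED: /24 masks, the posted ACL/crypto-map names, and a mirrored ACL entry on the remote peer.

! 1. Same-interface (OUTSIDE in, OUTSIDE out) forwarding; the posted config already has this line.
same-security-traffic permit intra-interface

! 2. Make pool-to-remote-site traffic "interesting" for the existing site-to-site crypto map.
!    The remote peer must carry the mirror image (10.0.0.0/24 -> 10.200.200.0/24).
access-list OUTSIDE_cryptomap_20 extended permit ip 10.200.200.0 255.255.255.0 10.0.0.0 255.255.255.0

! 3. Exempt the hairpinned flow from translation on OUTSIDE (pre-8.3 nat 0 on the interface
!    the decrypted traffic is seen on, which here is OUTSIDE, not INSIDE).
access-list OUTSIDE_nat0_outbound extended permit ip 10.200.200.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound

! 4. Add the remote site to the split-tunnel list so the client sends 10.0.0.0/24 into the tunnel.
!    (Extended split-tunnel ACL: source = network behind the ASA, destination = client pool.)
access-list remote-vpn_split extended permit ip 10.0.0.0 255.255.255.0 10.200.200.0 255.255.255.0

! Verification after a client connects and pings a 10.0.0.x host:
!   show crypto ipsec sa peer <L2L-peer-ip>   ! encaps/decaps counters for the new SA pair should increase
!   show vpn-sessiondb svc                    ! confirms the SSL session and its assigned pool address
```

The step-3 exemption matters even though no PAT rule is defined for OUTSIDE-to-OUTSIDE traffic: with nat-control enabled, hairpinned packets would otherwise be dropped for lack of a translation. Step 2 alone is not enough because the peer's crypto ACL must also match the pool, or it will reject the proposal for the new SA.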
Accepted Solution

pclinuxguru earned 500 total points
Well, last I heard it won't work that way.

Basically the ASA won't receive traffic on an interface and then send it back out on that interface, which is what you would be doing.

Solutions... have your second VPN somewhere on the inside of your network. OpenVPN is a Linux-based SSL VPN server if you want to try it.
