ASA 5505 asdm 5.2 VPN spoke to spoke connection

I need to allow VPN traffic to flow through an ASA 5505 to another VPN target (spoke to spoke).  

I have a remote VPN connection  to an ASA 5505 using Cisco VPN Client.  It is configured and I am able to connect to the ASA inside interface (LAN).  I need to know how to allow traffic to go back out the outside interface across a site to site VPN connection (essentially using the ASA as a VPN Proxy).  The local firewall at the other end of the site to site connection cannot accept VPN client connections directly so I am trying to use the ASA as a gateway leveraging the site to site VPN connection.

I had attempted to create an acl entry on the inside interface allowing traffic from the ASA's LAN subnet to the remote site LAN subnet. However this prevented normal internet traffic from going out the firewall and did not route traffic to the remote site as desired.

The same rule on the outside interface does nothing.  

I am also unable to find where NAT exemptions are configured for the VPN in order to control which targets are permitted on the LAN for VPN Users.  It appears in the wizard once where you can set allowed hosts however I cannot find it later in the Tunnel Group or Group Policy.
LVL 2
YMartinAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

asavenerCommented:
You will need to modify the access lists associated with the two VPN connections, and then allow same-security traffic intra-interface.

Example:

Current:

Site A
VPN1
permit site A IPs to site B IPs
VPN2
permit site A IPs to site C ips

(Site B and Site C have converse rules)


New:
VPN1
permit site A IPs to site B IPs
permit site C ips to site B ips
VPN2
permit site A IPs to site C ips
permit site B IPs to site C ips

(Site B and site C access lists need to be updated to allow converse traffic)

Then add the following rule at main site:

same-security-traffic permit intra-interface



Result is that traffic Site B to Site C arrives at site A, is decrypted, then routed back out the outside interface, re-encrypted with the VPN to site C and sent on its way.
0
YMartinAuthor Commented:
Thanks for the reply.   I issued the permit intra-interface but this by itself has not resolved the issue.

The problem is that we are using a remote VPN connection using the Cisco client.  The local ip of the actual client will change depending on where they connect from.  When you log in using the VPN  client your local IP is Natted over to an address within the ASA's Lan subnet.  There is already connectivity between the LAN subnet of the ASA and the remote LAN subnet at the other end of the site to site VPN.  

Not really sure how to get to the access lists

in ASDM I see the IPSec Rules and the action is listed as "Protect" rather than "Permit".  I could create a rule however I would need to know what to enter for the crypto map peer if any (I would think this would remain empty) and under "Traffic Selection" I would need to know what to enter as the source object/address in order to catch traffic coming in on the remote VPN.
0
asavenerCommented:
So it's a computer using the Anyconnect VPN client that needs access to the second LAN?  

Are you configured for split VPN?  If you are, then you have to add the second LAN to the list of subnets.
0
Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

YMartinAuthor Commented:
Correct.  Cisco VPN Client 5.0.07.0440 connecting to the ASA needs to access the second LAN on one of the ASA's Site2Site VPN partners.

The asa has 5 Site2Site connections 3 of them are configured in a full mesh configuration where those 3 are also connected to each other.  Those site to site connections should not route traffic through the ASA destined for another VPN target.  Only the VPN Client connection will need to be able to do this for the one LAN.

I am probably not configured for split VPN and may need to find out how this is setup on the ASA or how to verify if it is setup or not.

To which list would I add the 2nd LAN and where do I locate said list?  I have searched everywhere for a list which would accept the subnet and enable functionality.  

Thanks.
0
asavenerCommented:
If you are set up for split VPN, then there should be a standard access list assigned to the remote VPN profile.
0
YMartinAuthor Commented:
I have verified that the tunnel group of which the remote VPN connection is a member is set for split VPN.  

This (attached) is the only thing which resembles an ACL which I have been able to find under VPN configuration.   I have searched high an low.  Is this the correct area?  

Line 4 has the local lan subnet as the source and the remote VPN target as the destination.  The remote VPN user is assigned an address within that local subet.
ASAVPNRules.png
0
asavenerCommented:
The remote access VPN is the stuff at the bottom that says any/any.  So you're not running a split tunnel for remote access users.
0
YMartinAuthor Commented:
The Split VPN is on the VPN client end so internet bound traffic does not get routed through the ASA.  I will try to set a dynamic rule with a source of any and destination of the remote LAN and set the public IP of that network as the peer and see if that does anything.  Is that how one would configure split VPN for this scenario?
0
asavenerCommented:
No, you have to configure split VPN from the ASA side first.  ASA configuration will  override local settings on the VPN client.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa-split-tunnel-vpn-client.html
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
YMartinAuthor Commented:
Great.  It works.  

Really appreciate your patience.  I never thought to click on "Manage" under "Split Tunnel Network List" to find the ACL entries.  Those instructions were just the thing.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.