lapavoni asked:
Cisco ASA VPN routing question

Greetings.

We have a Cisco ASA5512x firewall/router.  We use the AnyConnect client for SSL/TLS access.

I've set up a site-to-site VPN connection with a vendor between our inside network and their inside network.  It's configured properly (with their outside network on our end and our outside network on theirs).  All is well there.

We would like to be able to have certain users connect into our network via the AnyConnect client, then be able to transparently access the vendor's network. Obviously, from inside our office all is well.  But from outside, they only get into our network, not through to the vendor's network.

In the site-to-site setup, I've added our VPN pool to the "Local - Protected Network", where our internal IP scheme resides.

What else am I missing?

Thanks.
-Stephen
Cheever000 (accepted solution; the solution body is members-only and is not shown):
I also should add that you need to make sure the same-security-traffic permit intra-interface command is configured, to allow traffic to go out the same interface it came in on.
lapavoni (asker):
I think we're good!  I added the VPN Pool to the split tunnel in the correct group policy.  (I'm working with ASDM, not CLI.)  Yes, the remote endpoint is fine with our client VPN pool - good question.  I'm not sure about the same-security-traffic permit intra-interface command.  We're testing now with just the split tunnel change.
Great news, if you need anything please update this question and I will provide any guidance I can.
Hi there,

Just for my learning.
Kindly confirm the below:
"I added the VPN Pool to the split tunnel in the correct group policy"

You mean to say that you added the LAN pool of the remote site to the remote VPN access-list?
Pete Long:
You should also add the IP pool subnet to the crypto ACL of the site to site VPN? And the NAT exemption?

Cisco Firewall VPN “Hair Pinning” Note: Cisco refer to this as a “Spoke to Spoke VPN”

Pete
The far end of the site-to-site tunnel will also need to add the VPN pool subnet, or you would need to NAT the remote-user VPN subnet to an existing address in the crypto map.
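The four pieces the thread lists (hairpin permit, crypto ACL, NAT exemption, split-tunnel list), pulled together as one added ASA CLI example. This is not configuration from the thread or from Cisco: every address (documentation ranges), object name, group-policy name and map name below is an assumed placeholder, the crypto map and transform set are assumed to already exist for the working site-to-site tunnel, and the syntax is ASA 8.3+ object NAT. One point the example makes explicit: the split-tunnel list is the set of destinations the AnyConnect client routes into the tunnel, so it is the vendor LAN that has to appear there; the pool itself belongs in the crypto ACL and the NAT exemption.

```cisco
! Added example, not from the thread. All addresses and names are assumed placeholders.
! Our inside LAN, our AnyConnect address pool, and the vendor's inside LAN.
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
object network VPN-POOL
 subnet 10.200.0.0 255.255.255.0
object network VENDOR-NET
 subnet 172.16.50.0 255.255.255.0

! 1. Remote-user traffic is decrypted on outside and must be re-encrypted out of
!    outside again (hairpin / "spoke to spoke"); the ASA refuses that by default.
same-security-traffic permit intra-interface

! 2. Crypto ACL for the site-to-site tunnel: the pool must be an interesting-
!    traffic source alongside the inside LAN, or the ASA never encrypts it.
access-list L2L-VENDOR extended permit ip object INSIDE-NET object VENDOR-NET
access-list L2L-VENDOR extended permit ip object VPN-POOL object VENDOR-NET
crypto map OUTSIDE-MAP 10 match address L2L-VENDOR
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE-MAP interface outside

! 3. NAT exemption (identity NAT) so neither flow is translated before the
!    crypto-map lookup. The hairpinned pool needs the (outside,outside) pair.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VENDOR-NET VENDOR-NET no-proxy-arp route-lookup
nat (outside,outside) source static VPN-POOL VPN-POOL destination static VENDOR-NET VENDOR-NET no-proxy-arp route-lookup

! 4. Split-tunnel list: the client only sends listed destinations into the
!    AnyConnect tunnel, so the vendor LAN (not the pool) must be listed.
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 172.16.50.0 255.255.255.0
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Verification once a remote user tries to reach the vendor: an IPsec SA for
! 10.200.0.0/24 -> 172.16.50.0/24 should appear and its encaps counter should rise.
show crypto ipsec sa peer 203.0.113.10
show vpn-sessiondb anyconnect
```

The vendor side has to mirror this: 10.200.0.0/24 must be added as a remote protected network in their crypto ACL and NAT exemption, exactly as the reply above says, unless you instead NAT the pool behind an address already in their crypto map (a `nat (outside,outside) source dynamic VPN-POOL ...` onto an inside address). Also confirm that ANYCONNECT-GP is the group policy actually assigned to the users' tunnel-group, which is the step most often missed when working in ASDM.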
Added to split-tunnel as suggested.  We are good to go.  Thank you.