steinar, that was exactly the document i was googling for and could not find. you've solved my 3-day long problem with one simple email. greatly appreciated to you, and to the other gents who replied.
cheers, ryan

On Tue, Sep 2, 2014 at 10:51 AM, Rimestad, Steinar <steinar.rimes...@altibox.no> wrote:
> You need to do NAT hairpinning with NAT(outside,outside) statement for
> your remote access users to bounce back over the L2L VPN.
>
> Depending on your ASA version (pre or post 8.3 with the different NAT
> engines) I think you can use the following guides:
>
> >=8.3
> http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/
>
> <=8.2:
> http://www.networking-forum.com/blog/?p=1038
>
> Regards,
> Steinar
>
> On 01/09/14 23:41, "Steve Housego" <steve.hous...@itps.co.uk> wrote:
>
> >You will need to add the source/dest networks in the crypto maps,
> >configure your split tunnelling (if you're not tunnelling all networks),
> >configure your nat exempt (outside,outside), and as john has mentioned
> >same-security-traffic permit intra-interface.
> >
> >You may need to put in an ACL as well if you're not bypassing interface
> >ACLs in your VPN config.
> >
> >SteveH
> >
> >-----Original Message-----
> >From: John Kougoulos <john.kougou...@gmail.com>
> >Date: Monday, 1 September 2014 16:24
> >To: ryanL <ryan.lan...@gmail.com>
> >Cc: "cisco-nsp@puck.nether.net NSP" <cisco-nsp@puck.nether.net>
> >Subject: Re: [c-nsp] asa 5510, remote access vpn, resources across lan-to-lan
> >Resent-From: Steve Housego <steve.hous...@it-ps.com>
> >
> >>Hi,
> >>
> >>it could be nat but this depends on your routing config. It could also be
> >>that this command is required:
> >>same-security-traffic permit intra-interface
> >>
> >>Regards,
> >>John
> >>
> >>On Mon, Sep 1, 2014 at 4:57 PM, ryanL <ryan.lan...@gmail.com> wrote:
> >>
> >>> hi,
> >>>
> >>> i'm hopefully going to find someone who's done this before, or who has
> >>> better google-fu than me. asa is not my strong suit.
> >>>
> >>> i have users vpn'ing (ipsec) into one 5510, accessing various corp
> >>> resources there.
> >>> the vpn pool isn't routed - i just nat it to one of the
> >>> various inside interfaces depending on which vlan they're trying to hit.
> >>> works fine.
> >>>
> >>> that particular 5510 has a l-2-l ipsec to a different 5510, which also has
> >>> its own inside resources. if i vpn into it directly, i can hit those inside
> >>> resources no problem.
> >>>
> >>> the question is - how do i get the vpn users hitting the first 5510 to
> >>> reach the resources behind the second 5510?
> >>>
> >>> i know i'm close, as i'm at least triggering the l-2-l tunnel to be setup
> >>> when vpn'd into the first 5510 and trying to reach the second 5510's
> >>> resources. i'm just missing some nat, or something...
> >>>
> >>> appreciated.
> >>>
> >>> ryan
> >>> _______________________________________________
> >>> cisco-nsp mailing list cisco-nsp@puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>> archive at http://puck.nether.net/pipermail/cisco-nsp/
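The pieces Steinar and Steve list (intra-interface permit, outside-to-outside NAT exemption, crypto map and split-tunnel entries, interface ACL), written out as an added ASA configuration example in post-8.3 NAT syntax; this is not configuration from the thread or the linked guides, and the networks, object names and ACL names are constructed placeholders.

```cisco
! Added example, not from the thread: remote-access IPsec pool hairpinned
! across an L2L tunnel that terminates on the same ASA (post-8.3 NAT syntax).
! Constructed values: RA pool 10.99.0.0/24, LAN behind the second 5510
! 10.20.0.0/24. Object and ACL names are placeholders.

! 1. Let a flow enter and leave the same interface (outside -> outside).
same-security-traffic permit intra-interface

object network RA_POOL
 subnet 10.99.0.0 255.255.255.0
object network SITE2_LAN
 subnet 10.20.0.0 255.255.255.0

! 2. Identity NAT between outside and outside, so pool addresses headed
!    for the remote LAN keep their source rather than being rewritten by
!    the rules that translate the pool toward the inside VLANs. The crypto
!    ACL is evaluated after NAT, so it must see the untranslated pool.
nat (outside,outside) source static RA_POOL RA_POOL destination static SITE2_LAN SITE2_LAN

! 3. The existing L2L crypto ACL must also cover pool -> remote LAN. The
!    second 5510 needs the mirror entry (its LAN -> pool) in its crypto ACL
!    and its own NAT exemption for that pair.
access-list L2L_SITE2 extended permit ip object RA_POOL object SITE2_LAN

! 4. With split tunnelling, the remote LAN must be in the split list or
!    the client never sends that traffic into the tunnel at all.
access-list RA_SPLIT standard permit 10.20.0.0 255.255.255.0

! 5. Only needed when interface ACLs are not bypassed for VPN traffic
!    (sysopt connection permit-vpn disabled): permit the flow explicitly.
access-list OUTSIDE_IN extended permit ip object RA_POOL object SITE2_LAN

! Verify: the (outside,outside) rule should accumulate hits, and the SA for
! the site-2 peer should list the pool and remote LAN as its identities.
! show nat detail
! show crypto ipsec sa
! packet-tracer input outside icmp 10.99.0.10 8 0 10.20.0.50
```

If the L2L tunnel comes up but the hairpinned flow is dropped, the packet-tracer output shows which of the NAT, crypto or ACL phases rejected it, which is usually faster than reading the whole configuration.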