Tuesday, January 21, 2014

Cisco ASA Hair-Pin Between EZVPN & L2L VPN

Like to use EZVPN? Me too. Also have a need for some IPSEC L2L VPNs? Me too.

Need in some cases to permit connectivity between EZVPN branch offices and IPSEC L2L Branch offices? Me too.

The ASA syntax below shows how to make this happen. It assumes you already know (and have implemented) the syntax for the base VPN configuration and only shows the additional syntax necessary to make the hair-pin work.

FW1:

! NAT EXEMPTION:
nat (outside,outside) source static REMOTE_SUBNET_FW2 REMOTE_SUBNET_FW2 destination static REMOTE_SUBNET_FW3 REMOTE_SUBNET_FW3

! IDENTIFY INTERESTING TRAFFIC TO SEND INTO TUNNEL (L2L CRYPTO MAP):
access-list FW1_to_FW2 extended permit ip object REMOTE_SUBNET_FW3 object REMOTE_SUBNET_FW2

! IDENTIFY SPLIT-TUNNEL TRAFFIC (EZVPN GROUP POLICY):
access-list FW3_SPLIT_TUNNEL standard permit x.x.x.x m.m.m.m (FW2-inside)

! PERMIT THE HAIR-PIN:
same-security-traffic permit intra-interface

! ROUTE OUTSIDE (both remote inside subnets are reached via the outside interface):
route outside x.x.x.x m.m.m.m g.g.g.g (FW2 Inside)
route outside x.x.x.x m.m.m.m g.g.g.g (FW3 Inside)


FW2:

! NAT EXEMPTION:
! source = FW2's own inside subnet, destination = the subnet behind FW3 (matches the crypto ACL below)
nat (inside,outside) source static REMOTE_SUBNET_FW2 REMOTE_SUBNET_FW2 destination static REMOTE_SUBNET_FW3 REMOTE_SUBNET_FW3

! IDENTIFY INTERESTING TRAFFIC TO SEND INTO TUNNEL (L2L CRYPTO MAP):
access-list FW2_to_FW1 extended permit ip object REMOTE_SUBNET_FW2 object REMOTE_SUBNET_FW3
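As an added worked example (not from the original post), here are the same FW1 and FW2 pieces with the object definitions filled in and a verification step at the end. Addresses are constructed: 10.2.0.0/24 is the LAN behind the L2L peer FW2, 10.3.0.0/24 the LAN behind the EZVPN hardware client FW3, 203.0.113.1 FW1's upstream next hop; interface names are assumed to be inside/outside.

```cisco
! ===== FW1 (hub: terminates the L2L tunnel to FW2 and the EZVPN session from FW3) =====
object network REMOTE_SUBNET_FW2
 subnet 10.2.0.0 255.255.255.0
object network REMOTE_SUBNET_FW3
 subnet 10.3.0.0 255.255.255.0

! Both subnets enter and leave on "outside", so the identity NAT is outside->outside
nat (outside,outside) source static REMOTE_SUBNET_FW2 REMOTE_SUBNET_FW2 destination static REMOTE_SUBNET_FW3 REMOTE_SUBNET_FW3

! L2L crypto ACL: FW3's LAN must be a permitted source toward FW2's LAN
access-list FW1_to_FW2 extended permit ip object REMOTE_SUBNET_FW3 object REMOTE_SUBNET_FW2

! Split-tunnel list for the EZVPN group policy: push FW2's LAN so FW3 sends it up the tunnel
access-list FW3_SPLIT_TUNNEL standard permit 10.2.0.0 255.255.255.0

! Without this a packet that arrives on outside and must leave on outside is dropped
same-security-traffic permit intra-interface

! Both remote LANs are reached via the outside interface (constructed next hop)
route outside 10.2.0.0 255.255.255.0 203.0.113.1
route outside 10.3.0.0 255.255.255.0 203.0.113.1

! Verification: simulate a packet from FW3's LAN arriving on outside, bound for FW2's LAN.
! Expect the identity NAT rule to match, an encrypt step in the VPN phase and a final "allow".
! A drop in the NAT, route-lookup or intra-interface phase points at the matching line above.
packet-tracer input outside tcp 10.3.0.10 40000 10.2.0.10 443

! After real traffic flows, confirm an SA exists for the hair-pin proxy pair
! (<FW2-public-IP> is a placeholder for FW2's peer address):
show crypto ipsec sa peer <FW2-public-IP> | include local ident|remote ident

! ===== FW2 (L2L spoke) =====
object network REMOTE_SUBNET_FW2
 subnet 10.2.0.0 255.255.255.0
object network REMOTE_SUBNET_FW3
 subnet 10.3.0.0 255.255.255.0

! source = FW2's own inside subnet, destination = the subnet behind FW3
nat (inside,outside) source static REMOTE_SUBNET_FW2 REMOTE_SUBNET_FW2 destination static REMOTE_SUBNET_FW3 REMOTE_SUBNET_FW3
access-list FW2_to_FW1 extended permit ip object REMOTE_SUBNET_FW2 object REMOTE_SUBNET_FW3

! Verification from the spoke side: expect identity NAT, then encrypt via the crypto map
packet-tracer input inside tcp 10.2.0.10 40000 10.3.0.10 443
```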
