Configure to integrate Cisco ASA and JOINT

Hello

We have Cisco ASA and JOINT, need assistance on the integration of the same thing; Please email me so that I'll share the details of the architecture.

Thank you best regards &,.

REDA

Hi reda,.

If I correctly your diagram, you do not want to send any traffic from the external switch to the JOINT with a SPAN port and all traffic from your DMZ interfaces with another.

Is this correct?

If so, can you tell me why you want to inspect the traffic before it goes through the firewall? As I said in my original answer, we generally advise putting IP addresses after the firewall.

Not to mention that in your case, I guess that some traffic will be inspected twice so you will need to assign a different virtual sensors to each JOINT internal interfaces to ensure that the same instance does not see the traffic of several times.

Kind regards

Nicolas

Tags: Cisco Security

Similar Questions

  • The traffic load between the power of Cisco ASA and FireSight Management Center fire

    Hi all

    I have a stupid question to ask.

    Can I know what is the traffic load and the e/s flow between firepower Cisco ASA and FireSight Management Center?

    Currently working on a project, client require such information to adapt to their network. Tried to find in the document from Cisco, but no luck.

    Maybe you all have no idea to provide.

    It varies depending on the number of events reported from the module to the CSP. No event = only health controls and policy changes are exchanged. 10,000 events per second = much more traffic.

    Generally it is not a heavy load, however.

  • Cisco ASA and dynamic VPN L2L Fortigate configuration

    I met a problem recently with an ASA 5510 (7.0) and a bunch of Fortigate 50 (3.0 MR7). The ASA is the hub and Fortigates are rays with a dynamic public IP.

    I followed this document on the site Web of Cisco (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml) to set up my ASA and the parameters passed to my counterparts to set up their Fortigates.

    However, the ASA journal reveals that attemtps Fortigate connection always tried with DefaultRAGroup before falling back to DefaultL2LGroup and finally died. Experience with putting in place a dynamic VPN between Cisco and Fortigate someone? Which could not fail at each end? Here's a typical piece of error log ASA. The ASA is currently having a static VPN tunnel and a site-2-client VPN in two groups by default.

    6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    6. January 10, 2011 20:58:41 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:41 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    4. January 10, 2011 20:58:39 | 713903: Group = DefaultL2LGroup, IP = 116.230.243.205, ERROR, had decrypt packets, probably due to problems not match pre-shared key.  Abandonment
    5. January 10, 2011 20:58:39 | 713904: Group = DefaultL2LGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
    6. January 10, 2011 20:58:39 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, WARNING, had decrypt packets, probably due to problems not match pre-shared key.  User switching to the tunnel-group: DefaultL2LGroup
    5. January 10, 2011 20:58:39 | 713904: Group = DefaultRAGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
    4. January 10, 2011 20:58:33 | 713903: Group = DefaultRAGroup, IP = 116.230.243.205, error: cannot delete PeerTblEntry
    3. January 10, 2011 20:58:33 | 713902: Group = DefaultRAGroup, IP = 116.230.243.205, Removing peer to peer table has no, no match!
    6. January 10, 2011 20:58:33 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:33 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    6. January 10, 2011 20:58:25 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:25 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    6. January 10, 2011 20:58:21 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:21 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    5. January 10, 2011 20:58:19 | 713904: IP = 116.230.243.205, encrypted packet received with any HIS correspondent, drop

    Yes, sounds about right. He will try to match with the DefaultRAGroup first, and when you know that it's a dynamic IPSec in LAN-to-LAN, it will be

    then back to the DefaultL2LGroup, because he doesn't know if the VPN Client or L2L again when he is contacted fist as they are connecting from dynamic IP peer.

    You must ensure that your L2L tunnel-group by default has been configured with the corresponding pre-shared key.

    Assuming that you have configured the dynamic map and assign to the card encryption.

    Here is an example of configuration where ASA has a static and peripheral ip address pair has dynamic IP:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

    Hope that helps.

  • IPSec vpn cisco asa and acs 5.1

    We have configured authentication ipsec vpn cisco asa acs 5.1:

    Here is the config in cisco vpn 5580:

    standard access list acltest allow 10.10.30.0 255.255.255.0

    RADIUS protocol AAA-server Gserver

    AAA-server host 10.1.8.10 Gserver (inside)

    Cisco key

    AAA-server host 10.1.8.11 Gserver (inside)

    Cisco key

    internal group gpTest strategy

    gpTest group policy attributes

    Protocol-tunnel-VPN IPSec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list acltest

    type tunnel-group test remote access

    tunnel-group test general attributes

    address localpool pool

    Group Policy - by default-gpTest

    authentication-server-group LOCAL Gserver

    authorization-server-group Gserver

    accounting-server-group Gserver

    IPSec-attributes of tunnel-group test

    pre-shared-key cisco123

    GBA, we config user group: VPN users. all VPN users in this group. ACS can visit his political profile: If the user in the 'VPN users' group, access ACS.

    When we connect from a VPN Client to the server, all users connect to success. When you see the parser in ACS journal, each user success connect also get

    error:

    22040 wrong password or invalid shared secret

    (pls see picture to attach it)

    the system still works, but I don't know why, we get the error log.

    Thanks for any help you can provide!

    Duyen

    Hello Duyen,

    I think I've narrowed the issue. When remote access VPN using RADIUS authentication we must keep in mind that authentication and authorization are included on the same package.

    Depending on your configuration, the ACS is defined as a server RADIUS (Gserver Protocol radius aaa server) and becomes the VPN Tunnel authenticated and 'authorized' on this server group:

    authentication-server-group LOCAL Gserver

    authorization-server-group Gserver

    As noted above, the RADIUS of request/response includes authentication and authorization on the same package. This seems to be a problem of incorrect configuration that we should not set up the 'permission' in the Tunnel of the group.

    Please remove the authorization under the Tunnel of Group:

    No authorization-server-group Gserver

    Please test the connection again and check the logs of the ACS. At this point there are only sucessful newspaper reported on the side of the ACS.

    Is 'Permission-server-group' LDAP permission when authenticating to a LDAP server so to retrieve the attributes of permission on the server. RAY doesn't have the command as explained above.

    I hope this helps.

    Kind regards.

  • IKE Dead Peer Detection between Cisco ASA and Cisco PIX

    I have a network environment in Star with about 30 offices of satellite remote using VPN Site to Site connectivity.  The majority of remote satellite offices have the features of Cisco PIX 501 running PIX Version 6.3.  The hub office runs a version 8.2 (1) Cisco ASA.

    I configured Dead Peer Detection on the Cisco ASA device at the office hub with the default settings of the following-

    Confidence interval - 10 seconds

    Retry interval - 2 seconds

    I think I'm right assuming that raises are limited to 3 before the tunnel is completely demolished.  Basically, the problem that I am facing is with several remote satellite offices.  What seems to be the case, the tunnel between the remote offices and the hub is demolished (probably because of the length of IKE, always 86400 seconds) and the tunnel then fails to renegotiate unless traffic is physically forced from the hub office.  The tunnel NOT to renegotiate after satellite office, ONLY the end of the hub; so that means sending traffic to the satellite when the VPN tunnel is out of service, not to renegotiate the tunnel.  The Hub office is a colo and therefore traffic rarely comes to that end, the tunnel remains so down until manual intervention occurs and the ICMP traffic is forced into the tunnel.

    Should the KeepAlive and retry interval settings corresponds to both ends, for example if the two devices be configured for DPD?

    What are the potential pitfalls to the extension of the life of IKE, and this will help or even hinder the problem?

    Thank you in advance for helping out with this.

    Hi Nicolas,.

    I think that the two DPD settings must match on both ends, if these do not match then problems like yours might arise which seems to happen here, is that one end shows a tunnel down, but the other end may not detect it down, we could have to watch debugs, or record two ends to see if this is the case , setting in the meantime ike DPD for same timers could hetlp on.

    In regard to the increase in the life expectancy of IKE, well you just need to be aware that this could allow keys to be discovered since these are not renegotiated unless the tunnel is down on the level of IKE. Other than that I don't see why this would affect you.

  • Cisco ASA and AnyConnect VPN certificate error

    Hello

    I am trying to configure Cisco AnyConnect VPN and everything works, but I get this warning message when the connection is opened:

    I don't have public certificate in ASA. Is it possible to use the self-signed certificate and get rid of this warning message?

    Hello

    This is expected behavior on the SAA for an SSL connection. You can certainly use the certificate self-signed on the SAA and then apply it on the external interface.
    Once done, you will need to install this certificate on the clients and this will alleviate the popup error message.

    Here is a document that you can refer to create a self-signed certificate.
    https://supportforums.Cisco.com/document/44116/ASA-self-signed-certificate-WebVPN

    Kind regards
    Dinesh Moudgil

    PS Please note the useful messages.

  • SSL VPN from Cisco ASA and ACS 5.1 change password

    Dear Sir.

    I am tring configure ASA to change the local password on ACS 5.1. When the user access with ssl vpn if the ACS 5.1 password expiration date. ASA will display the dialog box or window popup to change the password. But it does not work. I'm tring to Setup with the functionality of password management on the SAA. When I enable password management it will not work and is unable to change the password. Could you tell me about this problem?

    Thank you

    Aphichat

    Dear Sir,

    I'm tring to setup ASA to change local password on ACS 5.1. When user access with ssl vpn if password on ACS 5.1 expire. ASA will show dialog box or pop-up to change password. But It don't work. I'm tring to setup with password management feature on ASA . When I enable password management it don't work and can't to change password. Could you advise me about this problem?

    Thank you

    Aphichat

    Hi Aphichat,

    Go to the password link below change promt via AEC in ASA: -.

    https://supportforums.Cisco.com/docs/doc-1328;JSESSIONID=A51E68318579261787BD60DDA0707819. Node0

    Hope to help!

    Ganesh.H

    Don't forget to note the useful message

  • IPSec VPN between Cisco ASA and Fortigate1000

    Hello

    I find a useful document on how to create a tunnel VPN IPSec with ASA 5510 firewall Fortigate 1000...

    the configuration of the coast FG is done without any problem, BUT the document (. doc FG) said I must configure the ASA with a GRE interface and assign an internal IP address in order to communicate with the FG...

    The question is: How do I configure the interface on the SAA ACCORD?

    Thanks in advance, Experts...

    Kind regards...

    ASA firewall does not support the interface/GRE GRE tunnel.

    If you need to have GRE configured, you will need to complete the GRE tunnel on router IOS.

    If you want to configure just pure tunnel VPN IPSec (lan-to-lan), here is an example of configuration on the side of the ASA:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml

    Hope that helps.

  • Problem Cisco ASA and downloadable ACLs

    Hi all

    Can someone shed some light on how configure ACS for acl user base download.

    We used the TACCAS for remote access user authentication.

    I need a config on ASA or should I just set up the strategy of /authorisation element profile and link the user profile?

    Thanks in advance

    Example of configuration.

  • Cisco asa active multiple interfaces on a single switch without configuration of vlan switch.

    I was wondering if there is a work around on cisco asa to have 2 interfaces vlan on a switch. The reason I ask I have a cisco asa 5505 and a dell switch that does not support the configuration of VLANs. I set up 2 interface vlan on a cisco asa and when two interfaces are active my internet drops frequently. I was wondering if there is nothing to configure the asa cisco to make this thing work. Thanks in advance...

    Assuming that Dell switch at least linking several interfaces of the ASA to the Dell should translate all media spanning tree protocols, but a bet covering the tree blocking State to avoid a tree covering loop.

    If the Dell does not support tree covering weight then you would be in very bad shape each broadcast packet would be will loop indefinitely and cause what we call a 'broadcast storm. "

    One way is not good and the other real harm.

  • IPSEC not Pkts on Cisco ASA

    Hi, please I need a help.

    I have an IPSEC tunnel with my Cisco ASA and a PFsense Peer, VPN is to include phase 2.

    But I could not send pkts on this VPN.

    My internal network - 10.2.0.0/17, 172.31.2.2/32 customer network

    ==========================

    FW - counterpart of the ipsec VPN - 01 # sho 177.154.83.34
    address of the peers: 177.154.83.34
    Tag crypto map: outside_map0, seq num: 4, local addr: 200.243.146.20

    access extensive list ip 10.2.0.0 outside_cryptomap_8 allow 255.255.128.0 host 172.31.2.2
    local ident (addr, mask, prot, port): (10.2.0.0/255.255.128.0/0/0)
    Remote ident (addr, mask, prot, port): (172.31.2.2/255.255.255.255/0/0)
    current_peer: 177.154.83.34

    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
          #pkts decaps: 2957, #pkts decrypt: 2957, #pkts check: 2957
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #send errors: 0, #recv errors: 1

    local crypto endpt. : 200.243.146.20/0, remote Start crypto. : 177.154.83.34/0
    Path mtu 1500, fresh ipsec generals 74, media, mtu 1500
    current outbound SPI: C1A13463
    current inbound SPI: 5B6B0EAB

    SAS of the esp on arrival:
    SPI: 0x5B6B0EAB (1533742763)
    transform: aes-256-esp esp-sha-hmac no compression
    running parameters = {L2L, Tunnel, PFS 2 group}
    slot: 0, id_conn: 9179136, crypto-card: outside_map0
    calendar of his: service life remaining key (s): 858
    Size IV: 16 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0xFFFFFFFF to 0xFFFFFFFF
    outgoing esp sas:
    SPI: 0xC1A13463 (3248567395)
    transform: aes-256-esp esp-sha-hmac no compression
    running parameters = {L2L, Tunnel, PFS 2 group}
    slot: 0, id_conn: 9179136, crypto-card: outside_map0
    calendar of his: service life remaining key (s): 858
    Size IV: 16 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001

    ===========================

    Entry packet - trace FW-VPN-01 # outside icmp 10.2.110.10 1 172.31.2.2 0

    Phase: 1
    Type:-ROUTE SEARCH
    Subtype: entry
    Result: ALLOW
    Config:
    Additional information:
    in 0.0.0.0 0.0.0.0 outdoors

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DECLINE
    Config:
    Implicit rule
    Additional information:

    Result:
    input interface: outdoors
    entry status: to the top
    entry-line-status: to the top
    output interface: outside
    the status of the output: to the top
    output-line-status: to the top
    Action: drop
    Drop-reason: flow (acl-drop) is denied by the configured rule

    ===============================

    FW-VPN-01 # sho running-config | 177.154.83.34 Inc.
    outside_map0 card crypto 4 peers set 177.154.83.34
    internal GroupPolicy_177.154.83.34 group strategy
    attributes of Group Policy GroupPolicy_177.154.83.34
    tunnel-group 177.154.83.34 type ipsec-l2l
    tunnel-group 177.154.83.34 general-attributes
    Group - default policy - GroupPolicy_177.154.83.34
    IPSec-attributes tunnel-group 177.154.83.34

    ==============================

    FW-VPN-01 # sho running-config | 172.31.2.2 Inc.
    network 172.31.2.2_32 object
    Home 172.31.2.2
    access-list sheep extended 10.2.0.0 ip allow 255.255.128.0 host 172.31.2.2
    access extensive list ip 10.2.0.0 inside_access_in allow 255.255.128.0 object 172.31.2.2_32
    permit access list extended ip object 10.2.0.0_17 object 172.31.2.2_32 outside_cryptomap_5
    permit access list extended ip object 10.2.0.0_17 object 172.31.2.2_32 outside_cryptomap_8
    NAT (inside, all) source 10.2.0.0_17 destination 10.2.0.0_17 static static 172.31.2.2_32 172.31.2.2_32 non-proxy-arp-search to itinerary

    so you see the packets traverse your inside interface but no response back. Please check if you have a route to 172.31.2.2 host in your internal network pointing traffic to the ASA.

    the package shows plotter drop because you run of out-of-in and in this case, you must specifically that traffic on the acl allow external interface. When the real traffic arrives through vpn, it checks for sysopt and then the interface access list is bypassed. but when you do a package tracer, simulated package does not in reality of vpn and therefore we have that allow outside interface acl for package tarcer to enable.

  • Management of Cisco ASA

    Hello

    We have about 50 + Cisco ASA and want to have centralized management software similar to Checkpoint-> Provider1 or McAfee Control Center or Fortinet-> Manager Forti.

    Already, we have CiscoWorks, but need something special to the firewall with firewall features, not only the backup media on the configurations such as CiscoWorks.

    Please advise what is the best option.

    Thank you

    I have it all running here to test, but it's the PRSM questions:

    Q. what ASA-X models make this application support?

    A. This tool will support all devices of the ASA - X ASA Software version 9.0 or higher. Please note that ASA 5505 is not supported by this tool.

    The whole FAQ speaks only ASA - X and not the ASAs inherited.

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5739/ps12635/qa_c67-713759.html

  • Cisco ASA 5510 VPN with PIX 515

    Hello

    I have VPN between Cisco ASA and Cisco PIX.

    I saw in my syslog server this error that appears once a day, more or less:

    Received a package encrypted with any HIS correspondent, drop

    I ve seen issue in another post, but in none of then the solution.

    Here are my files from the firewall configuration:

    Output from the command: 'show running-config '.

    : Saved
    :
    ASA Version 8.2 (1)
    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    card crypto WAN_map2 2 corresponds to the address WAN_cryptomap_1
    card crypto WAN_map2 2 set pfs
    card crypto WAN_map2 2 peer 62.80.XX game. XX
    map WAN_map2 2 game of transformation-ESP-DES-MD5 crypto
    card crypto WAN_map2 2 defined security-association 2700 seconds life
    card crypto WAN_map2 2 set nat-t-disable
    card crypto WAN_map2 WAN interface
    enable LAN crypto ISAKMP
    ISAKMP crypto enable WAN
    crypto ISAKMP policy 1
    preshared authentication
    the Encryption
    md5 hash
    Group 5
    lifetime 28800
    No encryption isakmp nat-traversal
    tunnel-group 62.80.XX. XX type ipsec-l2l
    tunnel-group 62.80.XX. IPSec-attributes of XX
    pre-shared-key *.

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    8.0 (4) version PIX
    !
    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    card encryption VPN_map2 3 corresponds to the address VPN_cryptomap_2
    card encryption VPN_map2 3 set pfs
    card crypto VPN_map2 3 peer 194.30.XX game. XX
    VPN_map2 3 transform-set ESP-DES-MD5 crypto card game
    card encryption VPN_map2 3 defined security-association life seconds 2700
    card encryption VPN_map2 3 set security-association kilobytes of life 4608000
    card VPN_map2 3 set nat-t-disable encryption
    VPN crypto map VPN_map2 interface
    crypto ISAKMP enable VPN
    crypto ISAKMP allow inside
    crypto ISAKMP policy 30
    preshared authentication
    the Encryption
    md5 hash
    Group 5
    lifetime 28800
    No encryption isakmp nat-traversal
    ISAKMP crypto am - disable
    attributes of Group Policy DfltGrpPolicy
    Protocol-tunnel-VPN IPSec
    tunnel-group 194.30.XX. XX type ipsec-l2l
    tunnel-group 194.30.XX. IPSec-attributes of XX
    pre-shared-key *.

    If you need more information dedailed ask me questions.

    Thanks in advance for your help.

    Javi

    Hi Javi,

    Please after the release of "see broadcasting DfltGrpPolicy of any political group." See if you have the "vpn-idle-timoeout" command configured in that. If so, please change to "vpn-idle-timeout no" and see if that stops at these popping up error messages.

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/uz.html#wp1571426

    Thank you and best regards,

    Assia

  • Private of IPSec VPN-private network between ASA and router

    Hello community,

    This is first time for me to configure IPSec VPN between ASA and router. I have an ASA 5540 at Headquarters and 877 router to EH Branch

    Headquarters ASA summary.

    Peer IP: 111.111.111.111

    Local network: 10.0.0.0

    Branch

    Peer IP: 123.123.123.123

    LAN: 192.168.1.0/24

    Please can someone help me set up the vpn.

    Hello

    This guide covers exactly what you need:

    Establishment of ASDM and SDM - http://www.netcraftsmen.net/resources/archived-articles/273.html

    Tunnel VPN - ASA to the router configuration:

    http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#ASDM

    Kind regards

    Jimmy

  • Routing with Cisco ASA 5520 VPN

    I have installed IPsec vpn remote users in the Cisco ASA 5520 using RADIUS in my main network. Works very well. I have a site to my Cisco ASA5520 tunnels going to other sites, some of the tunnels have Cisco ASA and some have SonicWalls. I wish that my users VPN remote IPSec to be able to navigate in these tunnels is a site to access remote subnets attached to these tunnels. Do I need to use a combination of routing and the ACL? Or can I just use ACL only? Or just use routing only?

    Thank you

    Carlos

    Hello

    The key to set up here is the two ACL of VPN L2L end points that determine the 'interesting' traffic to connect VPN L2L. You will also need to confirm that the connection of the VPN Client is configured so that traffic to the remote sites have sent to the connection of the VPN client. There are also other things that you should check on your ASA plant

    Here most of the things you usually have to confirm

    • Set up 'permit same-security-traffic intra-interface' if it is already present in your configuration

      • This setting will allow connections to form between the hosts that are connected to the same interface on the ASA. In this case, applies because the VPN client users are connected to the interface 'outside' of the ASA and also remote sites are connected to the ASA to "external". If the traffic between the remote VPN Client and VPN L2L sites will be to enter and exit the same interface
    • You will need to check how the customer if configured VPN connection. Split or full Tunnel tunnel
      • If the connection of the VPN Client is configured as Split Tunnel then you need to add all the networks from the remote to the Split Tunnel, so that the connections between the VPN Client is transmitted to the ASA and from there connections VPN L2L
      • If the connection of the VPN Client is configured as full Tunnel, then there no problem that all traffic is transferred to the Client VPN connection all its assets
    • Define the VPN pool in the ACL of VPN L2L
      • You should make sure that the pool network VPN Client is defined in the ACL that define 'interesting' traffic to connect VPN L2L. So, you need to add the pool VPN VPN L2L configurations on the sites of Central America and remote control
    • Configure NAT0 / NAT exempt for remote VPN Client to L2L VPN Site traffic at both ends of the VPN L2L
      • You must ensure that the NAT0 / exempt NAT rules exist for the VPN Client for Remote Site traffic. This will have to be configured on the SAA "outside" interface. Format of configuration varies naturally a bit on the ASA Central his software level.

    These should be the most common things to set up and confirm for traffic to flow between the VPN Client and Remote Sites

    Hope this helps please rate if yes or ask more if necessary.

    -Jouni

Maybe you are looking for