10-23-2018 06:15 AM - edited 02-21-2020 08:23 AM
Hello
I am trying to achieve something complicated (for me at least) and I was wondering if someone can assist me.
Simple diagram,
ASA1 -----VPN------ ASA2 -----VPN------ ASA3
LAN1 hosts          LAN2 hosts          LAN3 hosts
ASA2 hosts can communicate with ASA1 hosts and with ASA3 hosts. What I am trying to do is to make communication from ASA3 hosts to ASA1 hosts go through ASA2 (make any sense?)
Can anyone give me an idea on how to do that?
Can I simply make the objects on ASA2 (for ASA1 hosts and ASA3 hosts) and configure ACLs.
So the tunnel between ASA3 and ASA2 will be active, but hosts from ASA3 will be able to reach ASA1.
Thanks in advance
I always rate :)
10-23-2018 06:29 AM
Hi there,
Assuming a simple network with no NAT, then it would simply be a case of defining ACLs on ASA2 which would permit LAN1 and LAN3 to communicate.
To make the solution more scalable you would typically create an IPSec tunnel between ASA1 and ASA3; the benefit here is that ASA2 no longer needs to be configured with ACLs to permit the various flows between the VLANs, just a single ACL to permit the tunnel.
Crypto maps would be placed on the interfaces connecting towards ASA2 which would encapsulate to LAN1 <-> LAN3 flows.
Cheers,
Seb.
10-23-2018 07:05 AM
Hello @Fotiosmark,
Yes, you need to apply the ACL but on all of them, this is an example.
ASA1:
ACL from ASA1-subnet to ASA3-subnet
ASA2:
On crypto sequence to ASA1
ACL from ASA3-subnet to ASA1-subnet
On crypto sequence to ASA3
ACL from ASA1-subnet to ASA3-subnet
ASA3:
ACL from ASA3-subnet to ASA1-subnet
Obviously you need to take care of the NAT exemption on ASA1 and ASA3. Also, on ASA2 check if "same-security-traffic" is enabled; look with this command: show run | in same-security-traffic
That should be all,
HTH
Gio
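A hub-side configuration in the shape Gio describes, added here as an illustration; it is not from this thread or from Cisco's guide. Object names, ACL names, subnets, peer addresses and the transform-set name are assumed placeholders, and the syntax assumes ASA 8.4 or later.

```cisco
! Hub (ASA2). Objects and addresses below are constructed placeholders.
object network LAN1
 subnet 10.1.0.0 255.255.255.0
object network LAN2
 subnet 10.2.0.0 255.255.255.0
object network LAN3
 subnet 10.3.0.0 255.255.255.0
!
! Spoke-to-spoke traffic enters and leaves the same interface (outside);
! the ASA drops such hairpinned flows unless this is permitted.
same-security-traffic permit intra-interface
!
! Crypto ACL for the tunnel to ASA1: the hub's own LAN2->LAN1 traffic
! AND the LAN3->LAN1 traffic that arrives through the ASA3 tunnel.
access-list VPN_TO_ASA1 extended permit ip object LAN2 object LAN1
access-list VPN_TO_ASA1 extended permit ip object LAN3 object LAN1
!
! Crypto ACL for the tunnel to ASA3: mirror image of the above.
access-list VPN_TO_ASA3 extended permit ip object LAN2 object LAN3
access-list VPN_TO_ASA3 extended permit ip object LAN1 object LAN3
!
! NAT exemption for the hairpinned flow so it is re-encrypted untouched;
! both legs are on "outside", hence (outside,outside).
nat (outside,outside) source static LAN3 LAN3 destination static LAN1 LAN1 no-proxy-arp route-lookup
nat (outside,outside) source static LAN1 LAN1 destination static LAN3 LAN3 no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_ASA1
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address VPN_TO_ASA3
crypto map OUTSIDE_MAP 20 set peer 203.0.113.1
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! Spoke ASA1 (ASA3 is symmetric): the crypto ACL toward the hub must
! cover LAN3 as well as LAN2, and the NAT exemption must cover both.
access-list VPN_TO_HUB extended permit ip object LAN1 object LAN2
access-list VPN_TO_HUB extended permit ip object LAN1 object LAN3
nat (inside,outside) source static LAN1 LAN1 destination static LAN2 LAN2 no-proxy-arp route-lookup
nat (inside,outside) source static LAN1 LAN1 destination static LAN3 LAN3 no-proxy-arp route-lookup
```

After a test ping from LAN3 to LAN1, "show crypto ipsec sa peer <spoke>" on ASA2 should show encaps counters rising on both tunnels for the LAN3/LAN1 proxy identities; a counter that stays at zero on one side usually points at a crypto ACL or NAT exemption that does not match on that peer.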
10-23-2018 07:12 AM
Yes, if they want the traffic to pass through ASA2 'in the clear' then you will need to configure ACLs that will permit all flows (either IP, or specific TCP/UDP) between LAN1 and LAN3 hosts.
cheers,
Seb.
10-23-2018 06:35 AM
Hello @Fotiosmark,
You can follow this guide and you should be able to make the changes properly to make it work, the trick is on the "Hub" device and for information purposes, Cisco refers to this configuration as "VPN Spoke to Spoke"... https://community.cisco.com/t5/security-documents/cisco-asa-vpn-spoke-to-spoke-communication-via-the-hub/ta-p/3154011
If you like, you can upload your sanitized configuration in here and we can take a look.
HTH
Gio