
ASA5508 VPN to another ASA Hosts



I am trying to achieve something complicated (for me at least) and I was wondering if someone can assist me.


Simple diagram,

ASA1 -----VPN------ASA2------VPN-------VPN ASA3

Lan1                            LAN2                                LAN3 hosts


ASA2 hosts can communicate with ASA1 hosts and with ASA3 hosts. What I am trying to do is to make communication from ASA3 hosts to ASA1 hosts go through ASA2 (does that make sense?)

Can anyone give me an idea on how to do that?

Can I simply make the objects on ASA2 (for ASA1 hosts and ASA3 hosts) and configure ACLs?

So the tunnel between ASA3 and ASA2 will be active, but hosts from ASA3 will be able to reach ASA1.


Thanks in advance

I always rate :)



7 Replies

Seb Rupik, VIP Advisor

Hi there,

Assuming a simple network with no NAT, then it would simply be a case of defining ACLs on ASA2 which would permit LAN1 and LAN3 to communicate.

To make the solution more scalable you would typically create an IPsec tunnel between ASA1 and ASA3; the benefit here is that ASA2 no longer needs to be configured with ACLs to permit the various flows between the VLANs, just a single ACL to permit the tunnel.


Crypto maps would be placed on the interfaces connecting towards ASA2, which would encapsulate the LAN1 <-> LAN3 flows.




Yes, that was my reply also. But you see, they want their traffic to pass through ASA2 :)
So I am guessing, since ASA2 can communicate with ASA1 and ASA3, it's a matter of implementing ACLs on ASA2 for hosts on ASA3 and ASA1. Right?

Hello @Fotiosmark,


Yes, you need to apply the ACL, but on all of them; this is an example.

ACL from ASA1-subnet to ASA3-subnet

On crypto sequence to ASA1:
ACL from ASA3-subnet to ASA1-subnet

On crypto sequence to ASA3:
ACL from ASA1-subnet to ASA3-subnet

ACL from ASA3-subnet to ASA1-subnet


Obviously you need to take care of the NAT exemption on ASA1 and ASA3; also, on ASA2, check if "same-security-traffic" is enabled. Look with this command: show run | in same-security-traffic


That should be all.
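
Added example (not from this thread, and not Cisco's own tooling): a Python check for the hub-side requirement described in the reply above. It parses a constructed running-config excerpt for the hub (ASA2 in the diagram), reports which spoke-to-spoke permit lines each crypto map entry's match-address ACL is still missing, and reports whether the hub allows traffic to enter and leave on the same outside interface (`same-security-traffic permit intra-interface`). The subnets (10.1.0.0/24 for LAN1, 10.2.0.0/24 for LAN2, 10.3.0.0/24 for LAN3), the ACL names, the crypto map name and the peer addresses are assumptions. The NAT exemption on ASA1 and ASA3 and the spokes' own crypto ACLs are not checked here.

```python
import re
from ipaddress import ip_network

# Constructed hub (ASA2) config, hub-and-spoke only: LAN1 <-> LAN3 is not
# in either crypto ACL, so the hub never selects that traffic for a tunnel.
HUB_BEFORE = """
access-list VPN-TO-ASA1 extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN-TO-ASA3 extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-TO-ASA1
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 20 match address VPN-TO-ASA3
crypto map OUTSIDE_MAP 20 set peer 203.0.113.3
crypto map OUTSIDE_MAP interface outside
"""

# Same hub after the fix: each tunnel ACL also carries the other spoke's LAN,
# and traffic may re-enter and leave on the same (outside) interface.
HUB_AFTER = HUB_BEFORE + """
access-list VPN-TO-ASA1 extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN-TO-ASA3 extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
same-security-traffic permit intra-interface
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
HAIRPIN = "same-security-traffic permit intra-interface"


def parse_hub(config):
    """Return (acls, entries, hairpin): ACL name -> [(src, dst)], seq -> ACL name, bool."""
    acls, entries, hairpin = {}, {}, False
    for line in config.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((ip_network(f"{s}/{sm}"), ip_network(f"{d}/{dm}")))
            continue
        m = MATCH_RE.match(line)
        if m:
            entries[int(m.group(2))] = m.group(3)
        elif line == HAIRPIN:
            hairpin = True
    return acls, entries, hairpin


def missing_spoke_to_spoke(config):
    """Sorted (seq, src, dst) permits the hub's crypto ACLs still need.

    For every pair of crypto map entries A and B, the LANs behind B must be
    permitted towards the LANs behind A in A's ACL (and vice versa).
    """
    acls, entries, _ = parse_hub(config)
    # On the hub, the remote side of a tunnel ACL is its destination networks.
    remote = {seq: {d for _, d in acls.get(acl, [])} for seq, acl in entries.items()}
    missing = set()
    for a, acl_a in entries.items():
        have = set(acls.get(acl_a, []))
        for b in entries:
            if a == b:
                continue
            for ra in remote[a]:
                for rb in remote[b]:
                    if ra != rb and (rb, ra) not in have:
                        missing.add((a, str(rb), str(ra)))
    return sorted(missing)


def hairpin_permitted(config):
    """True if the hub may forward traffic back out the interface it arrived on."""
    return parse_hub(config)[2]


def suggested_lines(config):
    """Render the missing pieces as ASA config lines to add on the hub."""
    _, entries, _ = parse_hub(config)
    lines = []
    for seq, src, dst in missing_spoke_to_spoke(config):
        s, d = ip_network(src), ip_network(dst)
        lines.append(f"access-list {entries[seq]} extended permit ip "
                     f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}")
    if not hairpin_permitted(config):
        lines.append(HAIRPIN)
    return lines


if __name__ == "__main__":
    for line in suggested_lines(HUB_BEFORE):
        print(line)
    print("after fix, still missing:", missing_spoke_to_spoke(HUB_AFTER))
```

Running it against the hub-and-spoke config prints the two mirror access-list lines and the same-security-traffic line; against the fixed config it reports nothing missing. As the reply says, the mirror entries (LAN1 to LAN3 on ASA1, LAN3 to LAN1 on ASA3) still have to exist in the spokes' own crypto ACLs, together with NAT exemption for those flows, or the spokes will not send the traffic into the tunnel in the first place.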




Yes, if they want the traffic to pass through ASA2 'in the clear' then you will need to configure ACLs that will permit all flows (either IP, or specific TCP/UDP) between LAN1 and LAN3 hosts.





Hello @Fotiosmark


You can follow this guide and you should be able to make the changes properly to make it work, the trick is on the "Hub" device and for information purposes, Cisco refers to this configuration as "VPN Spoke to Spoke"...


If you like, you can upload your sanitized configuration in here and we can take a look. 




Seems that might do it.
I will need to try it though and come back. I only have access to Spoke1 and the Hub (as on the link). Spoke2 needs to be configured from the other side.

Anyhow, they wanted to use public IPs; that's why they had to go through another ASA (the Hub is using the publics), therefore it hits a CentOS box and they made a proxy on the CentOS to forward traffic to the other side.
The thing is that we can contact the other side, but they can't reach us (and I only have access to the two ASAs, not the third one, which is a Huawei firewall).