Re: ASA5508 VPN to another ASA Hosts

Fotiosmark · ‎10-23-2018

Hello

I am trying to achieve something complicated (for me atleast) and I was wondering If someone can assist me.

Simple diagram,

ASA1 -----VPN------ASA2------VPN-------VPN ASA3

Lan1 LAN2 LAN3 hosts

ASA2 hosts can communicate with ASA1 hosts and with ASA3 hosts. What I am trying to do is to make communication from ASA3 hosts to ASA1 hosts through out ASA2 (make any sense?)

Can anyone give me an idea on how to do that?

Can I simply make the objects on ASA2 (for ASA1 hosts and ASA3 hosts) and configure ACLs.

So therefore the tunner between ASA3 and ASA2 will be active, but hosts from ASA3 will be able to reach ASA1

Thanks in advance

I always rate :)

Seb Rupik · ‎10-23-2018

Hi there,

Assuming a simple network with no NAT, then it would simply be a case of defining ACLs on ASA2 which would permit LAN1 and LAN3 to communicate.

To make the solution more scalable you would typically create an IPSec tunnel between ASA1 and ASA3, the benefit here is that ASA2 no longer needs to be configured with ACLs to permit the various flows between the VLANs. Just a single ACL to permit the tunnel.

Crypto maps would be placed on the interfaces connecting towards ASA2 which would encapsulate to LAN1 <-> LAN3 flows.

Cheers,

Seb.

Fotiosmark · ‎10-23-2018

Yes, that was my reply also. But you see, they want their traffic to pass though ASA2 :)
So I am guessing since ASA2 can communicate with ASA1 and ASA3, its a matter of implementing ACLs on ASA2 for Hosts on ASA3 and ASA1. Right?

GioGonza · ‎10-23-2018

Hello @Fotiosmark,

Yes, you need to apply the ACL but on all of them, this is an example.

ASA1:

ACL from ASA1-subnet to ASA3-subnet

ASA2:

On crypto sequence to ASA1

ACL from ASA3-subnet to ASA1-subnet

On crypto sequence to ASA3

ACL from ASA1-subnet to ASA3-subnet

ASA3:

ACL from ASA3-subnet to ASA1-subnet

Obviously you need to take care for the NAT Exemption on ASA1 and ASA3, also on ASA2 check if "same-security-traffic" is enabled, look with this command show run | in same-security -traffic

That should be all,

HTH

Gio

Seb Rupik · ‎10-23-2018

Yes, if they want the traffic to pass through ASA2 'in the clear' then you will need to configure ACLs that will permit all flows (either IP, or specific TCP/UDP) between LAN1 and LAN3 hosts.

cheers,

Seb.

GioGonza · ‎10-23-2018

Hello @Fotiosmark,

You can follow this guide and you should be able to make the changes properly to make it work, the trick is on the "Hub" device and for information purposes, Cisco refers to this configuration as "VPN Spoke to Spoke"... https://community.cisco.com/t5/security-documents/cisco-asa-vpn-spoke-to-spoke-communication-via-the-hub/ta-p/3154011

If you like, you can upload your sanitized configuration in here and we can take a look.

HTH

Gio

Fotiosmark · ‎10-23-2018

seems that https://community.cisco.com/t5/security-documents/cisco-asa-vpn-spoke-to-spoke-communication-via-the-hub/ta-p/3154011 might do it.
I will need to try it though and come back. I only have access to Spoke1 and the Hub (as on the link). Spoke2 need to be configured from the other side.

Fotiosmark · ‎10-25-2018

anyhow, they wanted to use Public IPs thats why they had to go through another ASA (the Hub is using the publics) therefore it hits a CEntos and they made a proxy on the centos to forward traffic to the other side.
The thing is that we can contact the other side, but they can't reach us (and I only have access to the two ASA not the third one which is a Huawei Firewall)