Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
526
Views
0
Helpful
1
Replies

Site2 IPSEC Tunnel to enable traffic between Site1 & Customer

MohammedAhmedAqeel7633
Level 1
Level 1

‎07-24-2019 06:20 PM

Hello Community members,

 

I need your help with a requirement that we have.

We have IPSEC Tunnels established, as below:
IPSEC Tunnel established between Site1 (Austria) & site2 (Sydney)
IPSEC Tunnel established between Site2 (Sydney) & Customer (Perth)
There is NO IPSEC Tunnel between Site1 (Austria) & Customer (Perth)

 

Customer (Perth)
Server1 : 172.25.94.4
Server2 : 172.25.94.5

 

There are 3 destination addresses in Site1 (Austria), that are required to be reachable from above Customer servers
172.27.1.5
172.28.36.102
172.28.36.208

 

Site2 (Sydney) is under subnet 192.168.171.0/24, which is allowed by Customer in their firewall

 

Situation:
Site2 (Sydney) is able to access the destination addresses in Site1 (Austria)
Site2 (Sydney) is also able to access the servers at Customer (Perth)
Customer (Perth) servers are not able to reach the destination addresses in Site1 (Austria)

 

I don't know how best i could have put this across, but I did try my best :)

I will be happy to answer any questions that could help with this.

 

Thanks in advance.

 

Regards.

Labels:
0 Helpful
1 Reply 1

Francesco Molino
VIP Alumni
VIP Alumni

‎07-24-2019 07:55 PM

Hi

You can use Sydney vpn to allow communication between Austria and Perth.

There's the nat solution but you'll need to add a subnet in your crypto acl to allow a nat 1:1.

The best solution, as you'll need to modify something, would be:
- on vpn between Austria and Sydney, add Perth subnets as destination for Austria and as source for Sydney.
- on vpn between Sydney and Perth, add Austria subnets as source for Sydney and as destination on Perth
- on Sydney, allow traffic to come in and go out the same interface (same-security-traffic permit intra-interface)
- on Sydney, configure your exempt nat by telling no nat between Austria and Perth.

That's it. It should work that way if you don't want to create a 3rd L2L between Austria and Perth.

Is that clear?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card