07-04-2007 02:54 PM - edited 03-03-2019 05:43 PM
Hi Everyone,
We have a setup on an ASA with two IPsec tunnels, one to Site A (10.0.1.x) and one to Site B (10.0.2.x); incidentally, the head office where the ASA is located is 10.0.0.x. We now need to set it up so that Site A can communicate with Site B.
I have carried out some investigation and I know that I need to use the same-security-traffic permit intra-interface command to allow traffic to come in and out of the same interface, but I still can't get things to work.
I configured both sides of the tunnel for Site A and Site B to allow traffic from 10.0.1.x to 10.0.x.x and 10.0.2.x to 10.0.x.x.
Actually, here is the config. Does anyone have any ideas? I would really appreciate it, as I am running around in circles.
same-security-traffic permit intra-interface
access-list acl-outside extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list acl-outside extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list acl-outside remark --- Permit Inbound access from Site A ---
access-list acl-outside extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list acl-outside remark --- Permit Inbound access from Site B ---
access-list acl-outside extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list acl-inside remark --- Permit Outbound Access to Site A ---
access-list acl-inside extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list acl-inside remark --- Permit Outbound Access to Site B ---
access-list acl-inside extended permit ip 10.0.0.0 255.255.0.0 10.0.2.0 255.255.255.0
access-list vpn-siteA remark --- Encrypt traffic to Site A ---
access-list vpn-siteA extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list vpn-siteB remark --- Encrypt traffic to Site B ---
access-list vpn-siteB extended permit ip 10.0.0.0 255.255.0.0 10.0.2.0 255.255.255.0
access-list inside_nat0_outbound remark --- NONAT for Site A ---
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound remark --- NONAT for Site B ---
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
access-group acl-outside in interface outside
access-group acl-inside in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map outside_map 20 match address vpn-siteA
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 25 match address vpn-siteB
crypto map outside_map 25 set peer x.x.x.x
crypto map outside_map 25 set transform-set ESP-3DES-SHA
crypto map outside_map 25 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
07-05-2007 04:45 AM
It looks like you may need to add the interesting traffic for the communication between the remote LANs.
access-list vpn-siteA extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list vpn-siteB extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
Please rate helpful posts.
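An added example, not from this thread: a small Python checker that parses the hub's crypto ACL and crypto map lines and reports which spoke-to-spoke entries each crypto ACL is missing, which is the check the reply above makes by hand. It assumes the hub LAN is 10.0.0.0/16 as in the posted crypto ACLs; the config string is constructed from the lines posted above.

```python
"""Find crypto ACL entries a hub ASA needs for spoke-to-spoke (hairpinned) traffic."""
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

# Constructed from the hub config posted in this thread (only the relevant lines).
HUB_CONFIG = """
access-list vpn-siteA extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list vpn-siteB extended permit ip 10.0.0.0 255.255.0.0 10.0.2.0 255.255.255.0
crypto map outside_map 20 match address vpn-siteA
crypto map outside_map 25 match address vpn-siteB
"""


def _net(addr, mask, line):
    # strict=True rejects a network with host bits set, e.g. 10.0.2.0 255.255.0.0
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=True)
    except ValueError as exc:
        raise ValueError(f"bad network/mask in: {line}") from exc


def parse(config):
    """Return ({acl_name: [(src_net, dst_net)]}, {crypto_map_seq: acl_name})."""
    acls, maps = defaultdict(list), {}
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls[name].append((_net(s, sm, line), _net(d, dm, line)))
        elif m := MAP_RE.match(line):
            maps[int(m.group(2))] = m.group(3)
    return acls, maps


def missing_spoke_entries(config, hub_net):
    """ASA ACL lines to add so every spoke can reach every other spoke via the hub."""
    hub = ipaddress.ip_network(hub_net)
    acls, maps = parse(config)
    # Each tunnel's remote LAN(s): destinations the hub already encrypts toward.
    remotes = {seq: [d for s, d in acls[acl] if s == hub] for seq, acl in maps.items()}
    missing = []
    for seq_a, acl_a in maps.items():
        for seq_b in maps:
            if seq_a == seq_b:
                continue
            # Traffic from spoke B's LAN to spoke A's LAN must match tunnel A's crypto ACL.
            for src in remotes[seq_b]:
                for dst in remotes[seq_a]:
                    if (src, dst) not in acls[acl_a]:
                        missing.append(f"access-list {acl_a} extended permit ip "
                                       f"{src.network_address} {src.netmask} "
                                       f"{dst.network_address} {dst.netmask}")
    return missing
```

Run against the posted config it prints the two vpn-siteA/vpn-siteB lines suggested in the reply; a mask that does not fit its network (such as 255.255.0.0 on 10.0.2.0) is rejected with the offending line.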
07-05-2007 05:02 AM
You will also need to add the interesting traffic to the ACLs at the remote sites.
SiteA needs...
access-list
SiteB needs...
access-list