Site to site vpn redirect traffic

hans0000111
Level 1

Hello all,

I've got a problem. I've got two sites which are connected with ASA 5505s. Both are connected via a VPN.

Site 1 and Site 2 (Site 2 is connected via a modem to the internet).

The networks from 1 and 2 are connected and see each other.

From site 1 I've got another VPN to a remote site (http access only). I need site 2 to connect to that network via the VPN in site 1.

Is this possible? And how can I set this up?

6 Replies

Oleg Volkov
Spotlight

Yes, it is possible.

You can add the inside subnet of site 2 to the access-list of the crypto map on the site 1 ASA (the crypto map that is used to encrypt traffic to the remote site).

Also, you need to add this subnet to the crypto map access-list on the remote site.

And add the remote site inside IP to the crypto map access-list on ASA 2.

Also, you can use NAT on ASA1, like this:

nat (outside,outside) source dynamic NETINSIDE2 IPFROMINSIDENET1 destination static REMOTESITEINSIDEIP REMOTESITEINSIDEIP

In this case, the remote host does not need to know the Inside 2 subnet.

Can you post the configurations from all ASAs and the remote site?

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog

Hello Oleg,

Thank you for your response. I've included both configs.

Site 1 is harlingen and site 2 is bolsward.

For site 2 it's only required that http is tunneled through (10.2.71.1).

Hans

Is your remote site's "inside" subnet 10.2.0.0 255.255.0.0?


Try this:

On the HARLINGEN ASA, add:

object network REMSITE_LAN
 subnet 10.2.0.0 255.255.0.0

access-list outside_cryptomap_1 extended permit ip object REMSITE_LAN object Bolsward-network

Select any unused IP in the local net, for example 10.152.11.10:

object network LOCAL_NAT_IP
 host 10.152.11.10

nat (outside,outside) source dynamic Bolsward-network LOCAL_NAT_IP destination static REMSITE_LAN REMSITE_LAN

On the bolsward ASA, add:

object network REMSITE_LAN
 subnet 10.2.0.0 255.255.0.0

access-list outside_cryptomap extended permit ip 10.152.11.128 255.255.255.192 object REMSITE_LAN

nat (inside,outside) source static NETWORK_OBJ_10.152.11.128_26 NETWORK_OBJ_10.152.11.128_26 destination static REMSITE_LAN REMSITE_LAN route-lookup
 


But traffic from the remote site to bolsward will not be passed unless it is initiated from bolsward.
If you want access from bolsward to the remote site, and also from the remote site to bolsward, you can add the bolsward inside subnet to the access-list on the remote site (and disable NAT from the remote site inside net to the bolsward inside net, if needed) and to the access-list outside_cryptomap on the HARLINGEN ASA:

access-list outside_cryptomap extended permit ip object Bolsward-network object REMSITE_LAN

and remove the twice NAT:
nat (outside,outside) source dynamic Bolsward-network LOCAL_NAT_IP destination static REMSITE_LAN REMSITE_LAN

and add this twice NAT:
nat (outside,outside) source dynamic Bolsward-network Bolsward-network destination static REMSITE_LAN REMSITE_LAN

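A consolidated view of the hub-and-spoke (hairpin) setup from the replies above, as an added example that is not part of the original thread or of the posted configs. It assumes the object names Bolsward-network and NETWORK_OBJ_10.152.11.128_26 already exist on the respective ASAs (as in the posted configs), that the Harlingen-to-remote-site crypto ACL already covers the Harlingen LAN that contains 10.152.11.10, and that the remote site is 10.2.0.0/16 as confirmed in the thread. The `same-security-traffic permit intra-interface` line is not mentioned in the thread; it is required on the hub ASA because the Bolsward traffic arrives on the outside interface (decrypted from the Bolsward tunnel) and must leave on the same outside interface (encrypted into the remote-site tunnel), which the ASA drops by default.

```text
! ===== HARLINGEN (hub) ASA =====
! Allow a flow to enter and exit the same interface (outside -> outside).
! Without this the hairpinned traffic is dropped before NAT or crypto.
same-security-traffic permit intra-interface

object network REMSITE_LAN
 subnet 10.2.0.0 255.255.0.0
object network LOCAL_NAT_IP
 host 10.152.11.10            ! unused address in the Harlingen LAN (assumption)

! Twice NAT: rewrite Bolsward sources to 10.152.11.10 only when the
! destination is the remote site. The crypto ACL toward the remote site is
! evaluated after NAT, so it only has to match 10.152.11.10, which the
! existing Harlingen LAN entry is assumed to cover already.
nat (outside,outside) source dynamic Bolsward-network LOCAL_NAT_IP destination static REMSITE_LAN REMSITE_LAN

! Crypto ACL of the Bolsward tunnel: return traffic (already un-NATed back
! to a Bolsward host) must be encrypted toward Bolsward.
access-list outside_cryptomap_1 extended permit ip object REMSITE_LAN object Bolsward-network

! ===== BOLSWARD (spoke) ASA =====
object network REMSITE_LAN
 subnet 10.2.0.0 255.255.0.0

! Identity NAT so the LAN addresses are not PATed to the outside address
! before crypto matching; route-lookup keeps the egress interface correct.
nat (inside,outside) source static NETWORK_OBJ_10.152.11.128_26 NETWORK_OBJ_10.152.11.128_26 destination static REMSITE_LAN REMSITE_LAN route-lookup

! Crypto ACL of the Harlingen tunnel: interesting traffic now includes the
! remote-site subnet, so it is sent into the existing tunnel to Harlingen.
access-list outside_cryptomap extended permit ip 10.152.11.128 255.255.255.192 object REMSITE_LAN

! ===== Verification (run on the Bolsward ASA; 10.152.11.130 is a constructed
! sample host in the Bolsward LAN) =====
! packet-tracer input inside tcp 10.152.11.130 40000 10.2.71.1 80
!   -> expect a NAT phase hitting the identity rule and a VPN phase
!      ("encrypt") for the Harlingen peer, ending in ALLOW.
! show crypto ipsec sa
!   -> the Harlingen SA should list 10.2.0.0/16 as a remote ident and
!      the #pkts encaps counter should rise while a host browses 10.2.71.1.
```

Two practical checks follow from this layout. First, the same-security-traffic setting is global: once it is on, any outside-to-outside flow that NAT and the interface ACLs allow can hairpin, so review what else those rules permit. Second, the crypto ACLs above match all IP to 10.2.0.0/16 although the requirement in the thread is HTTP to 10.2.71.1 only; if that restriction matters, enforce it with an interface ACL on the Bolsward inside interface (or on the remote-site side) rather than by adding ports to the crypto ACL, since mismatched crypto ACLs between peers are a common cause of phase 2 failures.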

Hello Oleg,

 

MANY THANKS, it works.

 

Hans Sietsema
