Site to Site to Site VPNs

microensure (Level 1)

I have 3 sites A, B, C all running Cisco ASA 5505s. I have VPN tunnels between all 3 sites and I am able to pass traffic from A to C via B.

But what I am not able to achieve is to also get traffic from B to C through the same VPN as the A to C traffic.

I'm sure this is totally possible, but I have tried and tried and keep hitting a brick wall.

Any pointers would be appreciated. (See diagram of what I am trying to achieve.)

1 Accepted Solution

Make the following changes:

!
! Outside_cryptomap_1 is the crypto ACL on the tunnel towards site A: add B -> A
access-list Outside_cryptomap_1 extended permit ip 10.60.2.0 255.255.255.0 10.13.1.0 255.255.255.0
!
! Outside_cryptomap_5 is the crypto ACL on the tunnel towards site C: add B -> C
access-list Outside_cryptomap_5 extended permit ip 10.60.2.0 255.255.255.0 10.23.1.0 255.255.255.0
!

You also need to configure NONAT (NAT exemption) for traffic B -> A/C:

!
object network OBJ-10.60.2.0-24
  subnet 10.60.2.0 255.255.255.0
!
! 10.60.2.0/24 sits behind the DMZ1 interface in the posted config, so the
! exemption must be on the (DMZ1,Outside) interface pair to match that traffic
nat (DMZ1,Outside) 1 source static OBJ-10.60.2.0-24 OBJ-10.60.2.0-24 destination static OBJ-10.13.1.0-24 OBJ-10.13.1.0-24 no-proxy-arp description NONAT
!
nat (DMZ1,Outside) 2 source static OBJ-10.60.2.0-24 OBJ-10.60.2.0-24 destination static OBJ-10.23.1.0-24 OBJ-10.23.1.0-24 no-proxy-arp description NONAT
!

You need to make similar changes to site-A and site-B to ensure the return traffic to site-B is not NAT'd and is then picked up by the crypto ACL.

cheers,

Seb.

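As an added check, not code from the thread or from Cisco: the script below parses the `object network`, `access-list ... extended permit ip`, `crypto map ... match address` and identity `nat ... source static X X destination static Y Y` lines of an ASA config excerpt and reports, for every flow that has to cross the hub, whether it has a crypto ACL entry, whether that entry appears in more than one crypto ACL (which would put the flow on the wrong tunnel), and whether it is exempt from NAT. The excerpts are constructed from the ASA-B config posted in the thread, using the site subnets the OP listed; the corrected excerpt assumes the exemption belongs on `(DMZ1,Outside)` because 10.60.2.0/24 is on the DMZ1 interface in that config. The checker does not verify interface pairs or peer addresses, only subnet coverage.

```python
"""Audit a hub ASA's crypto ACLs and NAT exemptions for a hub-and-spoke VPN.

Added example, not code from the thread or from Cisco. It parses the
'object network', 'access-list ... extended permit ip', 'crypto map ...
match address' and identity 'nat ... source static X X destination static
Y Y' lines of an ASA config and reports, for every flow that must transit
the hub, whether it has a crypto ACL entry and a NAT exemption.
"""
import ipaddress
import re
from itertools import combinations, permutations

# Constructed excerpt modelled on the ASA-B config posted in the thread.
ORIGINAL_CONFIG = """\
object network OBJ-10.23.1.0-24
 subnet 10.23.1.0 255.255.255.0
object network OBJ-10.13.1.0-24
 subnet 10.13.1.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 10.23.1.0 255.255.255.0 10.13.1.0 255.255.255.0
access-list Outside_cryptomap_5 extended permit ip 10.13.1.0 255.255.255.0 10.23.1.0 255.255.255.0
nat (Outside,any) source static OBJ-10.23.1.0-24 OBJ-10.23.1.0-24 destination static OBJ-10.13.1.0-24 OBJ-10.13.1.0-24 no-proxy-arp description NONAT
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 3 match address Outside_cryptomap_5
"""

# Same excerpt with the hub subnet added to both crypto ACLs and exempted from
# NAT. (DMZ1,Outside) is an assumption: 10.60.2.0/24 is on DMZ1 in the posted config.
FIXED_CONFIG = ORIGINAL_CONFIG + """\
object network OBJ-10.60.2.0-24
 subnet 10.60.2.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 10.60.2.0 255.255.255.0 10.13.1.0 255.255.255.0
access-list Outside_cryptomap_5 extended permit ip 10.60.2.0 255.255.255.0 10.23.1.0 255.255.255.0
nat (DMZ1,Outside) 1 source static OBJ-10.60.2.0-24 OBJ-10.60.2.0-24 destination static OBJ-10.13.1.0-24 OBJ-10.13.1.0-24 no-proxy-arp description NONAT
nat (DMZ1,Outside) 2 source static OBJ-10.60.2.0-24 OBJ-10.60.2.0-24 destination static OBJ-10.23.1.0-24 OBJ-10.23.1.0-24 no-proxy-arp description NONAT
"""

# Site subnets as the OP listed them; B is the hub that carries the transit traffic.
SITES = {
    "A": ipaddress.ip_network("10.13.1.0/24"),
    "B": ipaddress.ip_network("10.60.2.0/24"),
    "C": ipaddress.ip_network("10.23.1.0/24"),
}
HUB = "B"

OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^\s*subnet (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
CMAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) (?:\d+ )?source static (\S+) (\S+) destination static (\S+) (\S+)")


def net(addr, mask):
    """Build a network from ASA's 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Return (acls, crypto_acl_names, exempt_pairs) from an ASA config text."""
    objects, acls, crypto_acls, exempt = {}, {}, set(), set()
    current_obj = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := OBJ_RE.match(line):
            current_obj = m.group(1)
        elif (m := SUBNET_RE.match(line)) and current_obj:
            objects[current_obj] = net(m.group(1), m.group(2))
        elif m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            try:
                pair = (net(sa, sm), net(da, dm))
            except ValueError:  # object-group entries are not addr/mask pairs; skip them
                continue
            acls.setdefault(name, set()).add(pair)
        elif m := CMAP_RE.match(line):
            crypto_acls.add(m.group(1))
        elif m := NAT_RE.match(line):
            s1, s2, d1, d2 = m.groups()
            # Identity mapping (X X / Y Y) means no translation, and a static
            # rule applies in both directions.
            if s1 == s2 and d1 == d2 and s1 in objects and d1 in objects:
                exempt.add((objects[s1], objects[d1]))
                exempt.add((objects[d1], objects[s1]))
    return acls, crypto_acls, exempt


def audit(config, sites=SITES, hub=HUB):
    """Report flows with no crypto ACL entry, entries in two crypto ACLs, and missing NAT exemptions."""
    acls, crypto_acls, exempt = parse(config)
    # Crypto ACLs are written from the hub's side and match the reverse direction
    # implicitly, so hub->spoke covers spoke->hub. Spoke-to-spoke transit needs
    # its own entry on the tunnel towards each destination.
    required = [(s, d) for s, d in permutations(sites, 2) if d != hub]
    where = {}
    for name in sorted(crypto_acls):
        for pair in acls.get(name, ()):
            where.setdefault(pair, []).append(name)
    report = {"missing_crypto": [], "duplicate_crypto": [], "missing_nonat": []}
    for s, d in required:
        names = where.get((sites[s], sites[d]), [])
        if not names:
            report["missing_crypto"].append(f"{s}->{d}")
        elif len(names) > 1:
            report["duplicate_crypto"].append(f"{s}->{d} in {names}")
    for s, d in combinations(sites, 2):  # exemption is symmetric, so check unordered pairs
        if (sites[s], sites[d]) not in exempt:
            report["missing_nonat"].append(f"{s}<->{d}")
    return report


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg))
```

Run against the original excerpt the report lists `B->A` and `B->C` as missing from the crypto ACLs and `A<->B`, `B<->C` as lacking NAT exemption, which is exactly the gap the accepted answer closes; against the corrected excerpt every list is empty. Feeding it the full running config of a hub is a quick way to confirm a change before it is pushed, and the duplicate check catches the case where the same hub-to-spoke entry is pasted into both crypto ACLs.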

8 Replies

Seb Rupik (VIP Alumni)

Hi there,

Can you share the crypto map config from ASA-B?

Out of interest, why not create a full mesh of VPNs? Using site B as transit for site A and site C creates a single point of failure.

cheers,

Seb.

Hi, thanks for the reply. Basically I'm working with a 3rd party (Site C) which we need to connect to, and their policy is not to give more than 1 VPN tunnel even though we have pushed for 2.

So I have been working on this solution. We understand it creates a single point of failure at B, but they will not budge on their policy.

See attached.

Can you elaborate on which source/destination subnets belong to which site?

It looks like the ACLs configured on ASA-B do not list the site-B local subnet in the ACLs used to send traffic to Site-A and Site-C.

Any chance of attaching the running config for site-B? My asdm-fu is pretty weak!

Of course:

Site A - 10.13.1.0 255.255.255.0

Site B - 10.60.2.0 255.255.255.0

Site C - 10.23.1.0 255.255.255.0

I did try adding Site B to the ACLs etc. but was unsuccessful, so I removed it all and went back to the start.

 

 

Hmm, well that is what's missing.

Did you make the ACL adjustment at both ends? The VPN ACL at site-C listing both 10.13.1.0/24 and 10.60.2.0/24 as destinations?

!
interface GigabitEthernet0/0
nameif Internal
security-level 100
ip address 10.60.1.10 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ1
security-level 50
ip address 10.60.2.5 255.255.255.0
!
!
interface Management0/0
nameif Outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 168.63.129.16
name-server 10.60.1.7
name-server 10.50.1.9
same-security-traffic permit intra-interface
object network OBJ-10.23.1.0-24
subnet 10.23.1.0 255.255.255.0
object network OBJ-10.13.1.0-24
subnet 10.13.1.0 255.255.255.0
object-group network Internal-Network
network-object 10.60.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp destination eq www
service-object tcp destination eq https
service-object icmp
object-group network DMZ1-Network
network-object 10.60.2.0 255.255.255.0
object-group network DMZ2-Network
network-object 10.60.3.0 255.255.255.0
access-list DMZ1_access_in extended permit ip 10.60.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list DMZ1_access_in extended permit ip object-group DM_INLINE_NETWORK_4 any
access-list DMZ1_access_in extended deny ip object-group DM_INLINE_NETWORK_5 10.60.1.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 10.23.1.0 255.255.255.0 10.13.1.0 255.255.255.0
access-list DMZ2_access_in extended permit ip any any
access-list Internal_access_in extended permit ip any any
access-list OUTSIDE-NAT0 remark NAT0 rule for C to A traffic
access-list OUTSIDE-NAT0 extended permit ip 10.23.1.0 255.255.255.0 10.13.1.0 255.255.255.0
access-list Outside_cryptomap_3 extended permit ip 10.13.1.0 255.255.255.0 10.23.1.0 255.255.255.0
access-list Outside_cryptomap_5 extended permit ip 10.13.1.0 255.255.255.0 10.23.1.0 255.255.255.0
pager lines 23
logging enable
logging asdm informational
mtu Internal 1500
mtu DMZ1 1500
mtu DMZ2 1500
mtu Outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Outside,any) source static OBJ-10.23.1.0-24 OBJ-10.23.1.0-24 destination static OBJ-10.13.1.0-24 OBJ-10.13.1.0-24 no-proxy-arp description NONAT
nat (DMZ1,Internal) source static DMZ1-Network DMZ1-Network destination static Internal-Network Internal-Network
nat (Internal,Outside) source dynamic any interface
nat (DMZ1,Outside) source dynamic any interface
access-group Internal_access_in in interface Internal
access-group DMZ1_access_in in interface DMZ1
access-group DMZ2_access_in in interface DMZ2
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 10.60.4.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.60.2.0 255.255.255.0 DMZ1
http 10.60.1.0 255.255.255.0 Internal
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set peer 41.73.158.134
crypto map Outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map Outside_map 3 match address Outside_cryptomap_5
crypto map Outside_map 3 set peer 180.151.84.210
crypto map Outside_map 3 set ikev1 transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 18dad19e267de8bb4a2158cdcc6b3b4a
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_41.73.158.134 internal
group-policy GroupPolicy_41.73.158.134 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_180.151.84.210 internal
group-policy GroupPolicy_180.151.84.210 attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 41.73.158.134 general-attributes
default-group-policy GroupPolicy_41.73.158.134
tunnel-group 41.73.158.134 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 180.151.84.210 type ipsec-l2l
tunnel-group 180.151.84.210 general-attributes
default-group-policy GroupPolicy_180.151.84.210
tunnel-group 180.151.84.210 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c54e36d8148b57d12d545b3519264357
: end

Hi Seb,

Don't worry, I have just solved it!!!!

Admittedly you pushed me in the right direction, so thank you :)

 

 

