07-10-2012 06:55 AM
Dear guys,
A VPN question; see the text diagram below.
inside-------ASA-1-----CHINATELECOM------ASA-2---------CHINAUNICOM----------ASA-3------inside
ipsec vpn tunnel ipsec vpn tunnel
We have configured interesting traffic on ASA-2 for both sides.
We can ping the ASA-2 inside network from ASA-3 and from ASA-1, but why can't ASA-3's inside network reach ASA-1's inside network?
07-10-2012 07:33 AM
"Why ASA-3 inside can not access ASA-1 inside network ?"
Make sure that ASA3's and ASA1's inside network segments have been incorporated (i.e. included) as a source and destination pair in the crypto ACL and the no-NAT ACL between the tunnels, i.e. between ASA1 and ASA3, and create only a no-NAT on ASA2 for this given source and destination.
Thanks,
Rizwan Rafeek.
07-10-2012 08:10 AM
Yes, I'm sure of what you said.
ASA1: I have added 2 ACLs for interesting traffic to ASA2 and ASA3 on ASA-1, which need to match, and denied the traffic in the no-NAT ACL.
ASA3: I have added 2 ACLs for interesting traffic to ASA1 and ASA2 on ASA-1, which need to match, and denied the traffic in the no-NAT ACL.
ASA2: I have created 2 VPN tunnels, with ASA1 and with ASA3, denied the source networks from ASA1 and ASA3 in the no-NAT ACL, and appointed interesting traffic for each VPN tunnel.
07-10-2012 08:27 AM
Hi Yun,
You have to create a dedicated tunnel between ASA1 and ASA3, just like a regular site-to-site tunnel, and you no-NAT the remote-peer IP addresses (i.e. ASA1's and ASA3's outside addresses) on ASA2.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
"
ASA1: I have added 2 ACLs for interesting traffic to ASA2 and ASA3 on ASA-1, which need to match, and denied the traffic in the no-NAT ACL.
ASA3: I have added 2 ACLs for interesting traffic to ASA1 and ASA2 on ASA-1, which need to match, and denied the traffic in the no-NAT ACL.
ASA2: I have created 2 VPN tunnels, with ASA1 and with ASA3, denied the source networks from ASA1 and ASA3 in the no-NAT ACL, and appointed interesting traffic for each VPN tunnel.
"
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
You do not deny the traffic in the no-NAT ACL, but rather permit it.
Thanks
07-10-2012 05:57 PM
Hi rizwanr74,
Thank you for your suggestion. Because ASA-1 and ASA-3 are on different ISPs on the outside port, the network latency is more than 200ms, and VoIP cannot run over them.
07-10-2012 07:47 PM
Hi Yun,
Step 1: Create site-to-site VPN tunnels between ASA1 and ASA2 and between ASA2 and ASA3; however, you need NO direct tunnel between ASA1 and ASA3.
Step 2: Now include ASA3's inside network segment in the crypto ACL for the tunnel between ASA1 and ASA2, and do NOT include ASA3's and ASA1's inside network segments in the no-NAT on the inside interface of ASA2.
Step 3: Now include ASA1's inside network segment in the crypto ACL for the tunnel between ASA2 and ASA3, and do NOT include ASA1's and ASA3's inside network segments in the no-NAT on the inside interface of ASA2.
Step 4: Create a no-NAT on ASA2 for the outside interface; this no-NAT must include ASA1's inside network segment and ASA3's inside network segment. See the example below.
This is only an example; change it to fit your network segments.
object-group network ASA1-inside
 network-object 192.168.100.0 255.255.255.0
object-group network ASA3-inside
 network-object 192.168.200.0 255.255.255.0
access-list nonat-outside extended permit ip object-group ASA1-inside object-group ASA3-inside
access-list nonat-outside extended permit ip object-group ASA3-inside object-group ASA1-inside
nat (outside) 0 access-list nonat-outside
Please let me know how this is coming along.
Thanks,
Rizwan Rafeek
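The following is an added example of the complete hub-side (ASA2) configuration that the first answer and Steps 1 to 4 above describe; it is not Rizwan's config and not taken from the thread. It uses the pre-8.3 `nat (if) 0 access-list` syntax of the thread's own snippet, constructed private address ranges (192.168.100.0/24, 192.168.150.0/24, 192.168.200.0/24), placeholder peer addresses and an assumed transform-set name ESP-AES-SHA. The `same-security-traffic permit intra-interface` line is not mentioned in the thread; it is the ASA setting that allows the spoke-to-spoke traffic to arrive on the outside interface and leave through the same interface, which is what the hub design depends on.

```cisco
! ASA2 (hub) -- added example, addresses are constructed placeholders
! Spoke networks and the hub's own inside network
object-group network ASA1-inside
 network-object 192.168.100.0 255.255.255.0
object-group network ASA2-inside
 network-object 192.168.150.0 255.255.255.0
object-group network ASA3-inside
 network-object 192.168.200.0 255.255.255.0

! Crypto ACL for the ASA1 tunnel (Step 2): from ASA1's point of view the
! protected networks are the hub inside AND the ASA3 inside segment
access-list VPN-TO-ASA1 extended permit ip object-group ASA2-inside object-group ASA1-inside
access-list VPN-TO-ASA1 extended permit ip object-group ASA3-inside object-group ASA1-inside

! Crypto ACL for the ASA3 tunnel (Step 3): hub inside AND the ASA1 inside segment
access-list VPN-TO-ASA3 extended permit ip object-group ASA2-inside object-group ASA3-inside
access-list VPN-TO-ASA3 extended permit ip object-group ASA1-inside object-group ASA3-inside

! No-NAT on the inside interface covers ONLY the hub's own inside network
! to each spoke; the spoke-to-spoke pair deliberately is not listed here
access-list nonat-inside extended permit ip object-group ASA2-inside object-group ASA1-inside
access-list nonat-inside extended permit ip object-group ASA2-inside object-group ASA3-inside
nat (inside) 0 access-list nonat-inside

! No-NAT on the outside interface (Step 4): spoke-to-spoke traffic is
! decrypted on outside and immediately re-encrypted on outside, so the
! exemption must live on that interface in both directions
access-list nonat-outside extended permit ip object-group ASA1-inside object-group ASA3-inside
access-list nonat-outside extended permit ip object-group ASA3-inside object-group ASA1-inside
nat (outside) 0 access-list nonat-outside

! Not in the thread: required so traffic may enter and exit the same interface
same-security-traffic permit intra-interface

! One crypto map, one entry per spoke; peer addresses are placeholders
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-ASA1
crypto map OUTSIDE-MAP 10 set peer <ASA1-outside-ip>
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address VPN-TO-ASA3
crypto map OUTSIDE-MAP 20 set peer <ASA3-outside-ip>
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
```

On each spoke the crypto ACL must mirror the hub's entry for it (ASA1's ACL lists ASA1-inside to both ASA2-inside and ASA3-inside, ASA3's lists ASA3-inside to both ASA2-inside and ASA1-inside) and the spoke's own no-NAT ACL permits the same pairs. To check the result, `show crypto ipsec sa` on ASA2 should show an SA whose local and remote proxy identities are the two spoke segments on each tunnel; if that SA never appears, the missing piece is almost always the crypto ACL mirror on one spoke or the outside no-NAT on the hub.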