07-10-2012 06:55 AM
Dear guys,
A VPN question, see the text diagram below:
inside-------ASA-1-----CHINATELECOM------ASA-2---------CHINAUNICOM----------ASA-3------inside
              ipsec vpn tunnel                          ipsec vpn tunnel
We have configured interesting traffic on ASA-2 for each other on both sides.
We can ping the ASA-2 inside network from ASA-3 and ASA-1, but why can the ASA-3 inside network not access the ASA-1 inside network?
07-10-2012 07:33 AM
"Why can the ASA-3 inside network not access the ASA-1 inside network?"
Make sure that ASA3's and ASA1's inside network segments have been incorporated (i.e. included) as a source and destination pair in the crypto ACL and the no-nat ACL between the tunnels, i.e. between ASA1 and ASA3, and create only a no-nat on ASA2 for this given source and destination.
Thanks,
Rizwan Rafeek.
07-10-2012 08:10 AM
Yes, I'm sure about what you said.
ASA1: I have added 2 ACLs for interesting traffic to asa2 and asa3 on asa-1, which need to match, and denied the traffic on the nonat ACL.
ASA3: I have added 2 ACLs for interesting traffic to asa1 and asa2 on asa-1, which need to match, and denied the traffic on the nonat ACL.
ASA2: I have created 2 VPN tunnels, with asa 1 and asa3, denied the source networks from asa 1 and asa 3 on the nonat ACL, and appointed interesting traffic for each VPN tunnel.
07-10-2012 08:27 AM
Hi Yun,
You have to create a dedicated tunnel between ASA1 and ASA3, just like a regular site-to-site tunnel, and you no-nat the remote peer IP addresses (i.e. ASA1's and ASA3's outside addresses) on ASA2.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
"
ASA1: I have added 2 ACLs for interesting traffic to asa2 and asa3 on asa-1, which need to match, and denied the traffic on the nonat ACL.
ASA3: I have added 2 ACLs for interesting traffic to asa1 and asa2 on asa-1, which need to match, and denied the traffic on the nonat ACL.
ASA2: I have created 2 VPN tunnels, with asa 1 and asa3, denied the source networks from asa 1 and asa 3 on the nonat ACL, and appointed interesting traffic for each VPN tunnel.
"
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
You do not deny the traffic on the no-nat, but rather permit it.
thanks
07-10-2012 05:57 PM
Hi rizwanr74,
Thank you for your suggestion. Because asa-1 and asa-3 are on different ISPs on the outside port, the network latency of more than 200 ms cannot run VoIP on them.
07-10-2012 07:47 PM
Hi Yun,
Step 1: Create site-to-site VPN tunnels between ASA1 and ASA2 and between ASA2 and ASA3; however, there is NO direct tunnel between ASA1 and ASA3 that you need.
Step 2: Now include ASA3's inside network segment in the crypto ACL for the tunnel between ASA1 and ASA2, and do NOT include ASA3's and ASA1's inside network segments in the no-nat on the inside interface of ASA2.
Step 3: Now include ASA1's inside network segment in the crypto ACL for the tunnel between ASA2 and ASA3, and do NOT include ASA1's and ASA3's inside network segments in the no-nat on the inside interface of ASA2.
Step 4: Create a no-nat on ASA2 for the outside interface, and this no-nat must include ASA1's inside network segment and ASA3's inside network segment. See the example below.
This is only an example; change it to fit your network segments.
object-group network ASA1-inside
 network-object 192.168.100.0 255.255.255.0
object-group network ASA3-inside
 network-object 192.168.200.0 255.255.255.0
access-list nonat-outside extended permit ip object-group ASA1-inside object-group ASA3-inside
access-list nonat-outside extended permit ip object-group ASA3-inside object-group ASA1-inside
nat (outside) 0 access-list nonat-outside
Please let me know, how this coming along.
thanks
Rizwan Rafeek
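The four steps above put together as one worked hub-and-spoke configuration. This is an added example, not configuration from any poster in this thread; it uses the ASA 8.2-style NAT syntax the thread uses, the 192.168.100.0/24 (ASA1) and 192.168.200.0/24 (ASA3) segments from Rizwan's example, and assumes a constructed ASA2 inside segment of 192.168.150.0/24, constructed peer addresses 203.0.113.1 (ASA1) and 203.0.113.3 (ASA3), and placeholder pre-shared keys. The one command the thread does not mention but which hub-and-spoke traffic needs is `same-security-traffic permit intra-interface`: spoke-to-spoke packets arrive on ASA2's outside interface and leave through the same interface, and the ASA drops that U-turn unless it is explicitly permitted.

```cisco
!=== ASA2 (hub): the only box that must carry both spokes' segments ===
! Allow traffic to enter and leave the same (outside) interface; without this
! the ASA1-inside <-> ASA3-inside packets are dropped by the hub.
same-security-traffic permit intra-interface

object-group network ASA1-inside
 network-object 192.168.100.0 255.255.255.0
object-group network ASA2-inside
 network-object 192.168.150.0 255.255.255.0
object-group network ASA3-inside
 network-object 192.168.200.0 255.255.255.0

! Crypto ACL for the ASA2<->ASA1 tunnel: hub segment AND the far spoke (ASA3) segment.
access-list VPN-TO-ASA1 extended permit ip object-group ASA2-inside object-group ASA1-inside
access-list VPN-TO-ASA1 extended permit ip object-group ASA3-inside object-group ASA1-inside
! Crypto ACL for the ASA2<->ASA3 tunnel: hub segment AND the far spoke (ASA1) segment.
access-list VPN-TO-ASA3 extended permit ip object-group ASA2-inside object-group ASA3-inside
access-list VPN-TO-ASA3 extended permit ip object-group ASA1-inside object-group ASA3-inside

! No-NAT on the inside interface: only the hub's own segment to each spoke.
access-list nonat-inside extended permit ip object-group ASA2-inside object-group ASA1-inside
access-list nonat-inside extended permit ip object-group ASA2-inside object-group ASA3-inside
nat (inside) 0 access-list nonat-inside
! No-NAT on the outside interface: the spoke-to-spoke pair that U-turns here.
access-list nonat-outside extended permit ip object-group ASA1-inside object-group ASA3-inside
access-list nonat-outside extended permit ip object-group ASA3-inside object-group ASA1-inside
nat (outside) 0 access-list nonat-outside

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-ASA1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address VPN-TO-ASA3
crypto map OUTSIDE_MAP 20 set peer 203.0.113.3
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <PSK-ASA1-PLACEHOLDER>
tunnel-group 203.0.113.3 type ipsec-l2l
tunnel-group 203.0.113.3 ipsec-attributes
 pre-shared-key <PSK-ASA3-PLACEHOLDER>

!=== ASA1 (spoke): one tunnel to the hub, crypto ACL covers hub AND ASA3 segments ===
! The mirror of ASA2's VPN-TO-ASA1 ACL; no tunnel to ASA3 is configured here.
access-list VPN-TO-HUB extended permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list VPN-TO-HUB extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat-inside extended permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat-inside extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat-inside
! ASA3 is the mirror image: its VPN-TO-HUB ACL permits 192.168.200.0/24 to both
! 192.168.150.0/24 and 192.168.100.0/24, with the same pair in its nonat-inside ACL.
```

The two places where this setup usually fails in practice are the pieces Rizwan's steps call out: a crypto ACL on one hop that lacks the far spoke's segment (the packet matches no SA and is sent in the clear or dropped), and a no-nat ACL that translates the spoke-to-spoke pair so that the returning packet no longer matches the crypto ACL. `show crypto ipsec sa` on ASA2 should list both spoke segments under each peer, and `packet-tracer input outside tcp 192.168.200.10 1024 192.168.100.10 80` will show whether the intra-interface rule, the NAT exemption and the crypto ACL all admit the U-turn.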