VPN Question (match interesting traffic)

yun zhang
Level 1

Dear guys

A VPN question, see the text diagram below:

inside-------ASA-1-----CHINATELECOM------ASA-2---------CHINAUNICOM----------ASA-3------inside
             |<------- ipsec vpn tunnel ------->|<-------- ipsec vpn tunnel -------->|

We have configured interesting traffic on ASA-2 for each other on both sides.

We can ping the ASA-2 inside network from ASA-3 and ASA-1, but why can't the ASA-3 inside network access the ASA-1 inside network?

5 Replies

rizwanr74
Level 7

"Why ASA-3 inside can not access ASA-1 inside network ?"

Make sure that ASA3's and ASA1's inside network segments have been incorporated (i.e. included) as a source and destination pair in the crypto ACL and the no-NAT ACL between the tunnels, i.e. between ASA1 and ASA3, and create only a no-NAT on ASA2 for the given source and destinations.

thanks

Rizwan Rafeek.

Yes, I'm sure about what you said.

ASA1: I have added 2 ACL interesting-traffic entries to ASA2 and ASA3 on ASA-1, which need to match, and denied the traffic on the nonat ACL.

ASA3: I have added 2 ACL interesting-traffic entries to ASA1 and ASA2 on ASA-1, which need to match, and denied the traffic on the nonat ACL.

ASA2: I have created 2 VPN tunnels with ASA 1 and ASA 3, denied the source networks from ASA 1 and ASA 3 on the nonat ACL, and appointed interesting traffic for each VPN tunnel.

Hi Yun,

You have to create a dedicated tunnel between ASA1 and ASA3, just like a regular site-to-site tunnel, and you no-NAT the remote-peer IP addresses (i.e. ASA1's and ASA3's outside addresses) on ASA2.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------

"

ASA1: I have added 2 ACL interesting-traffic entries to ASA2 and ASA3 on ASA-1, which need to match, and denied the traffic on the nonat ACL.

ASA3: I have added 2 ACL interesting-traffic entries to ASA1 and ASA2 on ASA-1, which need to match, and denied the traffic on the nonat ACL.

ASA2: I have created 2 VPN tunnels with ASA 1 and ASA 3, denied the source networks from ASA 1 and ASA 3 on the nonat ACL, and appointed interesting traffic for each VPN tunnel.

"

------------------------------------------------------------------------------------------------------------------------------------------------------------------------

You do not deny the traffic on the no-NAT but rather permit it.

thanks

Hi rizwanr74,

Thank you for your suggestion. Because ASA-1 and ASA-3 are on different ISPs on the outside port, the network latency is more than 200 ms and VoIP cannot run over them.

Hi Yun,

Step 1: Create site-to-site VPN tunnels between ASA1 and ASA2 and between ASA2 and ASA3; however, there is NO direct tunnel between ASA1 and ASA3 that you need.

Step 2: Now include ASA3's inside network segment in the crypto ACL for the tunnel between ASA1 and ASA2, and do NOT include ASA3's and ASA1's inside network segments in the no-NAT on the inside interface of ASA2.

Step 3: Now include ASA1's inside network segment in the crypto ACL for the tunnel between ASA2 and ASA3, and do NOT include ASA1's and ASA3's inside network segments in the no-NAT on the inside interface of ASA2.

Step 4: Create a no-NAT on ASA2 for the outside interface, and this no-NAT must include ASA1's inside network segment and ASA3's inside network segment. See the example below.

This is only an example; change it to fit your network segments.

! Inside network of each spoke; substitute your own prefixes
object-group network ASA1-inside
  network-object 192.168.100.0 255.255.255.0
object-group network ASA3-inside
  network-object 192.168.200.0 255.255.255.0
! Permit (not deny) both directions of spoke-to-spoke traffic in the NAT-exempt ACL
access-list nonat-outside extended permit ip object-group ASA1-inside object-group ASA3-inside
access-list nonat-outside extended permit ip object-group ASA3-inside object-group ASA1-inside
! NAT exemption is applied on the OUTSIDE interface, where the hairpinned traffic arrives
nat (outside) 0 access-list nonat-outside

Please let me know how this is coming along.

thanks

Rizwan Rafeek
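To show the whole hub-and-spoke picture that the steps above describe, here is an added, complete ASA-2 (hub) configuration fragment in the same pre-8.3 `nat (interface) 0` syntax the thread uses. It is not taken from the original posts: the inside prefixes, the spoke peer addresses (203.0.113.1 for ASA-1, 198.51.100.3 for ASA-3), the transform-set name, the ACL and crypto-map names and the pre-shared key are all assumed placeholders. Beyond the thread's no-NAT ACL, it adds the two pieces a hairpinned spoke-to-spoke design also needs on the hub: `same-security-traffic permit intra-interface` (traffic enters and leaves on the same outside interface) and crypto ACLs on both tunnels that carry the other spoke's LAN as a protected network.

```cisco
! ASA-2 hub: added example config (not from the original thread), pre-8.3 NAT syntax.
! All addresses, names and keys below are assumed placeholders.
object-group network ASA1-inside
  network-object 192.168.100.0 255.255.255.0
object-group network ASA2-inside
  network-object 192.168.150.0 255.255.255.0
object-group network ASA3-inside
  network-object 192.168.200.0 255.255.255.0
!
! Spoke-to-spoke packets are decrypted on outside and re-encrypted out of outside.
! Without this the hub drops them as same-interface traffic before the second tunnel.
same-security-traffic permit intra-interface
!
! Crypto ACL for the ASA-1 tunnel: protect hub LAN AND ASA-3 LAN towards ASA-1
access-list vpn-to-asa1 extended permit ip object-group ASA2-inside object-group ASA1-inside
access-list vpn-to-asa1 extended permit ip object-group ASA3-inside object-group ASA1-inside
! Crypto ACL for the ASA-3 tunnel: mirror image, so ASA-1 LAN is also a protected source
access-list vpn-to-asa3 extended permit ip object-group ASA2-inside object-group ASA3-inside
access-list vpn-to-asa3 extended permit ip object-group ASA1-inside object-group ASA3-inside
!
! NAT exemption on inside: only the hub's own LAN ever enters here on its way to a spoke
access-list nonat-inside extended permit ip object-group ASA2-inside object-group ASA1-inside
access-list nonat-inside extended permit ip object-group ASA2-inside object-group ASA3-inside
nat (inside) 0 access-list nonat-inside
! NAT exemption on outside: spoke-to-spoke traffic is hairpinned on this interface
access-list nonat-outside extended permit ip object-group ASA1-inside object-group ASA3-inside
access-list nonat-outside extended permit ip object-group ASA3-inside object-group ASA1-inside
nat (outside) 0 access-list nonat-outside
! 8.3+ equivalent of the two lines above would be a single twice-NAT rule, e.g.
!   nat (outside,outside) source static ASA1-inside ASA1-inside destination static ASA3-inside ASA3-inside
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address vpn-to-asa1
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 20 match address vpn-to-asa3
crypto map outside_map 20 set peer 198.51.100.3
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
  pre-shared-key ASSUMED-KEY-ASA1
tunnel-group 198.51.100.3 type ipsec-l2l
tunnel-group 198.51.100.3 ipsec-attributes
  pre-shared-key ASSUMED-KEY-ASA3
!
! Spokes (example ASA-1 crypto ACL; ASA-3 is the mirror image with its own prefix):
! the crypto ACL and the inside no-NAT must list BOTH remote LANs, not just the hub's.
!   access-list vpn-to-asa2 extended permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
!   access-list vpn-to-asa2 extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
```

Two checks worth doing on the hub after applying this: `show crypto ipsec sa` should show, on each tunnel, a child SA whose local/remote proxy identities are the two spoke LANs (192.168.100.0/24 and 192.168.200.0/24 here), not only the hub LAN; and `packet-tracer input outside icmp 192.168.200.10 8 0 192.168.100.10` should end in ALLOW with the flow leaving via outside through the crypto map, which quickly exposes a missing `same-security-traffic` statement or an outside NAT exemption that is absent or written as a deny. The decrypted spoke traffic is admitted by the default `sysopt connection permit-vpn`; if that has been disabled, the outside interface ACL must also permit it.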
