VPN Site to Site and a site

mohamed.ali

Dears,

Let me explain my topology briefly.

[topology image: Untitledss.png]
There is an active IPsec tunnel between the router and the ASA,

and there is another IPsec tunnel between the middle ASA and the right ASA.

My point is that the local IP on the router, 10.10.10.2, needs to contact 172.16.204.55.

What configuration is needed?

I added the IPs to each one.

Also, what can I do on the middle ASA?

 


Bogdan Nita

To sum it up, you would need to do the following:

- add the corresponding destinations to the crypto ACL on the end devices (router and ASA)

- the go-through ASA will need the necessary source and destination added to its crypto ACLs

- route and NAT in order to send the packets out the correct interface and with the correct IP

- the go-through ASA will have to accept and send packets on the same interface: same-security-traffic permit intra-interface

Here is a config guide:

https://supportforums.cisco.com/t5/security-documents/how-to-configure-site-to-site-vpn-with-hairpinning-on-cisco-asa/ta-p/3157388

 

HTH

Bogdan


The first point is done.
Can I get more explanation of the second one?
Is a route needed?
Also, NAT from outside to outside interface?

I think it is easier to explain with examples, so I will use the guide for reference:

- second point:

config that should be added:

access-list VPN-to-Branch1 permit ip object-group Branch2-networks object-group Branch1-networks

access-list VPN-to-Branch2 permit ip object-group Branch1-networks object-group Branch2-networks

already existing config:

crypto map IPSec_VPN 1 match address VPN-to-Branch1
crypto map IPSec_VPN 2 match address VPN-to-Branch2

- routing:

You have to make sure that traffic is being sent out the outside interface; if you already have default routes, those are fine.

- NAT from outside to outside:

You may need to configure NAT from outside to outside to avoid translating to the public IP. If that is not the case, the outside-to-outside NAT config can be skipped.
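As an added example, not taken from the thread or the linked guide, here is the middle (go-through) ASA configuration that ties the four points of the accepted answer together. The interface name "outside", the subnets 10.10.10.0/24 and 172.16.204.0/24, and the next-hop 203.0.113.1 are assumptions; only the object-group, ACL and crypto map names come from the reply above.

```text
! Added example for the middle (go-through) ASA, ASA 8.3+ syntax.
! Assumptions, not from the thread: interface name "outside",
! 10.10.10.0/24 behind the router (Branch1), 172.16.204.0/24 behind
! the right ASA (Branch2); the two hosts in the question live there.
object-group network Branch1-networks
 network-object 10.10.10.0 255.255.255.0
object-group network Branch2-networks
 network-object 172.16.204.0 255.255.255.0

! Point 4: branch-to-branch packets arrive on outside (decrypted from
! tunnel 1) and must leave on outside again (into tunnel 2). Without
! this the ASA drops traffic exiting the interface it entered on.
same-security-traffic permit intra-interface

! Point 2: on the ASA a crypto ACL lists the hub-local side as the
! source and the remote peer's networks as the destination, so the
! other branch's subnet goes on the local side of each tunnel's ACL.
! The router and the right ASA need the mirror image of these lines
! in their own crypto ACLs (point 1).
access-list VPN-to-Branch1 extended permit ip object-group Branch2-networks object-group Branch1-networks
access-list VPN-to-Branch2 extended permit ip object-group Branch1-networks object-group Branch2-networks
crypto map IPSec_VPN 1 match address VPN-to-Branch1
crypto map IPSec_VPN 2 match address VPN-to-Branch2

! Point 3: identity (twice) NAT from outside to outside keeps the
! private addresses intact, so the hairpinned packet still matches
! the crypto ACL instead of being translated to the hub's public IP.
nat (outside,outside) source static Branch1-networks Branch1-networks destination static Branch2-networks Branch2-networks no-proxy-arp route-lookup

! Routing: a default route out of outside is enough; both remote
! subnets are reached through the crypto map on that interface.
! 203.0.113.1 is a placeholder for the real upstream gateway.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

Verify with `show crypto ipsec sa` on the middle ASA: for a working hairpin, the decaps counter on the router's tunnel and the encaps counter on the right ASA's tunnel both increase when 10.10.10.2 sends traffic to 172.16.204.55.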

 
