Dear,
I want to use ASA B as a forwarder between ASA A and ASA C so that intranet A is connected securely to intranet C, something like:
intranet A <-- ASA A --> internet <-- ASA B --> internet <-- ASA C --> intranet C
because the connections between A and B and between B and C are good, but the connection between A and C is bad.
I have just completed the IPsec settings between A and B and between B and C, but how should I tell ASA A, B, and C to work like this?
Thanks a lot.
Do you have routing entries for all remote networks in place? Does ASA B have hairpinning enabled?
"same-security-traffic permit intra-interface"
In this scenario it's all about configuring the right IPsec proxy IDs (crypto ACLs):
If A, B and C are the networks behind each ASA, then you need the following crypto ACLs:
ASA A:
access-list VPN-AtoB permit ip A B
access-list VPN-AtoB permit ip A C
ASA B:
access-list VPN-BtoA permit ip B A
access-list VPN-BtoA permit ip C A
access-list VPN-BtoC permit ip B C
access-list VPN-BtoC permit ip A C
ASA C:
access-list VPN-CtoB permit ip C B
access-list VPN-CtoB permit ip C A
Hi Ling,
All you need is to allow the VPN traffic between A and C. As I can say, you need to permit the VPN ports bidirectionally, since ASA A reaches ASA C via ASA B and ASA C reaches ASA A via ASA B. So, for example, if ASA A is trying to establish IPsec traffic with ASA C on UDP ports 500 and 4500, then ASA B should not block anything, to allow the IPsec traffic. If it is blocking, then there will be an issue.
Please do rate if the given information helps.
By
Karthik
Thanks for all the answers, but it is not working.
The common settings on all ASAs are:
object-group network intra_asa550530
 network-object 192.168.30.0 255.255.255.0
object-group network intra_asa550550
 network-object 192.168.50.0 255.255.255.0
object-group network intra_asa550570
 network-object 192.168.70.0 255.255.255.0
and the settings on ASA A (50):
access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550530
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 1.1.30.5
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside
on ASA B (30, the forwarder):
access-list encrypt_acl50 extended permit ip object-group intra_asa550530 object-group intra_asa550550
access-list encrypt_acl70 extended permit ip object-group intra_asa550530 object-group intra_asa550570
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSec_map 50 match address encrypt_acl50
crypto map IPSec_map 50 set peer 1.1.50.5
crypto map IPSec_map 50 set transform-set myset
crypto map IPSec_map 70 match address encrypt_acl70
crypto map IPSec_map 70 set peer 1.1.70.5
crypto map IPSec_map 70 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside
on ASA C (70):
access-list encrypt_acl extended permit ip object-group intra_asa550570 object-group intra_asa550530
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 1.1.30.5
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside
I can ping from B to A and from B to C with these settings, then I added the following:
on ASA A (50), allow from A to C:
access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550570
on ASA B (30, the forwarder), allow from C to A and from A to C:
access-list encrypt_acl50 extended permit ip object-group intra_asa550570 object-group intra_asa550550
access-list encrypt_acl70 extended permit ip object-group intra_asa550550 object-group intra_asa550570
on ASA C (70), allow from C to A:
access-list encrypt_acl extended permit ip object-group intra_asa550570 object-group intra_asa550550
but it is still not working.
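A quick way to confirm whether the proxy IDs are the problem before looking elsewhere is to audit the crypto ACLs against the hub-and-spoke rule Karsten gave above: each spoke's crypto ACL must cover its own network to the hub and to every other spoke, and the hub's crypto ACL toward that spoke must be the exact mirror. The script below is an added example, not part of the thread or of any Cisco tooling; it parses ASA-style `access-list ... extended permit ip object-group X object-group Y` lines (the only form it understands) and reports entries missing on either side or present without a mirror. The sample configurations embedded in it are the crypto ACL lines from this thread, before and after the spoke-to-spoke entries were added; the function names and the `HUB`/`SPOKES` constants are assumptions for the example.

```python
import re
from collections import defaultdict

# Added example (not from the thread). Only object-group-to-object-group
# permit lines are parsed; host/subnet forms of the ACL are ignored.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"object-group\s+(\S+)\s+object-group\s+(\S+)$"
)


def parse_crypto_acls(config_text):
    """Map ACL name -> set of (src_group, dst_group) for every matching line."""
    acls = defaultdict(set)
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, dst = m.groups()
            acls[name].add((src, dst))
    return dict(acls)


def mirror(entries):
    """Swap source and destination of every (src, dst) entry."""
    return {(dst, src) for (src, dst) in entries}


def expected_spoke_acl(spoke, hub, spokes):
    """Entries a spoke's crypto ACL needs: own net to hub, own net to each other spoke."""
    return {(spoke, hub)} | {(spoke, other) for other in spokes if other != spoke}


def audit(spoke_cfg, spoke_acl, hub_cfg, hub_acl, spoke, hub, spokes):
    """Return (missing_on_spoke, missing_on_hub, unmirrored), each sorted.

    missing_on_spoke: expected spoke entries the spoke ACL lacks
    missing_on_hub:   mirrors of expected entries the hub ACL lacks
    unmirrored:       entries present on one side with no mirror on the other
    """
    spoke_entries = parse_crypto_acls(spoke_cfg).get(spoke_acl, set())
    hub_entries = parse_crypto_acls(hub_cfg).get(hub_acl, set())
    want_spoke = expected_spoke_acl(spoke, hub, spokes)
    missing_on_spoke = want_spoke - spoke_entries
    missing_on_hub = mirror(want_spoke) - hub_entries
    unmirrored = (spoke_entries - mirror(hub_entries)) | (hub_entries - mirror(spoke_entries))
    return sorted(missing_on_spoke), sorted(missing_on_hub), sorted(unmirrored)


# Crypto ACL lines as posted in the thread, before the spoke-to-spoke entries.
ASA_A_BEFORE = """
access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550530
"""
ASA_B_BEFORE = """
access-list encrypt_acl50 extended permit ip object-group intra_asa550530 object-group intra_asa550550
access-list encrypt_acl70 extended permit ip object-group intra_asa550530 object-group intra_asa550570
"""
# The same ACLs after the lines from the follow-up post were added.
ASA_A_AFTER = ASA_A_BEFORE + (
    "access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550570\n"
)
ASA_B_AFTER = ASA_B_BEFORE + (
    "access-list encrypt_acl50 extended permit ip object-group intra_asa550570 object-group intra_asa550550\n"
    "access-list encrypt_acl70 extended permit ip object-group intra_asa550550 object-group intra_asa550570\n"
)

HUB = "intra_asa550530"                           # network behind ASA B
SPOKES = ["intra_asa550550", "intra_asa550570"]   # networks behind ASA A and ASA C


def audit_a_before():
    """ASA A <-> ASA B tunnel with the original (hub-to-spoke only) ACLs."""
    return audit(ASA_A_BEFORE, "encrypt_acl", ASA_B_BEFORE, "encrypt_acl50", SPOKES[0], HUB, SPOKES)


def audit_a_after():
    """ASA A <-> ASA B tunnel after the spoke-to-spoke entries were added."""
    return audit(ASA_A_AFTER, "encrypt_acl", ASA_B_AFTER, "encrypt_acl50", SPOKES[0], HUB, SPOKES)


if __name__ == "__main__":
    for label, result in (("before", audit_a_before()), ("after", audit_a_after())):
        missing_spoke, missing_hub, unmirrored = result
        print(f"{label}: missing on spoke={missing_spoke} missing on hub={missing_hub} unmirrored={unmirrored}")
```

For the "before" configuration the audit reports the spoke-to-spoke entry missing on ASA A and its mirror missing on ASA B's ACL toward A; for the "after" configuration it reports nothing. When the ACLs come back clean like that, the proxy IDs are not the cause and, as this thread ends up showing, the next thing to check on the hub is whether traffic may enter and leave the same interface (`same-security-traffic permit intra-interface`) and whether routes for all remote networks exist.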
Thanks Karsten!! The trick is same-security-traffic permit intra-interface!!