Cisco Community
English
Register
The War in Ukraine - Supporting customers, partners and communities. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
941
Views
8
Helpful
5
Replies
gamecompany
Beginner
Beginner
‎08-03-2012 03:58 AM
‎08-03-2012 03:58 AM

ASA 5500 as an IPSec forwarder

Dear,

I want to use ASA B as a forwarder between ASA A and ASA C so that intranet A is connected securely from intranet C, something likes:

intranet A <-- ASA A --> internet <-- ASA B --> internet <-- ASA C --> intranet C

because connections between A and B and between B and C are good, but connections between A and C are bad.

I just completed the IPSec settings between A and B and between B and C, but how should I tell ASA A, B, and C to work like this?

thanks a lot.

Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor
In response to gamecompany
‎08-03-2012 06:48 AM
‎08-03-2012 06:48 AM

Do you have routing-entries for all remote-networks in place? Has the ASA B hairpinning enabled?

"same-security-traffic permit intra-interface"


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor
or share a meal with a hungry child.

View solution in original post

0 Helpful
5 REPLIES 5
Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor
‎08-03-2012 05:10 AM
‎08-03-2012 05:10 AM

In this scenario it's all about configuring the right IPSec-proxy-IDs (crypto-ACLs):

If A, B and C are the networks behind each ASA, then you need the following crypto ACLs:

ASA A:

access-list VPN-AtoB permit ip A B

access-list VPN-AtoB permit ip A C

ASA B:

access-list VPN-BtoA permit ip B A

access-list VPN-BtoA permit ip C A

access-list VPN-BtoC permit ip B C

access-list VPN-BtoC permit ip A C

ASA C:

access-list VPN-CtoB permit ip C B

access-list VPN-CtoB permit ip C A


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor
or share a meal with a hungry child.
nkarthikeyan
Rising star
Rising star
‎08-03-2012 05:12 AM
‎08-03-2012 05:12 AM

Hi Ling,

All you need is to allow the VPN traffic between A and C. As i can say you need to permit the VPN Ports bidirectional. Since ASA A to ASA C via ASA B and ASA C to ASA A via ASA B. So for example. If ASA A is trying for a IPSEC traffic with ASA C on ports udp500,4500 then ASA B should not block anything to allow the IPSEC traffic. If it is blocking... then there will be an issue...

Please do rate if the given information helps.

By

Karthik

gamecompany
Beginner
Beginner
‎08-03-2012 06:37 AM
‎08-03-2012 06:37 AM

Thanks for all answers, but it is not working

the common setting on all ASAs are

object-group network intra_asa550530

network-object 192.168.30.0 255.255.255.0

object-group network intra_asa550550

network-object 192.168.50.0 255.255.255.0

object-group network intra_asa550570

network-object 192.168.70.0 255.255.255.0

and the settings on ASA A(50)

access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550530

crypto map IPSec_map 10 match address encrypt_acl

crypto map IPSec_map 10 set peer 1.1.30.5

crypto map IPSec_map 10 set transform-set myset

crypto map IPSec_map interface outside

crypto isakmp enable outside

on ASA B(30, the forwarder)

access-list encrypt_acl50 extended permit ip object-group intra_asa550530 object-group intra_asa550550

access-list encrypt_acl70 extended permit ip object-group intra_asa550530 object-group intra_asa550570

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map IPSec_map 50 match address encrypt_acl50

crypto map IPSec_map 50 set peer 1.1.50.5

crypto map IPSec_map 50 set transform-set myset

crypto map IPSec_map 70 match address encrypt_acl70

crypto map IPSec_map 70 set peer 1.1.70.5

crypto map IPSec_map 70 set transform-set myset

crypto map IPSec_map interface outside

crypto isakmp enable outside

on ASA C(70)

access-list encrypt_acl extended permit ip object-group intra_asa550570 object-group intra_asa550530

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map IPSec_map 10 match address encrypt_acl

crypto map IPSec_map 10 set peer 1.1.30.5

crypto map IPSec_map 10 set transform-set myset

crypto map IPSec_map interface outside

crypto isakmp enable outside

I can ping from B to A and B to C by these settings, then I add the following:

on ASA A(50), allow from A to C

access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550570

on ASA B(30, the forwarder), allow from C to A and from A to C

access-list encrypt_acl50 extended permit ip object-group intra_asa550570 object-group intra_asa550550

access-list encrypt_acl70 extended permit ip object-group intra_asa550550 object-group intra_asa550570

on ASA C(70) allow from C to A

access-list encrypt_acl extended permit ip object-group intra_asa550570 object-group intra_asa550550

but it is still not working

0 Helpful
Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor
In response to gamecompany
‎08-03-2012 06:48 AM
‎08-03-2012 06:48 AM

Do you have routing-entries for all remote-networks in place? Has the ASA B hairpinning enabled?

"same-security-traffic permit intra-interface"


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor
or share a meal with a hungry child.
0 Helpful
gamecompany
Beginner
Beginner
In response to Karsten Iwen
‎08-05-2012 08:39 PM
‎08-05-2012 08:39 PM

Thanks karsten!! the trick is same-security-traffic permit intra-interface!!

0 Helpful
Latest Contents
ISE URL Redirection on IOS-XE
Created by Mohsin_Mohamed on 05-20-2022 01:04 PM
0
0
0
0
SymptomsDownloadable ACL (dACL) does not take effect on the IOS-XE Network Access DevicesDiagnosisCreating redirection ACL on the IOS-XE device failed to redirect the specified traffic for captive portal redirectionSolutionEnable device tracking, Below is... view more
Network Security All-in-one ASA FTD WSA Umbrella ISE VPN Lay...
Created by Meddane on 05-17-2022 06:18 AM
2
0
2
0
Multiple Cisco Security Technologies in a single book : ASA Firepower, WSA, Umbrella, ISE and VPN with 100 percent 100 practical scenarios with 70 Labs to cover important topics of the Cisco SCOR Exam. The best part is ISE with interesting scenarios wi... view more
Understanding IP Layer Enforcement on Cisco Umbrella
Created by Meddane on 05-17-2022 03:10 AM
0
10
0
10
Cisco Umbrella is a big DNS service that provides not only the DNS resolution but also if the hosted website is trust or malicious, the idea behind the Layer DNS Security is that the modern attacks uses the DNS in the first step either to redirect the use... view more
Cisco ISE Integration With F5 BIG-IP LTM Load Balancer for G...
Created by Meddane on 05-15-2022 02:24 AM
0
0
0
0
I shared with you this detailed document I created with 27 pages about Cisco ISE Integration With F5 BIG-IP Locar Traffic Manager LTM Load Balancer for Guest Acces.   The method used for Guest Access is the Self-Registration. Healt Monitor using HTTP... view more
Cisco ASA 9.714 version SNMP not working in EVE-NG LAB Envir...
Created by waqas.muhammad49 on 05-10-2022 06:56 AM
0
0
0
0
I created an IPSEC Site to site Tunnel between two ASA Firewalls in EVE-NG topology and i want to plot the IPSEC Site to Site VPN graph on PRTG ? The SNMP Walk command is not getting any output . As the firewall is making SNMP inbound connections with the... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad