Cisco Community
English
Register
ANNOUNCEMENT - Upcoming Changes in the email address of Community email notifications - LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
734
Views
8
Helpful
5
Replies
Highlighted
gamecompany
Beginner
Beginner
‎08-03-2012 03:58 AM
‎08-03-2012 03:58 AM

ASA 5500 as an IPSec forwarder

Dear,

I want to use ASA B as a forwarder between ASA A and ASA C so that intranet A is connected securely from intranet C, something likes:

intranet A <-- ASA A --> internet <-- ASA B --> internet <-- ASA C --> intranet C

because connections between A and B and between B and C are good, but connections between A and C are bad.

I just completed the IPSec settings between A and B and between B and C, but how should I tell ASA A, B, and C to work like this?

thanks a lot.

Labels:
Everyone's tags (6)
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor
‎08-03-2012 06:48 AM
‎08-03-2012 06:48 AM

ASA 5500 as an IPSec forwarder

Do you have routing-entries for all remote-networks in place? Has the ASA B hairpinning enabled?

"same-security-traffic permit intra-interface"


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor
or share a meal with a hungry child.

View solution in original post

0 Helpful
Reply
5 REPLIES 5
Highlighted
Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor
‎08-03-2012 05:10 AM
‎08-03-2012 05:10 AM

Re: ASA 5500 as an IPSec forwarder

In this scenario it's all about configuring the right IPSec-proxy-IDs (crypto-ACLs):

If A, B and C are the networks behind each ASA, then you need the following crypto ACLs:

ASA A:

access-list VPN-AtoB permit ip A B

access-list VPN-AtoB permit ip A C

ASA B:

access-list VPN-BtoA permit ip B A

access-list VPN-BtoA permit ip C A

access-list VPN-BtoC permit ip B C

access-list VPN-BtoC permit ip A C

ASA C:

access-list VPN-CtoB permit ip C B

access-list VPN-CtoB permit ip C A


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor
or share a meal with a hungry child.
Reply
Highlighted
nkarthikeyan
Rising star
Rising star
‎08-03-2012 05:12 AM
‎08-03-2012 05:12 AM

ASA 5500 as an IPSec forwarder

Hi Ling,

All you need is to allow the VPN traffic between A and C. As i can say you need to permit the VPN Ports bidirectional. Since ASA A to ASA C via ASA B and ASA C to ASA A via ASA B. So for example. If ASA A is trying for a IPSEC traffic with ASA C on ports udp500,4500 then ASA B should not block anything to allow the IPSEC traffic. If it is blocking... then there will be an issue...

Please do rate if the given information helps.

By

Karthik

Reply
Highlighted
gamecompany
Beginner
Beginner
‎08-03-2012 06:37 AM
‎08-03-2012 06:37 AM

ASA 5500 as an IPSec forwarder

Thanks for all answers, but it is not working

the common setting on all ASAs are

object-group network intra_asa550530

network-object 192.168.30.0 255.255.255.0

object-group network intra_asa550550

network-object 192.168.50.0 255.255.255.0

object-group network intra_asa550570

network-object 192.168.70.0 255.255.255.0

and the settings on ASA A(50)

access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550530

crypto map IPSec_map 10 match address encrypt_acl

crypto map IPSec_map 10 set peer 1.1.30.5

crypto map IPSec_map 10 set transform-set myset

crypto map IPSec_map interface outside

crypto isakmp enable outside

on ASA B(30, the forwarder)

access-list encrypt_acl50 extended permit ip object-group intra_asa550530 object-group intra_asa550550

access-list encrypt_acl70 extended permit ip object-group intra_asa550530 object-group intra_asa550570

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map IPSec_map 50 match address encrypt_acl50

crypto map IPSec_map 50 set peer 1.1.50.5

crypto map IPSec_map 50 set transform-set myset

crypto map IPSec_map 70 match address encrypt_acl70

crypto map IPSec_map 70 set peer 1.1.70.5

crypto map IPSec_map 70 set transform-set myset

crypto map IPSec_map interface outside

crypto isakmp enable outside

on ASA C(70)

access-list encrypt_acl extended permit ip object-group intra_asa550570 object-group intra_asa550530

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map IPSec_map 10 match address encrypt_acl

crypto map IPSec_map 10 set peer 1.1.30.5

crypto map IPSec_map 10 set transform-set myset

crypto map IPSec_map interface outside

crypto isakmp enable outside

I can ping from B to A and B to C by these settings, then I add the following:

on ASA A(50), allow from A to C

access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550570

on ASA B(30, the forwarder), allow from C to A and from A to C

access-list encrypt_acl50 extended permit ip object-group intra_asa550570 object-group intra_asa550550

access-list encrypt_acl70 extended permit ip object-group intra_asa550550 object-group intra_asa550570

on ASA C(70) allow from C to A

access-list encrypt_acl extended permit ip object-group intra_asa550570 object-group intra_asa550550

but it is still not working

0 Helpful
Reply
Highlighted
Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor
‎08-03-2012 06:48 AM
‎08-03-2012 06:48 AM

ASA 5500 as an IPSec forwarder

Do you have routing-entries for all remote-networks in place? Has the ASA B hairpinning enabled?

"same-security-traffic permit intra-interface"


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor
or share a meal with a hungry child.

View solution in original post

0 Helpful
Reply
Highlighted
gamecompany
Beginner
Beginner
‎08-05-2012 08:39 PM
‎08-05-2012 08:39 PM

ASA 5500 as an IPSec forwarder

Thanks karsten!! the trick is same-security-traffic permit intra-interface!!

0 Helpful
Reply
Latest Contents
Using Stealthwatch to Monitor IOT devices for exploitation, ...
Created by pejohns2 on 07-02-2020 09:08 AM
0
0
0
0
Stealthwatch Enterprise can be leveraged to monitor vulnerable devices, and alert on potential exploitation by bad actors looking to exploit Ripple20 and other potential vulnerabilities. Note that the concepts and procedures outlined here can be used for... view more
Using Stealthwatch to monitor and alert on suspicious/out-of...
Created by pejohns2 on 07-02-2020 06:23 AM
0
0
0
0
The following is useful to those entities interested in monitoring appropriate usage of Cisco WebEx resources within their environments, as well as those interested in tracking additional metrics around usage of the WebEx service. The relevant supporting... view more
Activated the SecureX ribbon with the wrong account in AMP, ...
Created by diddly on 07-01-2020 05:15 PM
0
0
0
0
Question I'm using AMP, and when I activated the SecureX Ribbon, I mistakenly used the wrong account to connect to SecureX. Now my SecureX Ribbon is connected to the wrong account. How do I fix it? Answer You can clear the SecureX Authorizatio... view more
Activated the SecureX ribbon with the wrong login account in...
Created by diddly on 07-01-2020 11:00 AM
0
0
0
0
Question I'm using Umbrella, and when I activated the Ribbon, I mistakenly used the wrong account to connect to SecureX. Now my SecureX Ribbon is connected to the wrong account. How do I fix it? Answer You can clear the SecureX Authorization for t... view more
Invalid username or password for dot1x endpoint
Created by getaway51 on 07-01-2020 09:26 AM
0
0
0
0
Hi, I saw certain endpoint running state is Unauthorized, UZ. Therefore I check in ISE found some details which I not sure related to endpoint being UZ or not , which is Invalid username or password under context endpoint. I do see the cert... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Cisco Community April 2020 Spotlight Award Winners

Follow our Social Media Channels