04-14-2009 05:45 AM
Hi Experts,
I have a situation where I need to configure forwarding between two VPN tunnels terminated in the same ASA box. One VPN tunnel will carry the incoming traffic, and this traffic needs to be sent down the other VPN tunnel in the ASA. Both VPN tunnels are coming in from the Internet and are talking to the same peer IP on the ASA.
To detail it,
Tunnel A
source: 192.168.1.0/25
Destination: 10.1.1.0/25
Local peer: 170.252.100.20 (ASA in question)
Remote Peer: 144.36.255.254
Tunnel B
Source: 192.168.1.0/25
Destination: 10.1.1.0/25
Local Peer IP: 170.252.100.20 (ASA box in question)
Remote Peer IP: 195.75.75.1
Can this be achieved? What configurations are needed in the ASA apart from the crypto ACL entries?
Thanks in advance for your time.
04-14-2009 08:29 AM
Thought so. In that case your config is right, and you can avoid using routes on your ASA since it should route based on its default gateway. Be sure to have the proper nonat rules in place and the same-security-interface permit inter-interface statement that you need.
04-14-2009 06:34 AM
Are you saying that this tunnel should receive traffic, say, from tunnel A and forward the reply on tunnel B? If that is the case, this is not possible; only one tunnel will be used at a time.
04-14-2009 07:22 AM
This is absolutely possible... but if I were you I would make the remote networks unique.
04-14-2009 07:34 AM
For your specific scenario where both sources for tunnel A and B are the same, you can't unless you use some sort of NAT.
04-14-2009 07:53 AM
How about this configuration for the scenario in question...
In the Cisco ASA where both the VPNs terminate..
interface G0/0
nameif Untrust
ip address 170.252.100.20 255.255.255.248
access-list pointAToCiscoASA_Traffic extended permit ip 10.1.1.0 255.255.255.128 192.168.1.0 255.255.255.128
access-list CiscoASAtopointB_Traffic extended permit ip 192.168.1.0 255.255.255.128 10.1.1.0 255.255.255.128
crypto map Untrust_map 1 match address pointAToCiscoASA_Traffic
crypto map Untrust_map 1 set peer 144.36.255.254
crypto map Untrust_map 1 set transform-set ESP-3DES-MD5
crypto map Untrust_map 2 match address CiscoASAtopointB_Traffic
crypto map Untrust_map 2 set peer 195.75.75.1
crypto map Untrust_map 2 set transform-set ESP-3DES-MD5
<-- This is the interesting part... I am routing the packets towards the tunnels' remote peer IPs. As the ASA will know to use the VPN tunnels to reach the peer IPs, I believe it will send the traffic down the appropriate VPN tunnels -->
route Untrust 10.1.1.0 255.255.255.128 195.75.75.1
route Untrust 192.168.1.0 255.255.255.128 144.36.255.254
tunnel-group 144.36.255.254 type ipsec-l2l
tunnel-group 144.36.255.254 ipsec-attributes
pre-shared-key *
tunnel-group 195.75.75.1 type ipsec-l2l
tunnel-group 195.75.75.1 ipsec-attributes
pre-shared-key *
04-14-2009 08:03 AM
I am confused. Are you saying that 192.168.1.0/24 and 10.1.1.0/25 are remote to the ASA, meaning the ASA does not have any of those locally on any interface? So what you are trying to do is to pass from tunnel A to tunnel B using the ASA as a hub only?
Tell me something: in your scenario, do both remote sites (A and B) have the same IP addresses? For example, do both have 192.168.1.0 or 10.1.1.0, or do they have different IP addresses?
04-14-2009 08:20 AM
Sorry for the confusion... let me try to clear it up...
You are correct in your understanding... the Cisco ASA will only be the hub... it will have neither of the subnets locally... and I am just trying to pass the traffic from tunnel A to tunnel B...
Point A will have the subnet 192.168.1.0 as its local subnet and Point B will have the subnet 10.1.1.0 as its local subnet...