Help with a simple 3 site VPN with an ASA and a couple of SMB routers

jm90
Beginner

Hey guys, I'll try to describe the attached pic. I have a pretty simple 3 site VPN I'm trying to get working in my home lab. I have an ASA5505 that's connected to my home network (192.168.1.0). The outside interface connects to two small business VPN routers using L2L IPSec; I'll call these remote sites. The tunnels are established and I can ping from the home network to the remote sites and vice versa. However, two issues:

1. RESOLVED (see my reply below): I can't ping between the two remote sites (192.168.2/24 to 192.168.3/24).

2. I can ping the Internet gateway's internal IP (192.168.1.1) from the remote sites but I can't ping anything on the Internet (nor its Internet facing interface). I do have a static route on the Internet gateway that points the remote sites' gateway to the ASA.

Relevant config from the ASA:

ciscoasa(config)# sh run access-list
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 any
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.3.0 255.255.255.0 any

ciscoasa(config)# sh run nat
nat (outside) 0 access-list 100

ciscoasa(config)# sh run crypto
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 1 match address 100
crypto map mymap 1 set peer 10.1.1.3 10.1.1.2
crypto map mymap 1 set transform-set tset
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 28800

ciscoasa(config)# sh run tunnel-group
tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
pre-shared-key *****
tunnel-group 10.1.1.3 type ipsec-l2l
tunnel-group 10.1.1.3 ipsec-attributes
pre-shared-key *****

ciscoasa(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C 10.1.1.0 255.255.255.0 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
S 192.168.2.0 255.255.255.0 [1/0] via 10.1.1.2, outside
S 192.168.3.0 255.255.255.0 [1/0] via 10.1.1.3, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, inside

ciscoasa(config)# sh vpn- l2l
Session Type: LAN-to-LAN

Connection : 10.1.1.2
Index : 29 IP Addr : 10.1.1.2
Protocol : IKE IPsec
Encryption : 3DES Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 0
Login Time : 14:39:28 UTC Mon Sep 5 2016
Duration : 0h:15m:19s

Connection : 10.1.1.3
Index : 30 IP Addr : 10.1.1.3
Protocol : IKE IPsec
Encryption : 3DES Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 0
Login Time : 14:45:28 UTC Mon Sep 5 2016
Duration : 0h:09m:19s


jm90
Beginner

Well, it looks like I just solved the first issue by enabling intra-interface communication. I didn't know there was a global config param for that. Does this mean that access-lists don't apply and thus you can't filter traffic between the two remote sites? Let's say I only want to allow HTTP traffic between the remote sites, as an example?

same-security-traffic permit intra-interface

Any ideas guys? I'm thinking I may need some specific NAT rules to actually enable NAT'ing rather than exempting it?

Hello JM90,

Below a link with vpn filters applicable to the group policy linked to the tunnel groups:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

Regards,

Miguel
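Worked example of the vpn-filter approach Miguel links to, written against the subnets and peers in the posted config. This is an added example, not configuration from the original thread or from the linked Cisco document. The ACL names (acl-site2-filter, acl-site3-filter) and group-policy names (gp-site2, gp-site3) are assumed; the syntax follows the pre-8.3 style of the posted config. Background for the question above: by default the ASA has sysopt connection permit-vpn enabled, so decrypted tunnel traffic bypasses the outside interface access-group, which is why an interface ACL cannot filter site-to-site traffic. A vpn-filter attached to the group policy of each tunnel-group is applied instead. Its ACEs are written from the remote peer's perspective (remote network as source, local side as destination); for traffic heading into the tunnel the ASA evaluates the same ACEs with source and destination swapped. Because the site 2 to site 3 traffic hairpins through both tunnels, it must pass the filter of the tunnel it arrives on and the filter of the tunnel it leaves on.

```cisco
! Added example, not from the original post. Names acl-site2-filter, acl-site3-filter,
! gp-site2 and gp-site3 are assumed. Goal: only HTTP from site 2 (192.168.2.0/24) to
! site 3 (192.168.3.0/24), while both sites keep full access to the home LAN (192.168.1.0/24).

! Filter for the site 2 tunnel (peer 10.1.1.2). Decrypted traffic arriving from site 2 is
! checked as written: site 2 hosts may open TCP/80 to site 3 hosts.
access-list acl-site2-filter extended permit tcp 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 80
access-list acl-site2-filter extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

! Filter for the site 3 tunnel (peer 10.1.1.3). The same HTTP session leaves the ASA into
! this tunnel, so the ASA checks it with source and destination swapped: the site 3 web
! server (source, port 80) talking to the site 2 client (destination). The reply packets that
! come back decrypted from site 3 match this ACE unswapped.
access-list acl-site3-filter extended permit tcp 192.168.3.0 255.255.255.0 eq 80 192.168.2.0 255.255.255.0
access-list acl-site3-filter extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

! One group policy per site so each tunnel gets its own filter
group-policy gp-site2 internal
group-policy gp-site2 attributes
 vpn-filter value acl-site2-filter
group-policy gp-site3 internal
group-policy gp-site3 attributes
 vpn-filter value acl-site3-filter

! Bind the group policies to the existing L2L tunnel-groups
tunnel-group 10.1.1.2 general-attributes
 default-group-policy gp-site2
tunnel-group 10.1.1.3 general-attributes
 default-group-policy gp-site3
```

Two caveats a practitioner would check: the vpn-filter ACL ends with an implicit deny, so anything not listed (including the existing any-to-any reachability between 192.168.2.0 and 192.168.3.0) stops working once the filter is attached, and an ACL used as a vpn-filter should not also be applied with access-group on an interface. After applying, a new tunnel session is needed for the filter to take effect; an attempt from a site 2 host to a non-HTTP port on site 3 should then fail while a TCP/80 connection succeeds.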
