06-11-2015 05:34 AM
Hi there, I have 2 separate VPN tunnels from my ASA at present up and running. One VPN to a 3rd party and the other to a cloud service. I want to be able to allow the 3rd party VPN traffic to also be able to get to the Cloud network over that other VPN tunnel, and likewise the Cloud traffic should be able to get back to the 3rd Party network.
CloudVPN<---->ASA<------->3dPartyVPN
Traffic should be able to flow from cloud through my ASA over to the 3rd PartyVPN
Do I need to create a static route on the ASA and/or amend ACL + NAT mappings, or add each other's subnets to the opposite VPN tunnels? Config is below for the ACL and NAT. I'm new to ASA config and this is v8.2, which is making it trickier. I know there are 2 object groups with the same details, but I was just trying to keep everything separate.
If you need anymore let me know.....
object-group network Cloud
network-object 10.100.1.0 255.255.255.0
object-group network 3rdParty
network-object 172.16.55.0 255.255.255.0
network-object 172.16.129.0 255.255.255.0
object-group network 3rdParty#2
network-object 172.16.129.0 255.255.255.0
object-group network BED-LAN
network-object bed-Lan 255.255.255.0
access-list inside-no-nat extended permit ip object-group BED-LAN object-group 3rdParty#2
access-list BED-LIberty-VPN extended permit ip object-group BED-LAN object-group 3rdParty#2
access-list inside-no-nat extended permit ip object-group 3rdParty object-group Cloud
access-list azure-vpn-acl extended permit ip object-group 3rdParty object-group Cloud
nat (inside) 0 access-list inside-no-nat
nat (inside) 10 0.0.0.0 0.0.0.0
crypto map BED-VPN-Connections 20 match address BED-LIberty-VPN
crypto map BED-VPN-Connections 20 set pfs
crypto map BED-VPN-Connections 20 set peer *******
crypto map BED-VPN-Connections 20 set transform-set ESP-AES256-MD5 ESP-AES-256-MD5 ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-128-MD5 ESP-3DES-MD5
crypto map BED-VPN-Connections 20 set security-association lifetime kilobytes 4608000
crypto map BED-VPN-Connections 50 match address azure-vpn-acl
crypto map BED-VPN-Connections 50 set peer ******
crypto map BED-VPN-Connections 50 set transform-set azure-ipsec-proposal-set
06-11-2015 11:30 PM
Hi,
This will be helpful: https://supportforums.cisco.com/document/12015091/cisco-asa-vpn-spoke-spoke-communication-hub
For nat you can use
nat (outside) 0 access-list <list for traffic between two spokes>
HTH
Abaji.
06-12-2015 01:32 AM
Perform the NAT 0 on the outside interface then and not on the inside? Or both?
06-13-2015 01:07 AM
I hope you reviewed the link. NAT exempt on outside is for traffic between the two spokes, and NAT exempt on inside is for traffic from the ASA to the respective spokes.
HTH
Abaji.
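A worked example of the spoke-to-spoke pieces in 8.2 syntax, added here as an illustration and not part of the original thread or of Abaji's reply. It reuses the object-group and ACL names from the first post and assumes the interfaces are named inside and outside, and that both remote peers are updated to carry the other spoke's subnet in their own crypto ACLs (assumptions, not stated in the thread). The nat (inside) 0 entry for 3rdParty -> Cloud in the original post never matches this traffic, because a packet arriving from one tunnel enters on outside, not inside; that is why the exemption has to be bound to outside as well.

```text
! Constructed example config, not from the thread. Traffic decrypted from one tunnel must be
! allowed to leave on the same (outside) interface into the other tunnel.
same-security-traffic permit intra-interface

! NAT exemption on the OUTSIDE interface for spoke-to-spoke flows (one line per direction).
! nat (inside) 0 only covers hosts behind the ASA; it does not see traffic arriving from a tunnel.
access-list outside-no-nat extended permit ip object-group Cloud object-group 3rdParty#2
access-list outside-no-nat extended permit ip object-group 3rdParty#2 object-group Cloud
nat (outside) 0 access-list outside-no-nat

! Each crypto map ACL must also carry the other spoke's subnet, so the proxy IDs cover transit traffic.
! Tunnel to the 3rd party (BED-LAN -> 3rdParty#2 is already there): add Cloud -> 3rdParty#2.
access-list BED-LIberty-VPN extended permit ip object-group Cloud object-group 3rdParty#2
! Tunnel to the cloud: the original azure-vpn-acl already has 3rdParty -> Cloud. Note that it
! uses 3rdParty (two subnets) while the 3rd-party tunnel uses 3rdParty#2 (one subnet); pick one
! group for both sides so the two tunnels agree on which 172.16.x.0/24 networks are in scope.

! Verification (hosts are made up). packet-tracer shows whether the flow hits the outside NAT
! exemption and the correct crypto map entry; the SA counters confirm traffic is actually encrypted.
packet-tracer input outside tcp 10.100.1.20 40000 172.16.129.20 445 detailed
packet-tracer input outside tcp 172.16.129.20 40000 10.100.1.20 443 detailed
show crypto ipsec sa
```

Two caveats a practitioner would want. First, the remote peers must mirror these proxy IDs (the cloud side must accept 172.16.129.0/24 as an on-premises network, and the 3rd party must accept 10.100.1.0/24), otherwise phase 2 for that pair will not negotiate. Second, with this in place the ASA is transiting a third party's traffic into the cloud network and back; because sysopt connection permit-vpn is enabled by default, the outside interface ACL is not applied to tunnel traffic, so restrict the transit flows with a vpn-filter in each tunnel's group-policy rather than relying on the interface ACL.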