cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
460
Views
0
Helpful
3
Replies

How to route traffic between 2 Seperate VPN's (ASA 8.2)

sbrowne9111
Level 1
Level 1

Hi there I have 2 separate VPN tunnels from my ASA at present up and running. One VPN to a 3rd party and the other to cloud Service.  I want to be able to allow the 3rd part VPN trafffic to also be able to get to Cloud network over that other VPN tunnel and same with the Cloud traffic should be able to get back to the 3rd Party network.

 

CloudVPN<---->ASA<------->3dPartyVPN

Traffic should be able to flow from cloud through my ASA over to the 3rd PartyVPN

 

Do i need to create a static route on the ASA and or Ammend ACL + NAT mappings or add each others subnets to the opposite VPN tunnels.  Config is below for the ACL and NAT. Im new to ASA config and this is v 8.2 which is making is trickier. I no there is 2 object groups with same details but I was just trying to keep everything separate.

 

If you need anymore let me know.....

 

object-group network Cloud
 network-object 10.100.1.0 255.255.255.0

object-group network 3rdParty
 network-object 172.16.55.0 255.255.255.0
 network-object 172.16.129.0 255.255.255.0

object-group network 3rdParty#2
 network-object 172.16.129.0 255.255.255.0

object-group network BED-LAN
 network-object bed-Lan 255.255.255.0

 

access-list inside-no-nat extended permit ip object-group BED-LAN object-group 3rdParty#2

access-list BED-LIberty-VPN extended permit ip object-group BED-LAN object-group 3rdParty#2

 

access-list inside-no-nat extended permit ip object-group 3rdParty object-group Cloud

access-list azure-vpn-acl extended permit ip object-group 3rdParty object-group Cloud

nat (inside) 0 access-list inside-no-nat
nat (inside) 10 0.0.0.0 0.0.0.0

 

crypto map BED-VPN-Connections 20 match address BED-LIberty-VPN
crypto map BED-VPN-Connections 20 set pfs
crypto map BED-VPN-Connections 20 set peer *******
crypto map BED-VPN-Connections 20 set transform-set ESP-AES256-MD5 ESP-AES-256-MD5 ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-128-MD5 ESP-3DES-MD5
crypto map BED-VPN-Connections 20 set security-association lifetime kilobytes 4608000

crypto map BED-VPN-Connections 50 match address azure-vpn-acl
crypto map BED-VPN-Connections 50 set peer ******
crypto map BED-VPN-Connections 50 set transform-set azure-ipsec-proposal-set

3 Replies 3

Abaji Rawool
Level 3
Level 3

Hi,

This will be helpful :https://supportforums.cisco.com/document/12015091/cisco-asa-vpn-spoke-spoke-communication-hub

For nat you can use

nat (outside) 0  access-list <list for traffic between two spokes>

HTH

Abaji.

 

 

 

Perform the NAT 0 on the outside interface then and not on the inside? Or both?

I hope you reviewed the link, nat exempt on outside is for traffic between two spokes and nat exempt on inside is traffic from ASA to the respective spokes

 

HTH

Abaji.