01-19-2012 04:10 PM
Need a little direction here.
Our office currently connects to two remote offices via IPSEC LAN-to-LAN tunnels.
Tunnel 1 (Office 1 to Datacenter): 10.2.0.0/16 (remote office 1) <-> 10.1.128.0/19 (datacenter)
Tunnel 2 (Office 2 to Datacenter): 10.1.60.0/24 (remote office 2) <-> 10.1.128.0/19 (datacenter)
We've recently added a tunnel to a third office and wish to allow traffic from Tunnel 1's office and Tunnel 2's office as well as traffic from the datacenter to have access to Tunnel 3's office. An ASA 5510 is terminating all three of these tunnels in the datacenter. Is it possible to accomplish this using only the ASA by adding the following traffic selections to tunnels 1 and 2 (to the datacenter) and adding Tunnel 3?
Tunnel 1 (Office 1 to Datacenter): 10.2.0.0/16 (remote office 1) <-> 10.15.0.0/16 (remote office 3)
Tunnel 2 (Office 2 to Datacenter): 10.1.60.0/24 (remote office 2) <-> 10.15.0.0/16 (remote office 3)
Tunnel 3 (Office 3 to Datacenter): 10.15.0.0/16 (remote office 3) <-> 10.1.128.0/19 (datacenter), 10.15.0.0/16 (remote office 3) <-> 10.2.0.0/16 (remote office 1), 10.15.0.0/16 (remote office 3) <-> 10.1.60.0/24 (remote office 2)
In essence allowing both office 1 and 2 to reach office 3 bi-directionally through the datacenter's ASA. It's not currently possible to terminate tunnels between offices 1 and 2 and office 3 directly.
Other useful information:
Thanks!
01-19-2012 04:49 PM
Hi Bsisco,
Can you please post the VPN interesting traffic from the Datacenter firewall and Office 2, and get the interesting-traffic definitions from Office 3 as well?
Also, you will need the following command on the Datacenter firewall to allow hairpinned traffic:
same-security-traffic permit intra-interface
Good link to read to understand the concepts:
Manish
01-19-2012 05:21 PM
Hello Bsisco,
So you are going to build 3 different tunnels on remote site number 3, then you would like those 3 other branches to be able to talk to each other via remote site number 3, right?
Yes, that is possible. You will need to :
1- Add to the VPN crypto traffic on remote site number 3 the communication between all the other sites with each other, and the return traffic.
Example:
Site-to-site: Remote office 1 <-> Remote office 3
On remote office 1
access-list vpn permit ip remote_office1 remoteoffice3
access-list vpn permit ip remote_office1 remoteoffice2
access-list vpn permit ip remote_office1 datacenter
On Remote office 3 (VPN HQ), tunnel group with remote office 1, crypto ACLs:
access-list vpn1 permit ip remote_office3 remote_office1
access-list vpn1 permit ip remote_office2 remote_office1
access-list vpn1 permit ip datacenter remote_office1
2-same-security-traffic permit inter-interface
Hope this helps.
Regards,
Julio
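Added worked example (not from either reply above): the datacenter ASA configured as the hub the original poster describes, with office-to-office traffic hairpinned through it. It follows the poster's subnets; everything else is assumed: ASA 8.2-era syntax for the 5510, interfaces named "outside" and "inside", the crypto map, ACL and transform-set names, and the peer addresses (documentation range placeholders). The existing ISAKMP policy, tunnel-group and pre-shared-key configuration is unchanged and not shown.

```cisco
! Datacenter ASA 5510 (hub). Added example, not the thread's own config.
! Assumed: ASA 8.2-style syntax, interface names "outside"/"inside",
! the map/ACL/transform-set names, and placeholder peers 198.51.100.x.

! A packet decrypted from one tunnel on "outside" must be allowed to
! leave "outside" again into another tunnel (same-interface hairpin).
same-security-traffic permit intra-interface

object-group network DATACENTER
 network-object 10.1.128.0 255.255.224.0
object-group network OFFICE1
 network-object 10.2.0.0 255.255.0.0
object-group network OFFICE2
 network-object 10.1.60.0 255.255.255.0
object-group network OFFICE3
 network-object 10.15.0.0 255.255.0.0

! Tunnel 1: existing DC<->Office1 pair plus the new Office3<->Office1 pair.
access-list VPN-OFFICE1 extended permit ip object-group DATACENTER object-group OFFICE1
access-list VPN-OFFICE1 extended permit ip object-group OFFICE3 object-group OFFICE1

! Tunnel 2: existing DC<->Office2 pair plus Office3<->Office2.
access-list VPN-OFFICE2 extended permit ip object-group DATACENTER object-group OFFICE2
access-list VPN-OFFICE2 extended permit ip object-group OFFICE3 object-group OFFICE2

! Tunnel 3: DC, Office1 and Office2 all appear as "local" networks.
! The hub matches outbound packets against these lists, so a packet
! from Office1 to Office3 hits VPN-OFFICE3 and a packet from Office3 to
! Office1 hits VPN-OFFICE1; the two directions never overlap.
access-list VPN-OFFICE3 extended permit ip object-group DATACENTER object-group OFFICE3
access-list VPN-OFFICE3 extended permit ip object-group OFFICE1 object-group OFFICE3
access-list VPN-OFFICE3 extended permit ip object-group OFFICE2 object-group OFFICE3

! Datacenter LAN to any office must not be translated. Hairpinned
! office-to-office traffic never crosses "inside", so it does not hit
! this rule at all.
access-list NONAT extended permit ip object-group DATACENTER object-group OFFICE1
access-list NONAT extended permit ip object-group DATACENTER object-group OFFICE2
access-list NONAT extended permit ip object-group DATACENTER object-group OFFICE3
nat (inside) 0 access-list NONAT

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address VPN-OFFICE1
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address VPN-OFFICE2
crypto map OUTSIDE_MAP 20 set peer 198.51.100.2
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 30 match address VPN-OFFICE3
crypto map OUTSIDE_MAP 30 set peer 198.51.100.3
crypto map OUTSIDE_MAP 30 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Office 1 firewall: the exact mirror of VPN-OFFICE1 on the hub, so the
! Phase 2 proposals match. Office 2 and Office 3 need the same treatment
! for their own lists (every hub entry reversed, nothing extra).
! access-list VPN-DC extended permit ip 10.2.0.0 255.255.0.0 10.1.128.0 255.255.224.0
! access-list VPN-DC extended permit ip 10.2.0.0 255.255.0.0 10.15.0.0 255.255.0.0
```

Two checks worth doing after applying this. First, `show crypto ipsec sa peer 198.51.100.3` should list one SA per selector pair in VPN-OFFICE3 once traffic has flowed; a selector that exists on only one side of a tunnel shows up as a Phase 2 (IPsec SA) negotiation failure in `debug crypto ipsec`, which is the usual symptom of a crypto ACL that was not mirrored on the spoke. Second, the example relies on the default `sysopt connection permit-vpn`, which lets decrypted tunnel traffic bypass the outside interface ACL; if that has been disabled with `no sysopt connection permit-vpn`, the office-to-office flows additionally need explicit permits in the outside ACL.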