cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
76146
Views
25
Helpful
13
Replies
Highlighted
Beginner

Routing Traffic between Two Site to Site VPN Tunnels

Hi Folks,

           I am trying to establish routing between two Site to Site vpn tunnels, both of which are terminating on the same outside interface of my Cisco ASA.

Please find attached Network Diagram for the same. All Firewalls used are Cisco ASA 5520.

Both VPN tunnels between Point A and Point B, Point B and Point C too are up. I have enabled Same security level intra interface permit command also.

How do i enable traffic originating from LAN Subnets behind Point A to reach LAN Subnets behind Point C without having to create a Seperate tunnel between Point A and Point C

Thanks a lot.  

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Hi,

Basically you would need to do NAT0 and VPN rules on each site to allow this traffic.

I think the configurations should look something like below. Naturally you will already probably have an existing NAT0 configuration and certainly the L2L VPN configuration

Site A

access-list NAT0 remark NAT0 rule for SiteA to SiteC traffic

access-list NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

nat (inside) 0 access-list NAT0

access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteA to SiteC

access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Where

  • NAT0 = Is the ACL that is to be used in the NAT0 rules that will exempt SiteA to SiteC traffic from NAT
  • nat = Is the actual NAT0 configuration line
  • L2L-VPN-CRYPTO-SITEB = Is the ACL in the L2L-VPN configurations that defines that the traffic from SiteA LAN to SiteC LAN should use the existing L2L-VPN towards SiteB

Site B

access-list OUTSIDE-NAT0 remark NAT0 rule for SiteA to SiteC traffic

access-list OUTSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

nat (outside) 0 access-list OUTSIDE-NAT0

access-list L2L-VPN-CRYPTO-SITEA remark Traffic for SiteA to SiteC through existing Tunnel between A-B

access-list L2L-VPN-CRYPTO-SITEA permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list L2L-VPN-CRYPTO-SITEC remark Traffic for SiteA to SiteC through existing Tunnel between B-C

access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Where

  • OUTSIDE-NAT0 = Is the ACL that is to be used in the NAT0 rules that will exempt SiteA to SiteC traffic from NAT. This is this time attached to the "outside" interface as the traffic will be entering and leaving through that interface at SiteB
  • nat = Is the actual NAT0 configuration line
  • L2L-VPN-CRYPTO-SITEA (and SITEC)  = Are the ACLs in the L2L-VPN configurations that defines that the  traffic from SiteA LAN to SiteC LAN should use the existing L2L-VPN  connections.

Site C

access-list NAT0 remark NAT0 rule for SiteC to SiteA traffic

access-list NAT0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list NAT0

access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteC to SiteA

access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

Where

  • NAT0 = Is the ACL that is to be used in the NAT0 rules that will exempt SiteC to SiteA traffic from NAT
  • nat = Is the actual NAT0 configuration line
  • L2L-VPN-CRYPTO-SITEB  = Is the ACL in the L2L-VPN configurations that defines that the  traffic from SiteC LAN to SiteA LAN should use the existing L2L-VPN  towards SiteB

To my understanding the above should handle the NAT0 and traffic selection for the L2L VPN connections. Naturally the ACL/Interface names can be different depending on your current setup.

Hopefully this helps

- Jouni

View solution in original post

13 REPLIES 13
Highlighted
Mentor

Hi,

Your attachment (for me atleast) keep showing up as being scanned for virus. I've seen this happen alot in the last couple of weeks. Seems also that the notification emails are not coming regularly.

But on to the actual subject

For the 2 spoke networks connect to the hub with L2L VPN to communicate you will have to

  • Configure the "same-security-traffic permit intra-interface" as you have done
  • Configure the remote networks A and C to the "crypto map x match address " ACLs so that traffic gets forwarded from the other L2L VPN to the other L2L VPN
  • Configure the appropriate NAT rules for the traffi wether its NAT0 or some other type of NAT.

As I said, I cant see the picture so I am not sure if there is something else to consider.

- Jouni

Highlighted

What Problem in abouve topology you are facing

Jawad
Highlighted

Hi JouniForss,

                   Thanks a lot for your detailed reply. Still have some doubts.

This is the Diagram. Now if my understanding is correct, then are you suggesting that i should add Subnets behind Firewall B and Firewall C in the interesting traffic ACL of Firewall A and should do the same for Interesting traffic for Firewall B And Firewall C also.

Any other commands that need to be added apart from this. I am not going to perform NAT.

Highlighted

Hi,

Basically you would need to do NAT0 and VPN rules on each site to allow this traffic.

I think the configurations should look something like below. Naturally you will already probably have an existing NAT0 configuration and certainly the L2L VPN configuration

Site A

access-list NAT0 remark NAT0 rule for SiteA to SiteC traffic

access-list NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

nat (inside) 0 access-list NAT0

access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteA to SiteC

access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Where

  • NAT0 = Is the ACL that is to be used in the NAT0 rules that will exempt SiteA to SiteC traffic from NAT
  • nat = Is the actual NAT0 configuration line
  • L2L-VPN-CRYPTO-SITEB = Is the ACL in the L2L-VPN configurations that defines that the traffic from SiteA LAN to SiteC LAN should use the existing L2L-VPN towards SiteB

Site B

access-list OUTSIDE-NAT0 remark NAT0 rule for SiteA to SiteC traffic

access-list OUTSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

nat (outside) 0 access-list OUTSIDE-NAT0

access-list L2L-VPN-CRYPTO-SITEA remark Traffic for SiteA to SiteC through existing Tunnel between A-B

access-list L2L-VPN-CRYPTO-SITEA permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list L2L-VPN-CRYPTO-SITEC remark Traffic for SiteA to SiteC through existing Tunnel between B-C

access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Where

  • OUTSIDE-NAT0 = Is the ACL that is to be used in the NAT0 rules that will exempt SiteA to SiteC traffic from NAT. This is this time attached to the "outside" interface as the traffic will be entering and leaving through that interface at SiteB
  • nat = Is the actual NAT0 configuration line
  • L2L-VPN-CRYPTO-SITEA (and SITEC)  = Are the ACLs in the L2L-VPN configurations that defines that the  traffic from SiteA LAN to SiteC LAN should use the existing L2L-VPN  connections.

Site C

access-list NAT0 remark NAT0 rule for SiteC to SiteA traffic

access-list NAT0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list NAT0

access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteC to SiteA

access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

Where

  • NAT0 = Is the ACL that is to be used in the NAT0 rules that will exempt SiteC to SiteA traffic from NAT
  • nat = Is the actual NAT0 configuration line
  • L2L-VPN-CRYPTO-SITEB  = Is the ACL in the L2L-VPN configurations that defines that the  traffic from SiteC LAN to SiteA LAN should use the existing L2L-VPN  towards SiteB

To my understanding the above should handle the NAT0 and traffic selection for the L2L VPN connections. Naturally the ACL/Interface names can be different depending on your current setup.

Hopefully this helps

- Jouni

View solution in original post

Highlighted

Jouni,

Does Site B need another no-nat statement?

access-list OUTSIDE-NAT0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

Highlighted

We are trying to do the same thing.  Our problem right now as we test is that one of the ASAs is 8.3 firmware, which is a little different.  I did the configuration making allowances for the 8.3, but I cannot ping from Network A to a server in Network C.  I am not sure if I missed something, but am still looking.  Thought maybe something else had come to light and wanted to know if it worked for anyone else.

Thanks

Elvin Bashor

Highlighted

I tried adjusting the above configuration for an ASA running 9.1 and I couldn't get it working either.
Could someone be kind enough to post what the above config would look like under > 8.3 and the new NAT syntax?

Thanks

Greg

Highlighted

I was able to solve my own issue by rerunning the commands. For some reason they weren't taking. Here's a sample of the commands for SiteA:

nat (inside,outside) source static SiteA_Traffic SiteA_Traffic destination static SiteC_Traffic SiteC_Traffic no-proxy-arp route-lookup


access-list outside_cryptomap_4 extended permit ip object-group SiteA_Traffic object-group SiteC_Traffic

crypto map outside_map2 2 match address outside_cryptomap_4
crypto map outside_map2 2 set peer x.x.x.x
crypto map outside_map2 2 set ikev2 ipsec-proposal AES

 

I hope that helps someone.

Highlighted

Can you post the whole configs for all sites

I am trying to do this and cannot get it to work 

 

Highlighted

I understand this is a very old post, but do you know if this worked for you?  I am challenged with the exact same setup.

Thanks,

Juan Bravo

Highlighted

Hi Jouni,

Very  nice explanation provided to user. Keep the good work going. I am  converting this discussion to a document. Link for the same is mentioned below:

https://supportforums.cisco.com/docs/DOC-40454

Regards,

Anim Saxena

Community Manager

Highlighted
Beginner

Thanks Jouni,

                 Actually i have been inactive on SupportForums for quite some time now. Yes the configs were spot on and boy did they work!!!

Highlighted

But as i realized a better option would be to go for a GRE over IPSEC Tunnel as that would give me additional options like QoS, VoIP and Multicast Traffic to be encapsulated within an IPSEC.

Of course its not related to my original post.