Routing Traffic between Two Site to Site VPN Tunnels

wittyenggs
Level 1

Hi Folks,

I am trying to establish routing between two site-to-site VPN tunnels, both of which are terminating on the same outside interface of my Cisco ASA.

Please find attached the network diagram for the same. All firewalls used are Cisco ASA 5520.

Both VPN tunnels, between Point A and Point B and between Point B and Point C, are up. I have enabled the same-security-level intra-interface permit command as well.

How do I enable traffic originating from LAN subnets behind Point A to reach LAN subnets behind Point C without having to create a separate tunnel between Point A and Point C?

Thanks a lot.  

Accepted Solution

Hi,

Basically you would need to do NAT0 and VPN rules on each site to allow this traffic.

I think the configurations should look something like below. Naturally you will probably already have an existing NAT0 configuration and certainly the L2L VPN configuration.

Site A

access-list NAT0 remark NAT0 rule for SiteA to SiteC traffic
access-list NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list NAT0
access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteA to SiteC
access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Where

  • NAT0 = Is the ACL that is to be used in the NAT0 rules that will exempt SiteA to SiteC traffic from NAT
  • nat = Is the actual NAT0 configuration line
  • L2L-VPN-CRYPTO-SITEB = Is the ACL in the L2L-VPN configurations that defines that the traffic from SiteA LAN to SiteC LAN should use the existing L2L-VPN towards SiteB

Site B

access-list OUTSIDE-NAT0 remark NAT0 rule for SiteA to SiteC traffic
access-list OUTSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE-NAT0
access-list L2L-VPN-CRYPTO-SITEA remark Traffic for SiteA to SiteC through existing Tunnel between A-B
access-list L2L-VPN-CRYPTO-SITEA permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L-VPN-CRYPTO-SITEC remark Traffic for SiteA to SiteC through existing Tunnel between B-C
access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Where

  • OUTSIDE-NAT0 = Is the ACL that is to be used in the NAT0 rules that will exempt SiteA to SiteC traffic from NAT. This time it is attached to the "outside" interface, as the traffic will be entering and leaving through that interface at SiteB
  • nat = Is the actual NAT0 configuration line
  • L2L-VPN-CRYPTO-SITEA (and SITEC) = Are the ACLs in the L2L-VPN configurations that define that the traffic from SiteA LAN to SiteC LAN should use the existing L2L-VPN connections.

Site C

access-list NAT0 remark NAT0 rule for SiteC to SiteA traffic
access-list NAT0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NAT0
access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteC to SiteA
access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

Where

  • NAT0 = Is the ACL that is to be used in the NAT0 rules that will exempt SiteC to SiteA traffic from NAT
  • nat = Is the actual NAT0 configuration line
  • L2L-VPN-CRYPTO-SITEB = Is the ACL in the L2L-VPN configurations that defines that the traffic from SiteC LAN to SiteA LAN should use the existing L2L-VPN towards SiteB

To my understanding the above should handle the NAT0 and traffic selection for the L2L VPN connections. Naturally the ACL/Interface names can be different depending on your current setup.

Hopefully this helps.

- Jouni

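The accepted answer above relies on three things lining up across three boxes: each spoke exempts the spoke-to-spoke pair from NAT and puts it in its crypto ACL toward the hub, and the hub carries the exact mirror in its crypto ACL toward each spoke plus an exemption on the outside interface. The following script is an added example, not configuration from the thread or from Cisco: it parses the pre-8.3 "access-list ... permit ip" lines of each site's config, checks every entry the design needs, and reports the exact mirror mismatches between a spoke's crypto ACL and the hub's ACL for that spoke (mismatched proxy IDs are a common reason such a tunnel never passes the hairpinned traffic). The ACL names follow the accepted answer; the sample configs are constructed from it, and the rule that a NAT exemption counts in either direction is this checker's own assumption.

```python
"""Added example (not part of the thread): verifies that a hub ASA and two
spokes carry every ACL entry the hub-and-spoke design needs for Site A <->
Site C traffic to be NAT-exempted and steered into the right tunnels.
Only pre-8.3 'access-list NAME permit ip NET MASK NET MASK' lines are parsed."""
import re
from ipaddress import IPv4Network

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)$"
)


def parse_acls(config):
    """Map ACL name -> set of (src_net, dst_net); remarks and other lines are skipped."""
    acls = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            pair = (IPv4Network((m["src"], m["smask"])),
                    IPv4Network((m["dst"], m["dmask"])))
            acls.setdefault(m["name"], set()).add(pair)
    return acls


def required_entries(lan_a, lan_c):
    """(site, acl, (src, dst)) tuples the design needs. ACL names follow the
    accepted answer; adapt them to the names in use on real boxes."""
    a_c, c_a = (lan_a, lan_c), (lan_c, lan_a)
    return [
        ("SiteA", "NAT0", a_c),                  # A exempts A->C from NAT
        ("SiteA", "L2L-VPN-CRYPTO-SITEB", a_c),  # A sends A->C down the A-B tunnel
        ("SiteB", "OUTSIDE-NAT0", a_c),          # hub exempts the hairpinned pair
        ("SiteB", "L2L-VPN-CRYPTO-SITEA", c_a),  # hub ACL toward A is the mirror: C->A
        ("SiteB", "L2L-VPN-CRYPTO-SITEC", a_c),  # hub ACL toward C: A->C
        ("SiteC", "NAT0", c_a),                  # C exempts C->A from NAT
        ("SiteC", "L2L-VPN-CRYPTO-SITEB", c_a),  # C sends C->A down the B-C tunnel
    ]


def find_gaps(site_configs, lan_a, lan_c):
    """Return a description of every missing entry (empty list means all present)."""
    lan_a, lan_c = IPv4Network(lan_a), IPv4Network(lan_c)
    parsed = {site: parse_acls(cfg) for site, cfg in site_configs.items()}
    gaps = []
    for site, acl, (src, dst) in required_entries(lan_a, lan_c):
        entries = parsed.get(site, {}).get(acl, set())
        # Assumption of this checker: a NAT exemption is accepted in either
        # direction; crypto ACL entries must match the exact direction.
        present = (src, dst) in entries or (
            acl.endswith("NAT0") and (dst, src) in entries)
        if not present:
            gaps.append(f"{site}: {acl} has no 'permit ip {src} {dst}'")
    return gaps


def crypto_mirror_mismatches(spoke_acl, hub_acl):
    """Entries of a spoke's crypto ACL whose exact reverse is absent from the
    hub's crypto ACL for that spoke (mismatched proxy IDs stall IPsec Phase 2)."""
    return sorted(f"{s} -> {d}" for s, d in spoke_acl if (d, s) not in hub_acl)


# Constructed sample configs, laid out like the accepted answer.
SITE_A = """
access-list NAT0 remark NAT0 rule for SiteA to SiteC traffic
access-list NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list NAT0
access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
SITE_B = """
access-list OUTSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE-NAT0
access-list L2L-VPN-CRYPTO-SITEA permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
SITE_C = """
access-list NAT0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NAT0
access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
GOOD = {"SiteA": SITE_A, "SiteB": SITE_B, "SiteC": SITE_C}
# Broken variant: the hub is missing the entry toward Site C.
BAD = dict(GOOD, SiteB=SITE_B.replace("access-list L2L-VPN-CRYPTO-SITEC", "! removed"))

if __name__ == "__main__":
    print("good:", find_gaps(GOOD, "192.168.1.0/24", "192.168.3.0/24"))
    print("bad: ", find_gaps(BAD, "192.168.1.0/24", "192.168.3.0/24"))
    print("mirror:", crypto_mirror_mismatches(
        parse_acls(SITE_C)["L2L-VPN-CRYPTO-SITEB"],
        parse_acls(BAD["SiteB"]).get("L2L-VPN-CRYPTO-SITEC", set())))
```

Run against the "good" set it prints an empty list; against the "bad" set it names the hub ACL that lacks the A-to-C entry, and the mirror check lists the Site C entry that has no reverse on the hub.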

Jouni Forss
VIP Alumni

Hi,

Your attachment (for me at least) keeps showing up as being scanned for viruses. I've seen this happen a lot in the last couple of weeks. It also seems that the notification emails are not coming regularly.

But on to the actual subject.

For the 2 spoke networks connected to the hub with L2L VPN to communicate, you will have to

  • Configure the "same-security-traffic permit intra-interface" as you have done
  • Configure the remote networks A and C in the "crypto map x match address " ACLs so that traffic gets forwarded from the one L2L VPN to the other L2L VPN
  • Configure the appropriate NAT rules for the traffic, whether it's NAT0 or some other type of NAT.

As I said, I can't see the picture, so I am not sure if there is something else to consider.

- Jouni

What problem in the above topology are you facing?

Jawad

Hi Jouni Forss,

Thanks a lot for your detailed reply. I still have some doubts.

This is the diagram. Now, if my understanding is correct, are you suggesting that I should add the subnets behind Firewall B and Firewall C to the interesting traffic ACL of Firewall A, and do the same for the interesting traffic of Firewall B and Firewall C as well?

Are there any other commands that need to be added apart from this? I am not going to perform NAT.


Jouni,

Does Site B need another no-nat statement?

access-list OUTSIDE-NAT0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

We are trying to do the same thing. Our problem right now as we test is that one of the ASAs is on 8.3 firmware, which is a little different. I did the configuration making allowances for the 8.3, but I cannot ping from Network A to a server in Network C. I am not sure if I missed something, but am still looking. Thought maybe something else had come to light and wanted to know if it worked for anyone else.

Thanks

Elvin Bashor

I tried adjusting the above configuration for an ASA running 9.1 and I couldn't get it working either.
Could someone be kind enough to post what the above config would look like under > 8.3 and the new NAT syntax?

Thanks

Greg

I was able to solve my own issue by rerunning the commands. For some reason they weren't taking. Here's a sample of the commands for SiteA:

nat (inside,outside) source static SiteA_Traffic SiteA_Traffic destination static SiteC_Traffic SiteC_Traffic no-proxy-arp route-lookup

access-list outside_cryptomap_4 extended permit ip object-group SiteA_Traffic object-group SiteC_Traffic

crypto map outside_map2 2 match address outside_cryptomap_4
crypto map outside_map2 2 set peer x.x.x.x
crypto map outside_map2 2 set ikev2 ipsec-proposal AES

I hope that helps someone.
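Greg's post shows the spoke side of the 8.3+ syntax only. The script below is an added example, not Greg's or the thread's configuration, that renders the whole of the accepted answer's hub-and-spoke design in the 8.3+ object and twice-NAT syntax: a manual identity NAT rule per spoke pair (the 8.3+ counterpart of "nat (x) 0 access-list"), the hub's hairpin rule on "(outside,outside)", and crypto ACLs where each hub entry is the exact mirror of the spoke's entry. It goes beyond the three-site case and handles any number of spokes behind one hub. The object, ACL and crypto map names, the sequence numbers and the peer addresses are placeholders chosen here; the existing proposal, tunnel-group and IKE lines of each tunnel are assumed to stay as they are.

```python
"""Added example (not from the thread): emits 8.3+ ASA config lines that give
every pair of spokes reachability through one hub over existing L2L tunnels.
Names and peer addresses are placeholders; LANs are the thread's subnets."""
from itertools import combinations


def lan_obj(site):
    """Network object holding a site's LAN (naming chosen for this example)."""
    return f"{site}_LAN"


def object_lines(sites, lans):
    out = []
    for s in sites:
        subnet, mask = lans[s]
        out += [f"object network {lan_obj(s)}", f" subnet {subnet} {mask}"]
    return out


def identity_nat(ingress, egress, local, remote):
    """Manual (twice) NAT identity rule: both subnets stay untranslated for
    traffic between them, the 8.3+ replacement for 'nat (x) 0 access-list'."""
    return (f"nat ({ingress},{egress}) source static {lan_obj(local)} {lan_obj(local)} "
            f"destination static {lan_obj(remote)} {lan_obj(remote)} no-proxy-arp route-lookup")


def crypto_permit(acl, src, dst):
    return f"access-list {acl} extended permit ip object {lan_obj(src)} object {lan_obj(dst)}"


def render_hub_and_spoke(hub, spokes, lans, peers, cmap="outside_map"):
    """Return {site: [config lines]}. lans: spoke -> (subnet, mask);
    peers: site -> tunnel peer address (placeholders in the sample below)."""
    cfg = {hub: ["same-security-traffic permit intra-interface"] + object_lines(spokes, lans)}
    for s in spokes:
        cfg[s] = object_lines([s] + [t for t in spokes if t != s], lans)
    for s, t in combinations(spokes, 2):
        # Each spoke: keep s<->t untranslated and steer it into the tunnel to the hub.
        cfg[s] += [identity_nat("inside", "outside", s, t), crypto_permit(f"CRYPTO_TO_{hub}", s, t)]
        cfg[t] += [identity_nat("inside", "outside", t, s), crypto_permit(f"CRYPTO_TO_{hub}", t, s)]
        # Hub: traffic enters and leaves on 'outside'; the ACL toward each spoke
        # is the exact mirror of that spoke's ACL, as in the accepted answer.
        cfg[hub] += [identity_nat("outside", "outside", s, t),
                     crypto_permit(f"CRYPTO_TO_{s}", t, s),
                     crypto_permit(f"CRYPTO_TO_{t}", s, t)]
    # Bind each ACL to a crypto map entry (sequence numbers are placeholders).
    for s in spokes:
        cfg[s] += [f"crypto map {cmap} 10 match address CRYPTO_TO_{hub}",
                   f"crypto map {cmap} 10 set peer {peers[hub]}"]
    for i, s in enumerate(spokes, start=1):
        cfg[hub] += [f"crypto map {cmap} {10 * i} match address CRYPTO_TO_{s}",
                     f"crypto map {cmap} {10 * i} set peer {peers[s]}"]
    return cfg


# Constructed topology: LANs from the thread, peer addresses are placeholders.
LANS = {"SiteA": ("192.168.1.0", "255.255.255.0"), "SiteC": ("192.168.3.0", "255.255.255.0")}
PEERS = {"SiteA": "192.0.2.1", "SiteB": "192.0.2.2", "SiteC": "192.0.2.3"}

if __name__ == "__main__":
    for site, lines in render_hub_and_spoke("SiteB", ["SiteA", "SiteC"], LANS, PEERS).items():
        print(f"! --- {site} ---")
        print("\n".join(lines))
```

On a box that already has a crypto ACL toward the hub, the generated "access-list" line is simply appended to that existing ACL rather than bound to a fresh crypto map entry.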

Can you post the whole configs for all sites?

I am trying to do this and cannot get it to work.

I understand this is a very old post, but do you know if this worked for you? I am challenged with the exact same setup.

Thanks,

Juan Bravo

Hi Jouni,

Very nice explanation provided to the user. Keep the good work going. I am converting this discussion to a document. The link for the same is mentioned below:

https://supportforums.cisco.com/docs/DOC-40454

Regards,

Anim Saxena

Community Manager

wittyenggs
Level 1

Thanks Jouni,

Actually, I have been inactive on SupportForums for quite some time now. Yes, the configs were spot on, and boy did they work!!!

But as I realized, a better option would be to go for a GRE over IPsec tunnel, as that would give me additional options like QoS, VoIP and multicast traffic to be encapsulated within IPsec.

Of course, it's not related to my original post.
