site to site between two ASA firewall

sfanayei
Level 1

Hi,

I have two ASAs and I would like to configure both ASAs for S2S. ASA1 is in HQ and ASA2 is in the branch office. The HQ ASA has multiple S2S connections and the branch ASA has only the S2S to HQ. The scenario is that I would send all the traffic (both to the Internet and to the local network behind the HQ ASA) from ASA2 through the tunnel. The issue is that when the tunnel is up there is connectivity from ASA2 (branch office) to the local network behind ASA1 (HQ), but clients behind ASA2 have no connectivity when they attempt to go to the Internet. Thanks a lot in advance for any help!

HQ ASA external IP 192.x.y.z/24, local network 10.70.0.0/16

Branch office ASA external IP 168.x.y.z/24, local network 10.79.1.0/24


Pawel Cecot
Cisco Employee

Hi,

You need to configure so-called "hairpinning". Check the document below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

The important steps are:

same-security-traffic permit intra-interface

+ proper NAT

pre-8.3:
nat (outside) 10 ...
global (outside) 10 ...

post-8.3:
nat (outside,outside) ...

Thanks,

Pawel

Thanks for your reply. I have to say that I am new to this ASA. In my scenario there is no IPsec client involved. Your diagram is a little different compared to my scenario. In my scenario two ASAs with OS 9.0, each with their own local network, are involved!

Yes, I'm aware that the document is about the VPN Client; however, the idea is the same.

You need to do a U-turn on the ASA. For that you need same-security... And after that you need to translate the source of the packets so they will be routable on the Internet.

Configuration guide which explains all you need:

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/vpn_params.html#wp1042114

Pawel

Hi again :)

The enabling of traffic with same-security has to be done on ASA2 (in the branch office), right? And you mean I can still send the Internet traffic through the tunnel to ASA1 (HQ) if I NAT the same source IP from the local network on the branch office ASA2?

Hi

I forgot to send my configuration from ASA2 (in the branch office). Maybe it will help!

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.79.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asdm-711-52
boot system disk0:/asdm-701.bin
boot system disk0:/asa825-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 10.79.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.79.1.0 255.255.255.0 any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-701.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.79.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 130.225.0.84
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd address 10.79.1.50-10.79.1.80 inside
dhcpd dns 10.70.1.245 10.70.1.245 interface inside
dhcpd wins 10.70.1.245 10.70.1.246 interface inside
dhcpd lease 10000 interface inside
dhcpd domain oddermuseum.au.dk interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 130.x.y.z type ipsec-l2l
tunnel-group 130.x.y.z ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7f2b8f8b6111f1ce4ea7dbd6cf1869ce
: end

same-security-traffic permit intra-interface has to be enabled on the HQ (ASA1) as this is where you need to do a u-turn with the Internet traffic.

NAT should also be performed on the HQ, so that the Internet will know where to send the traffic back - HQ.

The crypto ACL should look something like this (assuming that 10.79.1.0/24 is the branch subnet):

HQ - access-list NAME permit ip any 10.79.1.0 255.255.255.0

BRANCH - access-list NAME permit ip 10.79.1.0 255.255.255.0 any

+ PAT (first example: http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/vpn_params.html#wp1047799)

Pawel

Thanks Pawel!

I will try to see if it works!

pope30349
Level 1

Can you post the HQ config? I'm sure that's where the problem is.

Sent from Cisco Technical Support iPhone App

Thanks for your reply.

It is a very long configuration. I just decided that traffic to the remote local network should go through the tunnel, and now I want to figure out how I can send the traffic to the Internet through the branch ASA's own outside interface, not through the HQ ASA.

This should help you out:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0


access-list inside_nat0_outbound extended permit ip 10.79.1.0 255.255.255.0 x.x.x.x 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.79.1.0 255.255.255.0 x.x.x.x 255.255.255.0

x.x.x.x = the subnet of HQ; in the HQ ASA you need the reverse ACL:

access-list inside_nat0_outbound extended permit ip x.x.x.x 255.255.255.0 10.79.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip x.x.x.x 255.255.255.0 10.79.1.0 255.255.255.0

This way traffic going to the Internet will be NATed as it goes out, and traffic for the VPN will not be NATed as it goes down the tunnel.
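As an added illustration (not code from this thread or from Cisco), a small Python model of the pre-8.3 order of operations that both answers in the thread depend on: it contrasts the posted tunnel-all ACLs, which need the U-turn and PAT on the HQ ASA that Pawel describes, with the accepted split ACLs. The 10.79.1.0/24 and 10.70.0.0/16 subnets come from the original post; the outside addresses, the Internet host and the flag names for the HQ side are constructed for the example.

```python
import ipaddress

# Constructed model of the pre-8.3 ASA flow used in this thread: the nat 0 ACL
# exempts a flow from translation, the crypto map ACL decides whether it is
# encrypted, and anything else hits "nat (inside) 1 0 0" + "global (outside) 1 interface".
BRANCH_LAN = ipaddress.ip_network("10.79.1.0/24")   # from the post
HQ_LAN = ipaddress.ip_network("10.70.0.0/16")       # from the post
ANY = ipaddress.ip_network("0.0.0.0/0")
BRANCH_OUTSIDE = "198.51.100.2"   # constructed stand-in for the branch outside address
HQ_OUTSIDE = "203.0.113.2"        # constructed stand-in for the HQ outside address

def acl_permits(acl, src, dst):
    """acl: list of (src_net, dst_net) tuples, i.e. 'permit ip SRC DST' entries."""
    return any(src in s and dst in d for s, d in acl)

def branch_egress(cfg, src, dst):
    """Where a branch LAN packet goes and the source address it leaves with."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    exempt = acl_permits(cfg["nat0"], src, dst)
    if acl_permits(cfg["crypto"], src, dst):
        # Encrypted; it keeps its private source only when nat 0 exempts it.
        return "tunnel", str(src) if exempt else BRANCH_OUTSIDE
    # Clear text out of the outside interface, PATed unless exempted.
    return "internet", str(src) if exempt else BRANCH_OUTSIDE

def hq_uturn(cfg, src, dst):
    """Fate at HQ of a packet that arrived through the tunnel from the branch."""
    if ipaddress.ip_address(dst) in HQ_LAN:
        return "hq-lan", src
    # Internet-bound: must re-enter and leave the same outside interface.
    if not cfg["intra_interface"]:
        return "dropped", src          # same-security-traffic permit intra-interface missing
    if not cfg["outside_pat"]:
        return "internet", src         # forwarded with a private source: no return path
    return "internet", HQ_OUTSIDE      # nat (outside) 10 ... + global (outside) 10 interface

# Posted branch config: both ACLs end in "any", so every flow is tunnelled unNATed.
TUNNEL_ALL = {"nat0": [(BRANCH_LAN, ANY)], "crypto": [(BRANCH_LAN, ANY)]}
# Accepted solution: only HQ-bound flows are exempted and encrypted.
SPLIT = {"nat0": [(BRANCH_LAN, HQ_LAN)], "crypto": [(BRANCH_LAN, HQ_LAN)]}
HQ_NO_HAIRPIN = {"intra_interface": False, "outside_pat": False}
HQ_HAIRPIN = {"intra_interface": True, "outside_pat": True}

if __name__ == "__main__":
    client, web = "10.79.1.50", "198.51.100.80"   # constructed client and Internet host
    print(branch_egress(TUNNEL_ALL, client, web))        # ('tunnel', '10.79.1.50')
    print(hq_uturn(HQ_NO_HAIRPIN, client, web))          # ('dropped', '10.79.1.50')
    print(hq_uturn(HQ_HAIRPIN, client, web))             # ('internet', '203.0.113.2')
    print(branch_egress(SPLIT, client, "10.70.1.245"))   # ('tunnel', '10.79.1.50')
```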

Hi,

That was it!

Thanks a lot :)