01-18-2012 11:23 PM - edited 02-21-2020 05:49 PM
Okay, I need help. I am sure my config is correct, but I am getting no joy.
I have four sites: siteA, siteB, siteC and siteD. siteC and siteD both connect to siteB via an IPsec VPN. There is no requirement for connectivity between siteC and siteD. Connectivity between siteC and siteB and between siteD and siteB is fine. siteB is also connected to siteA via an IPsec VPN, and connectivity between siteB and siteA is fine.
Now the business wants siteC and siteD to connect to siteA, and the design calls for this to happen through siteB,
so
siteC <---|
          |
          |---> siteB <---> siteA
          |
siteD <---|
I hope that diagram comes out okay. Now the IP addresses and config:
siteC 192.168.32.0/24 (Cisco 1841)
siteD 192.168.33.0/24 (Cisco 1841)
siteB 192.168.8.0/24 (Cisco ASA 5510)
siteA 10.0.0.0/24 (Cisco ASA 5540)
siteC
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key <something> address <siteB Peer IP> no-xauth
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map cryptomap 10 ipsec-isakmp
description Tunnel to HQ
set peer <siteB Peer IP>
set transform-set ESP-AES256-SHA
match address acl-vpn-to-hq
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list extended NAT
deny ip 192.168.32.0 0.0.0.255 192.168.8.0 0.0.0.255
deny ip 192.168.32.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.32.0 0.0.0.255 any
ip access-list extended acl-vpn-to-hq
permit ip 192.168.32.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip 192.168.32.0 0.0.0.255 10.0.0.0 0.0.0.255
siteD
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key <something> address <siteB Peer IP> no-xauth
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map cryptomap 10 ipsec-isakmp
description Tunnel to HQ
set peer <siteB Peer IP>
set transform-set ESP-AES256-SHA
match address acl-vpn-to-hq
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list extended NAT
deny ip 192.168.33.0 0.0.0.255 192.168.8.0 0.0.0.255
deny ip 192.168.33.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.33.0 0.0.0.255 any
ip access-list extended acl-vpn-to-hq
permit ip 192.168.33.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip 192.168.33.0 0.0.0.255 10.0.0.0 0.0.0.255
siteB
crypto isakmp policy 100
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
!
crypto map outside_map 100 match address outside_cryptomap_2
crypto map outside_map 100 set peer <siteA Peer IP>
crypto map outside_map 100 set transform-set ESP-AES-256-SHA
!
access-list outside_cryptomap_2 extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.255.0
!
crypto map outside_map 120 match address outside_cryptomap_1
crypto map outside_map 120 set peer <siteC Peer IP>
crypto map outside_map 120 set transform-set ESP-AES-256-SHA
!
access-list outside_cryptomap_1 extended permit ip 192.168.8.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 192.168.32.0 255.255.255.0
!
crypto map outside_map 140 match address outside_cryptomap
crypto map outside_map 140 set peer <siteD Peer IP>
crypto map outside_map 140 set transform-set ESP-AES-256-SHA
!
access-list outside_cryptomap extended permit ip 192.168.8.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.33.0 255.255.255.0
!
crypto map outside_map interface outside
!
nat (inside) 0 access-list inside_nat0_outbound
!
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.33.0 255.255.255.0 10.0.0.0 255.255.255.0
!
siteA
crypto isakmp policy 100
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
!
crypto map outside_map 140 match address outside_cryptomap
crypto map outside_map 140 set peer <siteB Peer IP>
crypto map outside_map 140 set transform-set ESP-AES-256-SHA
!
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
!
crypto map outside_map interface outside
!
nat (inside) 0 access-list inside_nat0_outbound
!
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.0.0
!
I may have missed some config, but it looks complete. Any pointers or ideas?
01-19-2012 02:07 AM
Your config is incomplete. If Site A is 10.0.0.0/24 and Sites C & D wish to access it and vice versa, three things need to happen:
1) C & D need the no-NAT and interesting ACLs to include the 10/24
2) B needs to have the source 10.0.0.0/24 to Site C and Site D in the no-NAT list.
3) B needs to have the source 10.0.0.0/24 in the interesting ACLs for C & D (which you already have)
01-19-2012 02:57 AM
Thank you for your reply, it's appreciated.
1. I think this is covered with:
ip access-list extended NAT
deny ip 192.168.32.0 0.0.0.255 192.168.8.0 0.0.0.255
deny ip 192.168.32.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.32.0 0.0.0.255 any
ip access-list extended acl-vpn-to-hq
permit ip 192.168.32.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip 192.168.32.0 0.0.0.255 10.0.0.0 0.0.0.255
2. That's not there; I will add it tomorrow morning and test, thanks.
3. As you said, I already have that.
Thank you again.
01-19-2012 03:13 AM
Yeah, sorry about that. Correct, number 1 is in place (going slowly blind!)
Good, good. Let us know how you get on tomorrow?!
01-22-2012 11:04 PM
Okay, I have added the following lines to address point 2:
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.33.0 255.255.255.0
and it still doesn't work. The offices in question are closed till Wednesday for Chinese New Year, so I will run some more tests tomorrow and post back, but so far no luck.
Thanks again, Andrew.
01-22-2012 11:50 PM
Check your routing. Does Site A have routes to Site C and Site D through Site B?
01-23-2012 03:00 PM
The routing was fine. I found the issue:
same-security-traffic permit intra-interface
Once I entered this, traffic started flowing.
Problem solved, but thanks for helping, Andrew.
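As an added example (not from the original thread or from Cisco), the Python script below parses the ACLs posted above and mechanically checks the three conditions listed in the 01-19-2012 02:07 AM reply: spoke-side interesting traffic and NAT exemption include siteA, the hub's nat 0 list exempts each transit flow in both directions, and each crypto ACL is the mirror image of its peer's. It runs once against the original siteB no-NAT list, where it reports the two missing 10.0.0.0/24 -> spoke exemptions, and once with the two lines added on 01-22, where it passes. It assumes siteA is 10.0.0.0/24 and reads the outside_cryptomap_2 mask as 255.255.255.0. Note what such a check cannot find: the hairpin drop that same-security-traffic permit intra-interface fixed is a forwarding-policy setting on the ASA, not an ACL mismatch, so a clean result here does not rule it out.

```python
"""Consistency checks for the hub-and-spoke IPsec ACLs posted in the thread.

Condition 1: each spoke's crypto ACL and NAT deny list include LAN -> siteA.
Condition 2: the hub's nat 0 list exempts each transit flow in BOTH directions.
Condition 3: the hub's per-spoke crypto ACL mirrors the spoke's, and the
hub<->siteA crypto ACLs are mirrors that cover every spoke LAN -> siteA.
IOS entries use wildcard masks, ASA entries use subnet masks; ipaddress
accepts either form after the slash, so one parser serves both.
"""
import ipaddress
import re

# Matches "permit ip A WC B WC" (IOS) and
# "access-list NAME extended permit ip A MASK B MASK" (ASA).
_ENTRY = re.compile(
    r"(?:access-list\s+\S+\s+extended\s+)?(permit|deny)\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
)

def parse_acl(text, action="permit"):
    """Return the set of (src, dst) IPv4Network pairs with the given action."""
    flows = set()
    for line in text.strip().splitlines():
        m = _ENTRY.search(line)          # lines such as "permit ip ... any" do not match
        if m and m.group(1) == action:
            _, sa, sm, da, dm = m.groups()
            flows.add((ipaddress.ip_network(f"{sa}/{sm}", strict=False),
                       ipaddress.ip_network(f"{da}/{dm}", strict=False)))
    return flows

def mirror(flows):
    """Swap source and destination; the far end's crypto ACL must equal this."""
    return {(d, s) for s, d in flows}

def covered(flow, rules):
    """True if some rule contains both the flow's source and destination."""
    s, d = flow
    return any(s.subnet_of(rs) and d.subnet_of(rd) for rs, rd in rules)

# Config lines copied from the thread (assumptions: siteA is 10.0.0.0/24 and
# the outside_cryptomap_2 mask is read as 255.255.255.0).
SITE_A = ipaddress.ip_network("10.0.0.0/24")
SPOKE_LANS = {"siteC": ipaddress.ip_network("192.168.32.0/24"),
              "siteD": ipaddress.ip_network("192.168.33.0/24")}
SPOKE_CRYPTO = {
    "siteC": """permit ip 192.168.32.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip 192.168.32.0 0.0.0.255 10.0.0.0 0.0.0.255""",
    "siteD": """permit ip 192.168.33.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip 192.168.33.0 0.0.0.255 10.0.0.0 0.0.0.255""",
}
# IOS "ip nat inside source list NAT": the deny entries are the NAT exemptions.
SPOKE_NAT = {
    "siteC": """deny ip 192.168.32.0 0.0.0.255 192.168.8.0 0.0.0.255
deny ip 192.168.32.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.32.0 0.0.0.255 any""",
    "siteD": """deny ip 192.168.33.0 0.0.0.255 192.168.8.0 0.0.0.255
deny ip 192.168.33.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.33.0 0.0.0.255 any""",
}
HUB_CRYPTO_TO_SPOKE = {
    "siteC": """access-list outside_cryptomap_1 extended permit ip 192.168.8.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 192.168.32.0 255.255.255.0""",
    "siteD": """access-list outside_cryptomap extended permit ip 192.168.8.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.33.0 255.255.255.0""",
}
HUB_CRYPTO_TO_A = "access-list outside_cryptomap_2 extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.255.0"
SITE_A_CRYPTO = "access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0"
HUB_NONAT_ORIGINAL = """access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.33.0 255.255.255.0 10.0.0.0 255.255.255.0"""
# The two lines added on 01-22 to address point 2.
HUB_NONAT_FIX = """
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.33.0 255.255.255.0"""

def check_design(hub_nonat_text):
    """Return a list of problems; an empty list means the ACLs are consistent."""
    problems = []
    hub_nonat = parse_acl(hub_nonat_text)
    hub_to_a, a_to_hub = parse_acl(HUB_CRYPTO_TO_A), parse_acl(SITE_A_CRYPTO)
    if mirror(hub_to_a) != a_to_hub:
        problems.append("hub<->siteA crypto ACLs are not mirror images")
    for spoke, lan in SPOKE_LANS.items():
        transit = (lan, SITE_A)
        spoke_crypto = parse_acl(SPOKE_CRYPTO[spoke])
        # Condition 1: spoke side includes siteA in interesting traffic and NAT exemption.
        if not covered(transit, spoke_crypto):
            problems.append(f"{spoke}: crypto ACL lacks {lan} -> {SITE_A}")
        if not covered(transit, parse_acl(SPOKE_NAT[spoke], action="deny")):
            problems.append(f"{spoke}: NAT list does not exempt {lan} -> {SITE_A}")
        # Condition 3: hub's per-spoke crypto ACL mirrors the spoke; siteA map covers the LAN.
        if parse_acl(HUB_CRYPTO_TO_SPOKE[spoke]) != mirror(spoke_crypto):
            problems.append(f"{spoke}: hub crypto ACL is not the mirror of the spoke's")
        if not covered(transit, hub_to_a):
            problems.append(f"{spoke}: hub->siteA crypto ACL does not cover {lan}")
        # Condition 2: hub nat 0 list must exempt the transit flow in both directions.
        for src, dst in (transit, (SITE_A, lan)):
            if not covered((src, dst), hub_nonat):
                problems.append(f"hub: nat 0 list missing {src} -> {dst}")
    return problems

if __name__ == "__main__":
    for label, text in (("original", HUB_NONAT_ORIGINAL),
                        ("with 01-22 fix", HUB_NONAT_ORIGINAL + HUB_NONAT_FIX)):
        found = check_design(text)
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```

Run it as-is to see the original no-NAT list flagged and the fixed one pass; to reuse it on another hub-and-spoke design, replace the constants with your own ACL lines and extend SPOKE_LANS.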