site-to-site-to-site IPSec VPN config

pjwhitby_2 (Level 1)

Okay, I need help. I am sure my config is correct, but I am getting no joy.

I have four sites: siteA, siteB, siteC and siteD. siteC and siteD both connect to siteB via an IPsec VPN. There is no requirement for connectivity between siteC and siteD. Connectivity from siteC to siteB and from siteD to siteB is fine. siteB is also connected to siteA via an IPsec VPN, and connectivity between siteB and siteA is fine.

Now the business wants siteC and siteD to connect to siteA, and the design calls for this to happen through siteB.

So:

siteC <---|
          |
          |--->  siteB <---> siteA
          |
siteD <---|

I hope that diagram comes out okay. Now, IP addresses and config:

siteC 192.168.32.0 /24 (Cisco 1841)

siteD 192.168.33.0 /24 (Cisco 1841)

siteB 192.168.8.0 /24 (Cisco ASA 5510)

siteA 10.0.0.0 /24 (Cisco ASA 5540)

siteC

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key <something> address <siteB Peer IP> no-xauth
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map cryptomap 10 ipsec-isakmp
 description Tunnel to HQ
 set peer <siteB Peer IP>
 set transform-set ESP-AES256-SHA
 match address acl-vpn-to-hq
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
! NAT ACL: the deny lines exempt VPN-bound traffic from PAT, everything else is overloaded
ip access-list extended NAT
 deny   ip 192.168.32.0 0.0.0.255 192.168.8.0 0.0.0.255
 deny   ip 192.168.32.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.32.0 0.0.0.255 any
! interesting traffic for the tunnel to siteB, including the siteA subnet
ip access-list extended acl-vpn-to-hq
 permit ip 192.168.32.0 0.0.0.255 192.168.8.0 0.0.0.255
 permit ip 192.168.32.0 0.0.0.255 10.0.0.0 0.0.0.255

siteD

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key <something> address <siteB Peer IP> no-xauth
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map cryptomap 10 ipsec-isakmp
 description Tunnel to HQ
 set peer <siteB Peer IP>
 set transform-set ESP-AES256-SHA
 match address acl-vpn-to-hq
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
! NAT ACL: the deny lines exempt VPN-bound traffic from PAT, everything else is overloaded
ip access-list extended NAT
 deny   ip 192.168.33.0 0.0.0.255 192.168.8.0 0.0.0.255
 deny   ip 192.168.33.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.33.0 0.0.0.255 any
! interesting traffic for the tunnel to siteB, including the siteA subnet
ip access-list extended acl-vpn-to-hq
 permit ip 192.168.33.0 0.0.0.255 192.168.8.0 0.0.0.255
 permit ip 192.168.33.0 0.0.0.255 10.0.0.0 0.0.0.255

siteB

crypto isakmp policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! tunnel to siteA: carries the whole 192.168.0.0/16 (siteB, siteC, siteD) to 10.0.0.0/24
crypto map outside_map 100 match address outside_cryptomap_2
crypto map outside_map 100 set peer <siteA Peer IP>
crypto map outside_map 100 set transform-set ESP-AES-256-SHA
!
access-list outside_cryptomap_2 extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.255.0
!
! tunnel to siteC
crypto map outside_map 120 match address outside_cryptomap_1
crypto map outside_map 120 set peer <siteC Peer IP>
crypto map outside_map 120 set transform-set ESP-AES-256-SHA
!
access-list outside_cryptomap_1 extended permit ip 192.168.8.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 192.168.32.0 255.255.255.0
!
! tunnel to siteD
crypto map outside_map 140 match address outside_cryptomap
crypto map outside_map 140 set peer <siteD Peer IP>
crypto map outside_map 140 set transform-set ESP-AES-256-SHA
!
access-list outside_cryptomap extended permit ip 192.168.8.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.33.0 255.255.255.0
!
crypto map outside_map interface outside
!
! NAT exemption for VPN traffic
nat (inside) 0 access-list inside_nat0_outbound
!
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.33.0 255.255.255.0 10.0.0.0 255.255.255.0

siteA

crypto isakmp policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! tunnel to siteB: 10.0.0.0/24 to the whole 192.168.0.0/16 behind siteB
crypto map outside_map 140 match address outside_cryptomap
crypto map outside_map 140 set peer <siteB Peer IP>
crypto map outside_map 140 set transform-set ESP-AES-256-SHA
!
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
!
crypto map outside_map interface outside
!
! NAT exemption for VPN traffic
nat (inside) 0 access-list inside_nat0_outbound
!
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.0.0

I may have missed some config, but it looks complete. Any pointers or ideas?

6 Replies

andrew.prince (Level 10)

Your config is incomplete. If Site A is 10.0.0.0/24 and Sites C & D wish to access it and vice versa, three things need to happen:

1) C & D need the no-NAT and interesting ACLs to include the 10/24.

2) B needs to have the source 10.0.0.0/24 to Site C and Site D in the no-NAT list.

3) B needs to have the source 10.0.0.0/24 in the interesting ACLs for C & D (which you already have).

Thank you for your reply, it's appreciated.

1. I think this is covered with:

ip access-list extended NAT
 deny   ip 192.168.32.0 0.0.0.255 192.168.8.0 0.0.0.255
 deny   ip 192.168.32.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.32.0 0.0.0.255 any
ip access-list extended acl-vpn-to-hq
 permit ip 192.168.32.0 0.0.0.255 192.168.8.0 0.0.0.255
 permit ip 192.168.32.0 0.0.0.255 10.0.0.0 0.0.0.255

2. That's not there; I will add it tomorrow morning and test, thanks.

3. As you said, I already have that.

Thank you again.

Yeah, sorry about that. Correct, number 1 is in place (going slowly blind!).

Good, good. Let us know how you get on tomorrow!

Okay, I have added the following lines to address point 2:

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.33.0 255.255.255.0

and it still doesn't work. The offices in question are closed till Wednesday for Chinese New Year, so I will run some more tests tomorrow and post back, but so far no luck.

thanks again Andrew

Check your routing. Does Site A have routes to Site C and Site D through Site B?

The routing was fine; I found the issue:

same-security-traffic permit intra-interface

Once I entered this, traffic started flowing.

Problem solved but thanks for helping Andrew.
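Andrew's three-point checklist and the hairpin permit that finally closed the thread can be turned into a mechanical check. The script below is an added example, not code from the thread or from Cisco. It reads the siteC and siteB ACLs exactly as posted (before the fix, and then with the two additions the thread ends on), normalises IOS wildcard masks and ASA netmasks into one representation, and reports: crypto-ACL entries that are not exact mirror images across the tunnel; transit flows (spoke to siteA through the hub) that the hub's NAT-exemption ACL does not cover in both directions; and whether the hub allows traffic to enter and leave the same interface. ACL names and subnets are the thread's; the function names, the `HUB_BEFORE`/`HUB_AFTER` constants and the `audit` wrapper are my own.

```python
# Added example, not from the thread or Cisco: audits the hub-and-spoke IPsec
# checklist above. ACL names/subnets are the thread's; function names are mine.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def mask_to_prefix(mask, wildcard=False):
    """Dotted netmask (ASA) or wildcard (IOS) -> prefix length; rejects a
    non-contiguous mask such as the 255.225.255.0 typo in the thread."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF                  # 0.0.0.255 -> 255.255.255.0
    host = bits ^ 0xFFFFFFFF                # host bits must be a solid run of ones
    if host & (host + 1):
        raise ValueError(f"non-contiguous mask {mask}")
    return 32 - host.bit_length()

def parse_addr(tok, i, wildcard):
    """Consume one address spec at tok[i]: 'any', 'host X' or 'X MASK'."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    prefix = mask_to_prefix(tok[i + 1], wildcard)
    # strict network: an address with host bits set under its mask raises
    return ipaddress.ip_network(f"{tok[i]}/{prefix}"), i + 2

def parse_entry(tok, i, wildcard):
    """tok[i] is permit/deny; returns (action, src, dst) for a plain 'ip' entry."""
    if tok[i + 1] != "ip":
        raise ValueError("only 'permit|deny ip' entries handled: " + " ".join(tok))
    src, j = parse_addr(tok, i + 2, wildcard)
    dst, _ = parse_addr(tok, j, wildcard)
    return tok[i], src, dst

def parse_ios_acls(text):
    """IOS named ACLs: 'ip access-list extended NAME' followed by its entries."""
    acls, name = {}, None
    for tok in (line.split() for line in text.splitlines()):
        if tok[:3] == ["ip", "access-list", "extended"]:
            name = tok[3]
            acls.setdefault(name, [])
        elif name and tok and tok[0] in ("permit", "deny"):
            acls[name].append(parse_entry(tok, 0, wildcard=True))
    return acls

def parse_asa_acls(text):
    """ASA ACLs: each line is 'access-list NAME extended permit|deny ip ...'."""
    acls = {}
    for tok in (line.split() for line in text.splitlines()):
        if tok[:1] == ["access-list"] and tok[2:3] == ["extended"]:
            acls.setdefault(tok[1], []).append(parse_entry(tok, 3, wildcard=False))
    return acls

def mirror_mismatches(spoke_acl, hub_acl):
    """Permitted flows on one end of a tunnel that the other end does not mirror."""
    spoke = {(s, d) for a, s, d in spoke_acl if a == "permit"}
    hub = {(d, s) for a, s, d in hub_acl if a == "permit"}   # flipped to the spoke's view
    return sorted((str(s), str(d)) for s, d in spoke ^ hub)

def nonat_gaps(hub_crypto, hub_nonat, hub_lan):
    """Transit flows (neither end is the hub LAN) that the NAT-exemption ACL
    fails to cover in either direction."""
    def covered(src, dst):
        return any(a == "permit" and src.subnet_of(s) and dst.subnet_of(d)
                   for a, s, d in hub_nonat)
    return [(str(x), str(y)) for a, s, d in hub_crypto
            if a == "permit" and hub_lan not in (s, d)
            for x, y in ((s, d), (d, s)) if not covered(x, y)]

def audit(spoke_text, hub_text, spoke_acl, hub_acl, nonat_acl, hub_lan):
    spoke, hub = parse_ios_acls(spoke_text), parse_asa_acls(hub_text)
    return {
        "mirror": mirror_mismatches(spoke[spoke_acl], hub[hub_acl]),
        "nonat": nonat_gaps(hub[hub_acl], hub.get(nonat_acl, []),
                            ipaddress.ip_network(hub_lan)),
        "hairpin": "same-security-traffic permit intra-interface" in hub_text,
    }

# Site C and hub ACLs exactly as posted in the thread, before the fix.
SPOKE_C = """\
ip access-list extended acl-vpn-to-hq
 permit ip 192.168.32.0 0.0.0.255 192.168.8.0 0.0.0.255
 permit ip 192.168.32.0 0.0.0.255 10.0.0.0 0.0.0.255
"""
HUB_BEFORE = """\
access-list outside_cryptomap_1 extended permit ip 192.168.8.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 10.0.0.0 255.255.255.0
"""
# The two additions the thread ends on: Andrew's point 2 and the hairpin permit.
HUB_AFTER = HUB_BEFORE + """\
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.32.0 255.255.255.0
same-security-traffic permit intra-interface
"""

if __name__ == "__main__":
    for label, hub in (("before", HUB_BEFORE), ("after", HUB_AFTER)):
        print(label, audit(SPOKE_C, hub, "acl-vpn-to-hq", "outside_cryptomap_1",
                           "inside_nat0_outbound", "192.168.8.0/24"))
```

Run against the posted config, the "before" report has an empty mirror list (the crypto ACLs already matched, as Andrew noted), one NAT-exemption gap (10.0.0.0/24 to 192.168.32.0/24, his point 2) and hairpin false; the "after" report is clean on all three. The mirror check insists on exact equality because that is the conservative requirement for IKEv1 proxy IDs; the NAT-exemption check accepts any covering entry, since a broader no-NAT line still exempts the flow. The mask parser deliberately refuses non-contiguous masks, so a transcription error like the one in the first post is caught rather than silently parsed.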
