Two VPNs

westcare
Level 1

Scenario:

Two VPNs

VPN A is between two hospitals.

VPN B is between one of the hospitals (hospital 1) and medical Service Provider.

Objective is to allow the second hospital to access the Medical Service Provider through the first hospital's VPN B.

Equipment ASA5520 at both hospitals.

3 Replies

Marcin Latosiewicz
Cisco Employee

Hi,

Site X ---(VPN A)--- Site Y ---(VPN B)--- site Z.

You need to

1) Allow u-turn of traffic on same interface on site Y (I assume both VPNs are connected to same interface)

2) You need to make sure you allow traffic from site X to site Z in access-list for VPN A and VPN B

You need to add:

Site X : VPN A --> permit ip X Z

site Y : VPN A ---> permit ip Z X

site Y : VPN B ----> permit ip X Z

site Z : VPN B --> permit ip Z X

makes sense? :-)

Marcin
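
The four crypto ACL entries listed in the reply above, modeled as an added example that is not part of the thread: it parses ASA-style `access-list ... extended permit ip` lines for each device and reports any entry whose mirror image is missing on the tunnel peer, then checks that X -> Z is matched on both hops. The subnets, the ACL names `VPN_A`/`VPN_B` and the sample configs are constructed assumptions.

```python
import ipaddress

# Constructed subnets for sites X, Y, Z (assumptions, not values from the thread).
NET = {s: ipaddress.ip_network(n) for s, n in
       (("X", "10.1.0.0/16"), ("Y", "10.2.0.0/16"), ("Z", "10.3.0.0/16"))}
TUNNELS = {"A": ("X", "Y"), "B": ("Y", "Z")}  # tunnel -> its two endpoints

def acl(name, *flows):
    """Build constructed ASA-style crypto ACL text from (src_site, dst_site) pairs."""
    fmt = lambda n: f"{n.network_address} {n.netmask}"
    return "\n".join(f"access-list {name} extended permit ip {fmt(NET[s])} {fmt(NET[d])}" for s, d in flows)

def parse_acl(text):
    """Parse 'access-list NAME extended permit ip SRC MASK DST MASK' lines."""
    pairs = set()
    for line in text.splitlines():
        t = line.split()
        if len(t) == 9 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            pairs.add((ipaddress.ip_network(f"{t[5]}/{t[6]}"),
                       ipaddress.ip_network(f"{t[7]}/{t[8]}")))
    return pairs

def audit(configs):
    """List crypto ACL entries whose mirror image is missing on the tunnel peer."""
    problems = []
    for tunnel, (a, b) in TUNNELS.items():
        for local, remote in ((a, b), (b, a)):
            peer = parse_acl(configs[(remote, tunnel)])
            for src, dst in sorted(parse_acl(configs[(local, tunnel)])):
                if (dst, src) not in peer:
                    problems.append(f"VPN {tunnel}: site {remote} has no mirror of {src} -> {dst}")
    return problems

def transit_ok(configs):
    """True if X -> Z is matched at site X for VPN A and again at site Y for VPN B."""
    want = (NET["X"], NET["Z"])
    return want in parse_acl(configs[("X", "A")]) and want in parse_acl(configs[("Y", "B")])

# Constructed "before": site-to-site entries only, with X -> Z added at site X alone.
BEFORE = {("X", "A"): acl("VPN_A", ("X", "Y"), ("X", "Z")),
          ("Y", "A"): acl("VPN_A", ("Y", "X")),
          ("Y", "B"): acl("VPN_B", ("Y", "Z")),
          ("Z", "B"): acl("VPN_B", ("Z", "Y"))}
# Constructed "after": the four entries from the reply added on every device.
AFTER = {("X", "A"): acl("VPN_A", ("X", "Y"), ("X", "Z")),
         ("Y", "A"): acl("VPN_A", ("Y", "X"), ("Z", "X")),
         ("Y", "B"): acl("VPN_B", ("Y", "Z"), ("X", "Z")),
         ("Z", "B"): acl("VPN_B", ("Z", "Y"), ("Z", "X"))}
if __name__ == "__main__":
    print(audit(BEFORE), transit_ok(BEFORE), audit(AFTER), transit_ok(AFTER))
```
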

We tried,

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

We see the traffic in each firewall's logs. Looks like the traffic is making it around.

When we connect to the medical services from hospital A, we're successful. But no luck when we try from hospital B.

VPNs are established on outside interface for both firewalls for hospital A and hospital B. Medical services VPN is to the outside firewall of hospital B.

Medical Services is a 3rd party, we don't have access to config. We source NAT from Hospital A to Medical Services.

What I would suggest is to open a TAC case.

Someone would need to follow the packet and see what the problem is and what can be done. Solving it on the forums might take a bit too long.

Marcin