VPN connectivity between three devices

gtsesmelis
Level 1

Hi all,

 

In this scenario we have 3 Cisco devices: the 1st Cisco router is connected to the 2nd Cisco router with an IPsec site-to-site VPN, and the 2nd Cisco router is connected with an IPsec site-to-site VPN to the 3rd device, an ASA firewall.

 

    1st Router has LAN network 192.168.1.0/24 and connects to the 2nd Router's LAN through a site-to-site VPN

    2nd Router has LAN 192.168.2.0/24 and connects to both the 1st Router's and the 3rd ASA's LANs through site-to-site VPNs (middle device)

    3rd ASA FW has LAN 192.168.3.0/24 and connects to the 2nd Router's LAN through a site-to-site VPN

 

My question is: is it possible for the 1st router's network to communicate with the 3rd ASA's network by changing the config only on the 1st and 2nd routers, and how?

 

Thanks in advance.


Chris Izatt
Level 1

Sounds like you need tunnels between all end points. 

Yes, it's possible, but the solution would not be very "elegant". If you could change the config of ASA-3, there are two ways to handle it:

  1. Build a tunnel between Rtr-1 and ASA-3
  2. Extend the existing tunnels to also transport traffic from LAN1 to LAN3

Without that possibility, you can still achieve communication from LAN1 to LAN3. For that you have to:

  1. Extend the R1-R2 tunnel to also protect traffic from LAN1 to LAN3
  2. Configure RTR-2 to translate the addresses of LAN1 to an address used in LAN2
  3. Now this traffic can be sent through the tunnel between R2-ASA3

Find my comments below:

Build a tunnel between Rtr-1 and ASA-3 --> (This is not acceptable because I don't want to build a VPN between those two.)

Extend the existing tunnels to also transport traffic from LAN1 to LAN3 --> (I don't want LAN3 to know anything about LAN1.) I want something like tricking LAN3 and sending traffic from LAN1 as if it were sent from LAN2. You mention something like this...

You said:

Without that possibility, you can still achieve communication from LAN1 to LAN3. For that you have to --> (Can you give a guide on how I can achieve this? Any link maybe, or an example config.)

  1. extend the R1-R2 tunnel to also protect traffic from LAN1 to LAN3
  2. configure RTR-2 to translate the addresses of LAN1 to an address used in LAN2. --> (I tried it by using the ip nat outside command on Router 2 to translate an IP of LAN 1 to a LAN 2 address. From LAN 2 I was able to ping the new IP on LAN 2, but it doesn't allow communication with the LAN2 network, and it didn't pass anything to LAN3 as the other LAN2 IPs do.)
  3. now this traffic can be sent through the tunnel between R2-ASA3

For the NAT to work you must either:

  1. Build the VPN between R1 and R2 with VTIs instead of crypto maps.
  2. use the NAT NVI instead of traditional NAT.

The problem with traditional NAT is that the packets have to come from an "ip nat inside" interface and have to be routed to an "ip nat outside" interface. But if both VPNs are terminated on one interface, that interface can be either inside or outside, not both.

With VTIs, the tunnel-interface would be inside, and the physical interface would be outside.

With NVI, there is no inside or outside at all.
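The following is an added sample configuration illustrating the accepted approach (a VTI between R1 and R2, the unchanged crypto map to ASA-3, and NAT on R2 so LAN1 reaches LAN3 as a LAN2 address); it is not from the thread or from Cisco documentation. Assumed values: R1 WAN 203.0.113.1 and R2 WAN 203.0.113.2 on GigabitEthernet0/0, R2 LAN on GigabitEthernet0/1, ASA-3 outside 203.0.113.3, IKEv2 with a placeholder pre-shared key, a free LAN2 address 192.168.2.254 used as the PAT address, and an existing transform set ASA3-TS for the ASA tunnel.

```cisco
! Added example (not from the thread). Assumed addresses and names, see lead-in.
! Goal: LAN1 (192.168.1.0/24) reaches LAN3 (192.168.3.0/24) through R2, where it
! is translated to 192.168.2.254 so ASA-3 only ever sees a LAN2 source.
!
! ---------- R2 ----------
! IKEv2/IPsec for the R1-R2 VTI (same settings on R1, peer addresses swapped)
crypto ikev2 proposal VTI-PROP
 encryption aes-gcm-256
 prf sha256
 group 19
crypto ikev2 policy VTI-POL
 proposal VTI-PROP
crypto ikev2 keyring VTI-KEYS
 peer R1
  address 203.0.113.1
  pre-shared-key REPLACE-WITH-STRONG-PSK
crypto ikev2 profile VTI-PROF
 match identity remote address 203.0.113.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local VTI-KEYS
crypto ipsec transform-set VTI-TS esp-gcm 256
 mode tunnel
crypto ipsec profile VTI-IPSEC
 set transform-set VTI-TS
 set ikev2-profile VTI-PROF
!
! The VTI is the NAT "inside" side: LAN1 traffic arrives here already decrypted
interface Tunnel0
 ip address 10.255.255.2 255.255.255.252
 ip nat inside
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-IPSEC
!
interface GigabitEthernet0/1
 description LAN2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
! WAN: NAT "outside" and the crypto map to ASA-3 (unchanged from before)
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 crypto map ASA3-MAP
!
! Only LAN1 -> LAN3 is translated; LAN1 <-> LAN2 keeps its real addresses.
! 192.168.2.254 must not be used by any real host in LAN2 (assumption).
ip access-list extended LAN1-TO-LAN3
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ip nat pool LAN2-NAT 192.168.2.254 192.168.2.254 netmask 255.255.255.0
ip nat inside source list LAN1-TO-LAN3 pool LAN2-NAT overload
!
! Return path: after decryption and outside-to-inside NAT, packets for
! 192.168.1.0/24 are routed back into the VTI
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
! Existing R2 <-> ASA-3 crypto map, shown for context: its ACL already
! matches the translated source, so nothing on ASA-3 changes
ip access-list extended LAN2-TO-LAN3
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto map ASA3-MAP 10 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set ASA3-TS
 match address LAN2-TO-LAN3
!
! ---------- R1 ----------
! Crypto definitions mirror R2 (peer 203.0.113.2); only the VTI and routes differ
interface Tunnel0
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-IPSEC
!
! With a VTI there is no crypto ACL to extend: a route into the tunnel is
! what "protects" LAN1 -> LAN3 on the R1-R2 leg
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.3.0 255.255.255.0 Tunnel0
```

This works because IOS applies inside-to-outside NAT before the crypto map is evaluated on the outbound interface, so a packet from 192.168.1.10 to 192.168.3.10 leaves R2 as 192.168.2.254 to 192.168.3.10 and matches the R2-ASA3 crypto ACL; on the way back the packet is decrypted first and then translated from 192.168.2.254 back to 192.168.1.10 and routed into Tunnel0. Two caveats a practitioner should check: any existing internet PAT rule on R2 (for example an overload to the WAN interface) must have an ACL that excludes 192.168.3.0/24 as destination, or it will claim the LAN1 to LAN3 traffic first; and on R2, `show ip nat translations` and `show crypto ipsec sa` should show the translation entries and a matching encaps/decaps counter increase on the ASA-3 SA. Note that LAN3 hosts cannot initiate connections to specific LAN1 hosts with this PAT setup; if that is required, static one-to-one translations from free LAN2 addresses are needed instead of the overload pool.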

OK, I'll do a little search on how to implement the NAT with NVIs. I will update you if I have results.

I tried to put the ip nat enable command on both the WAN and LAN interfaces. I used ip nat outside again to NAT a LAN IP that comes from Router 1 to a LAN IP of Router 2, but it didn't give access to ASA 3.

I should mention that I didn't remove ip nat outside for the WAN and ip nat inside because it's an operational network. I don't know if this was causing the problem that it didn't work.

Could you please give me some guidance (sample config) on how to implement this scenario?