12-03-2015 08:10 AM
Hi all,
In this scenario we have 3 cisco devices: 1st Cisco Router connected to another 2nd Cisco Router with IPSEC site to site VPN and the 2nd Cisco Router is connected with IPSEC site to site to 3rd ASA firewall.
1st Router has lan network 192.168.1.0/24 that connects with 2nd Router lan through site to site VPN
2nd Router has lan 192.168.2.0/24 that connects with 1st Router & 3rd ASA lan through site to site VPN (middle device)
3rd ASA FW has lan 192.168.3.0/24 that connects with 2nd Router lan through site to site VPN
My question is: Is it possible for the 1st router's network to communicate with the 3rd ASA's network by only changing the config on the 1st and 2nd routers, and how?
Thanks in advance.
12-03-2015 09:31 AM
Yes it's possible, but the solution would not be very "elegant". If you could change the config of ASA-3 there are two ways to handle it:
Without that possibility, you still can achieve communication from LAN1 to LAN3. For that you have to:
12-03-2015 08:21 AM
Sounds like you need tunnels between all end points.
12-03-2015 02:25 PM
Find my comments below:
Build a tunnel between Rtr-1 and ASA-3 --> (This is not acceptable because I don't want to build a VPN between those two.)
Extend the existing tunnels to also transport traffic from LAN1 to LAN3 --> (I don't want LAN3 to know anything about LAN1.) I want something that tricks LAN3 by sending traffic from LAN1 as if it were sent from LAN2. You mentioned something like this...
You said:
Without that possibility, you still can achieve communication from LAN1 to LAN3. For that you have to --> (Can you give a guide on how I can achieve this? Any link maybe, or an example config.)
12-03-2015 02:37 PM
For the NAT to work you must either:
The problem with traditional NAT is that the packets have to come from an "ip nat inside" interface and have to be routed to an "ip nat outside" interface. But if both VPNs are terminated on one interface, these can be either inside or outside.
With VTIs, the tunnel-interface would be inside, and the physical interface would be outside.
With NVI, there is no inside or outside at all.
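An added illustration of the NVI layout described in this reply (not a config from the thread or from Cisco): Router-2 translates LAN1 sources to a spare LAN2 address before the ASA-3 tunnel, so ASA-3 only ever sees 192.168.2.0/24. Interface names, ACL numbers, the crypto map name and the pool address 192.168.2.250 are assumptions.

```cisco
! Router-2 (the middle device). Both site-to-site tunnels terminate on Gi0/0.
!
! --- Why the classic inside/outside model does not fit here ---
! A packet from LAN1 is decrypted on Gi0/0 and re-encrypted on Gi0/0, so it
! never crosses an "ip nat inside" -> "ip nat outside" boundary and an
! "ip nat inside source" rule is never consulted for it.
!
! --- NVI: no NAT domains, translation is keyed on the ACL only ---
! Do not leave "ip nat inside"/"ip nat outside" on these interfaces; the two
! NAT models are configured separately, not mixed on one interface.
interface GigabitEthernet0/0
 description WAN - tunnels to Router-1 and ASA-3 (assumed name)
 ip nat enable
 crypto map VPN
!
interface GigabitEthernet0/1
 description LAN2 192.168.2.0/24 (assumed name)
 ip address 192.168.2.1 255.255.255.0
 ip nat enable
!
! Only the LAN1 -> LAN3 flow is translated; LAN1 <-> LAN2 traffic is untouched.
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! One spare LAN2 address, all LAN1 hosts PAT'ed (overload) behind it.
ip nat pool LAN1-AS-LAN2 192.168.2.250 192.168.2.250 netmask 255.255.255.0
ip nat source list 110 pool LAN1-AS-LAN2 overload
!
! Crypto ACLs: only Router-1 and Router-2 change. ASA-3 keeps its existing
! 192.168.2.0/24 <-> 192.168.3.0/24 entry, since it only sees 192.168.2.250.
!
! Router-2, tunnel to Router-1: carry the still-untranslated LAN1 <-> LAN3 flow.
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Router-2, tunnel to ASA-3: the post-NAT source is already inside 192.168.2.0/24.
access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! Router-1 mirror image of ACL 120 (its side of the Router-1 <-> Router-2 tunnel):
! access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! Verification: "show ip nat nvi translations" should list 192.168.1.x -> 192.168.2.250
! entries, and "show crypto ipsec sa" should show the 192.168.1.0/24 <-> 192.168.3.0/24
! SA toward Router-1 and only 192.168.2.0/24 <-> 192.168.3.0/24 toward ASA-3.
```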
12-03-2015 02:48 PM
OK, I'll do a little search on how to implement the NAT with NVIs. I will update you if I have results.
12-15-2015 12:57 AM
I tried to put the ip nat enable command on both the WAN and LAN interfaces. I used ip nat outside again to NAT a LAN IP that comes from Router 1 to a LAN IP of Router 2, but it didn't give access to ASA 3.
I should mention that I didn't remove ip nat outside on the WAN and ip nat inside on the LAN, because it's an operational network. I don't know if this was causing the problem that it didn't work.
Could you please give me some guidance (sample config) on how to implement this scenario?