
ASA1 -> VPN -> ASA2 -> Local LAN -> ASA3 -> VPN-B -> ASA4

j.williams
Level 1

ASA1 -> VPN -> ASA2 -> Local LAN -> ASA3 -> VPN-B -> ASA4.

That's about the easiest way I could think of to explain it. I have two ASAs (ASA2 and ASA3) in my data-center. Obviously ASA1 and ASA4 are remote sites. ASA3 is new, and I want to use it to create a tunnel (VPN-B) to ASA4, and I want traffic from ASA1 to be able to get there.

The current working layout *without* ASA3 is: ASA1 -> VPN -> ASA2 -> VPN-B -> ASA4, where both remote site tunnels terminate in the same ASA (ASA2) in my datacenter. This is no longer desired.

I can kill the old VPN-B tunnel from ASA2 no problem, and terminate it instead to ASA3. Likewise, I have no problem passing traffic along the Local LAN between the two ASAs (inside interface). My assumption was that doing this, and then adding a route to ASA2 pointing traffic destined for ASA4 to go via ASA3 (route inside 10.64.0.0 255.192.0.0 10.1.8.250) would be sufficient, but no go.

My guess is something is funky with NAT rules, but they shouldn't change, because everything stays inside. ACLs for the tunnels both include the appropriate permit statements for the appropriate subnets.

Thoughts? Suggestions?

Thanks.

3 Replies

nkarthikeyan
Level 7

Hi Jayme,

What is the VPN you are using here... Site to Site or RA VPN? Did you do the NAT exempt and ACL permitting Remote Site 1 traffic in ASA2 and ASA3 to reach ASA4 for Remote Site B?

Please do rate if the given information helps.

By

Karthik

Using Site to Site (type ipsec-l2l).

ASA2 and ASA3 both have NAT exemptions for the traffic.

ACLs are also set for the traffic on both crypto maps and interface.

Hi Jayme,

When you send traffic (e.g. a continuous ping) from remote LAN 1 to remote LAN 4, check the encrypt and decrypt counters in "show crypto ipsec sa" on all 4 ASAs. This should give you an idea of where things go wrong (e.g. if ASA2 shows the decrypt counter increasing but ASA3 shows encrypt not increasing, then traffic is not reaching ASA3 or is being dropped by ASA3).

BTW, you mentioned adding a route on ASA2 pointing to ASA3 (for destinations behind ASA4). Did you do the reverse as well, i.e. does ASA3 have a route to destinations behind ASA1, via ASA2?

hth

Herbert
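The counter walk Herbert describes, written out as a small Python helper (an added example, not code from the thread or from Cisco): take a "show crypto ipsec sa" snapshot on each of the four ASAs before and after the continuous ping, then walk the chain in the order the counters should move (ASA1 encrypt, ASA2 decrypt, ASA3 encrypt, ASA4 decrypt) and stop at the first box whose counter did not increase. The same walk in reverse covers the return path, which is where a missing ASA3 route back to the ASA1 LAN via ASA2 would show up. The ASA names, the counter values and the "#pkts encrypt/decrypt" excerpts below are constructed sample data; the parser only relies on the counter line format of the real command.

```python
import re
from typing import Dict, List, Tuple

# Only the per-SA counter lines of "show crypto ipsec sa" matter here:
#     #pkts encaps: 110, #pkts encrypt: 110, #pkts digest: 110
#     #pkts decaps: 90, #pkts decrypt: 90, #pkts verify: 90
COUNTER_RE = re.compile(r"#pkts (encrypt|decrypt): (\d+)")


def parse_counters(show_output: str) -> Dict[str, int]:
    """Sum encrypt/decrypt counters across every SA in one ASA's dump."""
    totals = {"encrypt": 0, "decrypt": 0}
    for direction, count in COUNTER_RE.findall(show_output):
        totals[direction] += int(count)
    return totals


# Which counter must move on which box, hop by hop, for ping traffic
# from the LAN behind ASA1 to the LAN behind ASA4 (forward) and for the
# echo replies coming back (return). ASA2 only decrypts on the forward
# path because it hands the cleartext to ASA3 over the local LAN.
PATHS: Dict[str, List[Tuple[str, str]]] = {
    "forward": [("ASA1", "encrypt"), ("ASA2", "decrypt"),
                ("ASA3", "encrypt"), ("ASA4", "decrypt")],
    "return": [("ASA4", "encrypt"), ("ASA3", "decrypt"),
               ("ASA2", "encrypt"), ("ASA1", "decrypt")],
}

# What a stalled counter at each hop usually means (hypothetical hints that
# restate the thread's reasoning; they are not Cisco diagnostics).
HINTS: Dict[Tuple[str, str], str] = {
    ("forward", "ASA1"): "ASA1 never encrypts: its crypto ACL or routing does not send the ping into the tunnel to ASA2.",
    ("forward", "ASA2"): "ASA1 encrypts but ASA2 does not decrypt: packets are not arriving over the ASA1-ASA2 tunnel.",
    ("forward", "ASA3"): "ASA2 decrypts but ASA3 does not encrypt: traffic is not reaching ASA3 over the local LAN or ASA3 drops it (check ASA2's inside route towards ASA3, and ASA3's crypto ACL and NAT exemption).",
    ("forward", "ASA4"): "ASA3 encrypts but ASA4 does not decrypt: packets are not arriving over VPN-B.",
    ("return", "ASA4"): "ASA4 never encrypts a reply: either the ping never got there (trace the forward path first) or ASA4 is not sending the return traffic into VPN-B.",
    ("return", "ASA3"): "ASA4 encrypts but ASA3 does not decrypt: replies are not arriving over VPN-B.",
    ("return", "ASA2"): "ASA3 decrypts the reply but ASA2 does not encrypt it: ASA3 is missing the route back to the ASA1 LAN via ASA2, or ASA2's crypto ACL/NAT exemption does not cover the return traffic.",
    ("return", "ASA1"): "ASA2 encrypts but ASA1 does not decrypt: replies are not arriving over the ASA2-ASA1 tunnel.",
}


def locate_break(before: Dict[str, str], after: Dict[str, str],
                 path: str = "forward") -> str:
    """Return the first ASA on the path whose expected counter did not grow, or 'none'."""
    for asa, direction in PATHS[path]:
        delta = (parse_counters(after[asa])[direction]
                 - parse_counters(before[asa])[direction])
        if delta <= 0:
            return asa
    return "none"


def explain(before: Dict[str, str], after: Dict[str, str], path: str = "forward") -> str:
    hop = locate_break(before, after, path)
    if hop == "none":
        return "all %s-path counters increased" % path
    return "%s path stalls at %s: %s" % (path, hop, HINTS[(path, hop)])


def sa_block(encrypt: int, decrypt: int) -> str:
    """Build a constructed counter excerpt in the real command's line format."""
    return ("    #pkts encaps: {e}, #pkts encrypt: {e}, #pkts digest: {e}\n"
            "    #pkts decaps: {d}, #pkts decrypt: {d}, #pkts verify: {d}\n"
            ).format(e=encrypt, d=decrypt)


# Constructed snapshots: ASA1 sent 10 pings, ASA2 decrypted them, and nothing
# moved on ASA3 or ASA4, which is the symptom described in the thread.
BEFORE = {"ASA1": sa_block(100, 100), "ASA2": sa_block(100, 100),
          "ASA3": sa_block(50, 50), "ASA4": sa_block(50, 50)}
AFTER = {"ASA1": sa_block(110, 100), "ASA2": sa_block(100, 110),
         "ASA3": sa_block(50, 50), "ASA4": sa_block(50, 50)}

if __name__ == "__main__":
    print(explain(BEFORE, AFTER, "forward"))
    print(explain(BEFORE, AFTER, "return"))
```

In practice you paste each box's full "show crypto ipsec sa" output into the before/after dictionaries; summing over all SAs keeps the check independent of how many crypto ACL entries the tunnel has. Run the forward path first, since a forward break makes the return counters stall at ASA4 for lack of anything to reply to.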