comms between 2 VPN tunnels via an ASA 7.x

Jul 4th, 2007

Hi Everyone,


We have a setup on an ASA with two IPsec tunnels: one to Site A (10.0.1.x) and one to Site B (10.0.2.x). Incidentally, the head office where the ASA is located is 10.0.0.x. We now need to set it up so that Site A can communicate with Site B.

I have carried out some investigation and I know that I need to use the same-security-traffic permit intra-interface command to allow traffic to come in and out of the same interface, but I still can't get things to work.

I configured both sites of the tunnel for Site A and Site B to allow traffic from 10.0.1.x to 10.0.x.x and 10.0.2.x to 10.0.x.x.

Actually, here is the config; does anyone have any ideas?? Would really appreciate it as I am running around in circles....



same-security-traffic permit intra-interface

access-list acl-outside extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list acl-outside extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list acl-outside remark --- Permit Inbound access from Site A ---
access-list acl-outside extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list acl-outside remark --- Permit Inbound access from Site B ---
access-list acl-outside extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.0.0

access-list acl-inside remark --- Permit Outbound Access to Site A ---
access-list acl-inside extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list acl-inside remark --- Permit Outbound Access to Site B ---
access-list acl-inside extended permit ip 10.0.0.0 255.255.0.0 10.0.2.0 255.255.255.0

access-list vpn-siteA remark --- Encrypt traffic to Site A ---
access-list vpn-siteA extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list vpn-siteB remark --- Encrypt traffic to Site B ---
access-list vpn-siteB extended permit ip 10.0.0.0 255.255.0.0 10.0.2.0 255.255.255.0

access-list inside_nat0_outbound remark --- NONAT for Site A ---
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound remark --- NONAT for Site B ---
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.2.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
access-group acl-outside in interface outside
access-group acl-inside in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map outside_map 20 match address vpn-siteA
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 25 match address vpn-siteB
crypto map outside_map 25 set peer x.x.x.x
crypto map outside_map 25 set transform-set ESP-3DES-SHA
crypto map outside_map 25 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

acomiskey Wed, 07/04/2007 - 17:27

It looks like you may need to add the interesting traffic for the communication between the remote LANs.

access-list vpn-siteA extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list vpn-siteB extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0


acomiskey Thu, 07/05/2007 - 05:03

You will also need to add the interesting traffic to the ACLs at the remote sites as well.

SiteA needs...

access-list extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

SiteB needs...

access-list extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
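The thread turns on two questions: which crypto ACL (and therefore which tunnel) a spoke-to-spoke flow such as 10.0.1.x to 10.0.2.x lands in on the hub ASA, and whether each branch's crypto ACL is the exact mirror of the hub's entry for that peer. The following checker is an added example written for this page; it is not code from the thread or from Cisco. It parses the `access-list NAME extended permit ip SRC MASK DST MASK` form used above, applies first-match semantics in crypto-map sequence order, and verifies mirror symmetry between peers. The ACL text embedded in it is constructed: the hub entries are the ones posted here plus the spoke-to-spoke entries the reply suggests (with /24 masks for the branch LANs), and the branch ACL named `vpn-hq` is a hypothetical mirror of what the question describes. Note that with the posted /16 source prefix the hub entries already cover the reverse branch-to-branch direction, so the coverage check passes on the hub as posted; it is the mirror check against the branch side that exposes a missing or mis-masked entry.

```python
import ipaddress
import re

# Constructed sample: hub ASA crypto ACLs as posted in the thread, plus the
# spoke-to-spoke entries suggested in the reply (written with /24 masks).
ASA_CRYPTO_ACLS = """
access-list vpn-siteA remark --- Encrypt traffic to Site A ---
access-list vpn-siteA extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list vpn-siteA extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list vpn-siteB remark --- Encrypt traffic to Site B ---
access-list vpn-siteB extended permit ip 10.0.0.0 255.255.0.0 10.0.2.0 255.255.255.0
access-list vpn-siteB extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
"""

# Hypothetical branch-side crypto ACL for Site A (name 'vpn-hq' is assumed):
# its own /24 towards the head-office /16, plus the mirror of the new hub entry.
SITE_A_CRYPTO_ACL = """
access-list vpn-hq extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list vpn-hq extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
"""

# Crypto-map sequence order from the posted config: 20 = siteA, 25 = siteB.
CRYPTO_MAP_ORDER = ["vpn-siteA", "vpn-siteB"]

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)


def parse_acls(text):
    """Parse 'extended permit|deny ip A MASK B MASK' entries into
    {acl_name: [(action, src_net, dst_net), ...]} in configured order.
    Remarks and entries in other syntax (host/any/ports) are skipped."""
    acls = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        # strict=False normalises a mask that does not align with the address
        # (e.g. 10.0.2.0 255.255.0.0 becomes 10.0.0.0/16), which is exactly the
        # kind of typo the mirror check below is meant to surface.
        src = ipaddress.ip_network(f"{g['src']}/{g['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{g['dst']}/{g['dmask']}", strict=False)
        acls.setdefault(g["name"], []).append((g["action"], src, dst))
    return acls


def first_match(entries, src_ip, dst_ip):
    """First-match semantics: action of the first ACE covering the flow,
    or None for the implicit deny at the end of the ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return None


def crypto_map_for(acls, order, src_ip, dst_ip):
    """Name of the first crypto ACL (in crypto-map sequence order) whose permit
    entry matches the flow, i.e. the tunnel the ASA would encrypt it into.
    None means the flow is not interesting traffic and leaves in the clear."""
    for name in order:
        if first_match(acls.get(name, []), src_ip, dst_ip) == "permit":
            return name
    return None


def mirrored(local_entries, remote_entries):
    """True when every permit ACE on one peer has an exact mirror (src and dst
    swapped, identical prefixes) on the other. Asymmetric crypto ACLs are a
    classic cause of SAs that fail to build or only pass traffic one way."""
    remote = {(s, d) for a, s, d in remote_entries if a == "permit"}
    return all((d, s) in remote for a, s, d in local_entries if a == "permit")


if __name__ == "__main__":
    hub = parse_acls(ASA_CRYPTO_ACLS)
    site_a = parse_acls(SITE_A_CRYPTO_ACL)["vpn-hq"]
    for flow in [("10.0.1.10", "10.0.2.10"), ("10.0.2.10", "10.0.1.10")]:
        print(flow, "->", crypto_map_for(hub, CRYPTO_MAP_ORDER, *flow))
    print("hub/siteA mirrored:", mirrored(hub["vpn-siteA"], site_a)
          and mirrored(site_a, hub["vpn-siteA"]))
```

Run it against a `show run access-list` dump from each peer to see where a flow is dropped from the interesting-traffic definition; the parser deliberately ignores `host`/`any`/port forms, so extend `ACE_RE` if your ACLs use them.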

