comms between 2 VPN tunnels via an ASA 7.x

MrFlibbleuk
Level 1

Hi Everyone,

We have a setup on an ASA with two IPsec tunnels: one to Site A (10.0.1.x) and one to Site B (10.0.2.x). Incidentally, Head Office, where the ASA is located, is 10.0.0.x. We now need to set it up so that Site A can communicate with Site B.

I have carried out some investigation and I know that I need to use the same-security-traffic permit intra-interface command to allow traffic to come in and out of the same interface, but I still can't get things to work.

I configured both sites of the tunnel for Site A and Site B to allow traffic from 10.0.1.x to 10.0.x.x, 10.0.2.x to 10.0.x.x.

Actually, here is the config. Does anyone have any ideas? I would really appreciate it, as I am running around in circles...

same-security-traffic permit intra-interface
access-list acl-outside extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list acl-outside extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list acl-outside remark --- Permit Inbound access from Site A ---
access-list acl-outside extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list acl-outside remark --- Permit Inbound access from Site B ---
access-list acl-outside extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list acl-inside remark --- Permit Outbound Access to Site A ---
access-list acl-inside extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list acl-inside remark --- Permit Outbound Access to Site B ---
access-list acl-inside extended permit ip 10.0.0.0 255.255.0.0 10.0.2.0 255.255.255.0
access-list vpn-siteA remark --- Encrypt traffic to Site A ---
access-list vpn-siteA extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list vpn-siteB remark --- Encrypt traffic to Site B ---
access-list vpn-siteB extended permit ip 10.0.0.0 255.255.0.0 10.0.2.0 255.255.255.0
access-list inside_nat0_outbound remark --- NONAT for Site A ---
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound remark --- NONAT for Site B ---
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
access-group acl-outside in interface outside
access-group acl-inside in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map outside_map 20 match address vpn-siteA
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 25 match address vpn-siteB
crypto map outside_map 25 set peer x.x.x.x
crypto map outside_map 25 set transform-set ESP-3DES-SHA
crypto map outside_map 25 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

3 Replies

acomiskey
Level 10

It looks like you may need to add the interesting traffic for the communication between the remote LANs.

access-list vpn-siteA extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list vpn-siteB extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

You will also need to add the interesting traffic to the ACLs at the remote sites as well.

Site A needs...

access-list extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

Site B needs...

access-list extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

Yeah worked a treat mate.

Cheers
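The reply above boils down to a symmetry rule: for spoke-to-spoke traffic hairpinned through the hub, the hub's crypto ACL for the tunnel toward the destination spoke must select the flow on the way out, and the originating spoke's own crypto ACL must select it on the way in, with mirror entries on the other side. The following checker is an added example, not part of the thread and not Cisco or ASA code; it parses ASA-style `access-list NAME extended permit ip` lines and reports which entries are still missing. The hub lines are the ones posted in the question; the spoke ACL name `toHub` and its contents are constructed. It also flags the easy-to-miss mistake of pairing an address like 10.0.2.0 with the mask 255.255.0.0, which the ASA silently widens to 10.0.0.0/16.

```python
"""Crypto ACL ("interesting traffic") coverage checker for a hub-and-spoke ASA setup.

Added example for this thread, not ASA code. Hub ACL lines are those from the
question; spoke ACL names/contents are constructed.
"""
import re
from ipaddress import ip_network

# access-list NAME extended permit ip SRC SMASK DST DMASK  (remarks are ignored)
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+"
    r"(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})"
)


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]}.
    strict=False mirrors the ASA, which accepts host bits and just applies the mask."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ip_network(f"{src}/{smask}", strict=False),
                 ip_network(f"{dst}/{dmask}", strict=False)))
    return acls


def mask_warnings(config):
    """Flag entries whose address has host bits set under its mask,
    e.g. '10.0.2.0 255.255.0.0', which the ASA treats as 10.0.0.0/16."""
    warnings = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        for addr, mask in ((src, smask), (dst, dmask)):
            try:
                ip_network(f"{addr}/{mask}")  # strict: raises when host bits are set
            except ValueError:
                warnings.append(f"{name}: {addr} {mask} has host bits set")
    return warnings


def covered(entries, src, dst):
    """True if some (s, d) entry contains the whole src -> dst flow."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def missing_spoke_to_spoke(hub_acls, spokes):
    """spokes: {site: {"net": network, "hub_acl": hub crypto ACL name, "acl": entries}}.
    Returns one line per crypto ACL entry that is still needed."""
    missing = []
    for s in sorted(spokes):
        for d in sorted(spokes):
            if s == d:
                continue
            snet, dnet = spokes[s]["net"], spokes[d]["net"]
            # Hub: the crypto map entry toward d must encrypt s -> d as it hairpins out.
            if not covered(hub_acls.get(spokes[d]["hub_acl"], []), snet, dnet):
                missing.append(f"hub {spokes[d]['hub_acl']}: permit ip {snet} {dnet}")
            # Spoke s: its own crypto ACL must select s -> d into its tunnel to the hub.
            # The mirror entries are checked when the loop reaches (d, s).
            if not covered(spokes[s]["acl"], snet, dnet):
                missing.append(f"{s}: permit ip {snet} {dnet}")
    return missing


# Hub crypto ACLs exactly as posted in the question.
HUB_CONFIG = """
access-list vpn-siteA extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list vpn-siteB extended permit ip 10.0.0.0 255.255.0.0 10.0.2.0 255.255.255.0
"""
# Constructed spoke crypto ACLs: each spoke only selects traffic to the head-office LAN.
SITE_A_BEFORE = "access-list toHub extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0"
SITE_B_BEFORE = "access-list toHub extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0"
# The spoke lines the reply calls for, with /24 masks on both ends.
SITE_A_AFTER = SITE_A_BEFORE + "\naccess-list toHub extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0"
SITE_B_AFTER = SITE_B_BEFORE + "\naccess-list toHub extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0"


def check(site_a_config, site_b_config, hub_config=HUB_CONFIG):
    """Run the checker for the two spokes in the thread against a hub config."""
    hub = parse_acls(hub_config)
    spokes = {
        "siteA": {"net": ip_network("10.0.1.0/24"), "hub_acl": "vpn-siteA",
                  "acl": parse_acls(site_a_config).get("toHub", [])},
        "siteB": {"net": ip_network("10.0.2.0/24"), "hub_acl": "vpn-siteB",
                  "acl": parse_acls(site_b_config).get("toHub", [])},
    }
    return missing_spoke_to_spoke(hub, spokes)


if __name__ == "__main__":
    print("before:", check(SITE_A_BEFORE, SITE_B_BEFORE))
    print("after: ", check(SITE_A_AFTER, SITE_B_AFTER))
    print(mask_warnings("access-list x extended permit ip 10.0.2.0 255.255.0.0 10.0.1.0 255.255.255.0"))
```

Two things the checker makes visible. First, because the hub entries in the question use a 10.0.0.0/16 source, which already contains 10.0.2.0/24 and 10.0.1.0/24, the hub side is reported as covered and only the two spoke entries come back as missing; the explicit /24 hub lines in the reply are what you need when the hub ACLs are written with the head-office /24 instead (pass such a hub config to `check` and it lists exactly those two lines). Second, `mask_warnings` catches the address/mask mismatch that would otherwise widen an entry to the whole 10.0.0.0/16 without any error from the ASA.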
