Forwarding between VPN Tunnels in Cisco ASA

Answered Question
Apr 14th, 2009

Hi Experts,

I have a situation where I need to configure forwarding between two VPN tunnels terminated in the same ASA box. One VPN tunnel will carry the incoming traffic, and this traffic needs to be sent down the other VPN tunnel in the ASA. Both VPN tunnels are coming in from the Internet and are talking to the same peer IP in the ASA.

To detail it,

Tunnel A
  Source: 192.168.1.0/25
  Destination: 10.1.1.0/25
  Local peer: 170.252.100.20 (ASA in question)
  Remote peer: 144.36.255.254

Tunnel B
  Source: 192.168.1.0/25
  Destination: 10.1.1.0/25
  Local peer IP: 170.252.100.20 (ASA box in question)
  Remote peer IP: 195.75.75.1

Can this be achieved? What configurations are needed in the ASA apart from the crypto ACL entries?

Thanks in advance for your time.

Correct Answer by Ivan Martinon about 7 years 9 months ago

Thought so. In that case your config is right, and you can avoid using routes on your ASA since it should route based on its default gateway. Be sure to have the proper nonat rules in place and the same-security-interface permit inter-interface statement that you need.

Ivan Martinon Tue, 04/14/2009 - 06:34

Are you saying that this tunnel should receive traffic, say, from Tunnel A and forward the reply on Tunnel B? If that is the case, this is not possible; only one tunnel will be used at a time.

acomiskey Tue, 04/14/2009 - 07:22

This is absolutely possible... but if I were you I would make the remote networks unique.

Ivan Martinon Tue, 04/14/2009 - 07:34

For your specific scenario where both sources for tunnel A and B are the same, you can't unless you use some sort of NAT.

cannan.ilangova... Tue, 04/14/2009 - 07:53

How about this configuration for the scenario in question...

In the Cisco ASA where both VPNs terminate:

interface GigabitEthernet0/0
 nameif Untrust
 security-level 0
 ip address 170.252.100.20 255.255.255.248
!
! Crypto ACLs referenced by the crypto map entries below.
! Entry 1 covers Point B -> Point A traffic, entry 2 covers Point A -> Point B traffic.
access-list pointAToCiscoASA_Traffic extended permit ip 10.1.1.0 255.255.255.128 192.168.1.0 255.255.255.128
access-list CiscoASAtopointB_Traffic extended permit ip 192.168.1.0 255.255.255.128 10.1.1.0 255.255.255.128
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map Untrust_map 1 match address pointAToCiscoASA_Traffic
crypto map Untrust_map 1 set peer 144.36.255.254
crypto map Untrust_map 1 set transform-set ESP-3DES-MD5
crypto map Untrust_map 2 match address CiscoASAtopointB_Traffic
crypto map Untrust_map 2 set peer 195.75.75.1
crypto map Untrust_map 2 set transform-set ESP-3DES-MD5
crypto map Untrust_map interface Untrust
!
! Decrypted traffic from one tunnel leaves through the same Untrust interface
! towards the other tunnel; the ASA only permits that with this statement.
same-security-traffic permit intra-interface

<-- This is the interesting part... I am routing the packets towards the tunnels' remote peer IPs. As the ASA will know to use the VPN tunnels to reach the peer IPs, I believe it will send the traffic down the appropriate VPN tunnels -->

route Untrust 10.1.1.0 255.255.255.128 195.75.75.1
route Untrust 192.168.1.0 255.255.255.128 144.36.255.254
!
tunnel-group 144.36.255.254 type ipsec-l2l
tunnel-group 144.36.255.254 ipsec-attributes
 pre-shared-key *
tunnel-group 195.75.75.1 type ipsec-l2l
tunnel-group 195.75.75.1 ipsec-attributes
 pre-shared-key *

Ivan Martinon Tue, 04/14/2009 - 08:03

I am confused. Are you saying that 192.168.1.0/24 and 10.1.1.0/25 are remote to the ASA, meaning the ASA does not have any of those locally on any interface? So what you are trying to do is to pass from Tunnel A to Tunnel B using the ASA as a hub only?

Tell me something: in your scenario, do both remote sites (A and B) have the same IP addresses? For example, do both have 192.168.1.0 or 10.1.1.0, or do both have different IP addresses?

cannan.ilangova... Tue, 04/14/2009 - 08:20

Sorry for the confusion... let me try to clear it up...

You are correct in your understanding... the Cisco ASA will only be the hub... it will have neither of the subnets locally... and I am just trying to pass the traffic from Tunnel A to Tunnel B...

Point A will have the subnet 192.168.1.0 as its local subnet and Point B will have the subnet 10.1.1.0 as its local subnet...
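To show how the ASA picks a tunnel from the crypto map posted above, and why Ivan's caveat about both sites using the same subnets means only one tunnel would ever be used, here is a small Python model added as an illustration (not code from any poster in this thread). It walks crypto map entries in sequence order the way the ASA does and flags entries whose crypto ACLs overlap; CRYPTO_MAP, SAME_SUBNETS_MAP and the function names are constructed for this example.

```python
import ipaddress

# Constructed model of the crypto map from the thread. Each entry is
# (sequence, crypto ACL as a list of (source_net, destination_net), peer).
# The ASA evaluates entries in sequence order: the first crypto ACL that
# matches a packet's source/destination selects the peer (tunnel), and
# later entries are never consulted for that packet.
CRYPTO_MAP = [
    (1, [("10.1.1.0/25", "192.168.1.0/25")], "144.36.255.254"),  # pointAToCiscoASA_Traffic
    (2, [("192.168.1.0/25", "10.1.1.0/25")], "195.75.75.1"),     # CiscoASAtopointB_Traffic
]

def select_peer(src_ip, dst_ip, crypto_map=CRYPTO_MAP):
    """Return the peer of the first crypto map entry matching (src, dst), or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _seq, acl, peer in sorted(crypto_map, key=lambda e: e[0]):
        for src_net, dst_net in acl:
            if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
                return peer
    return None

def shadowed_entries(crypto_map=CRYPTO_MAP):
    """Return (lower_seq, higher_seq) pairs whose crypto ACLs overlap.

    Any flow matching both is always encrypted to the lower-sequence peer, so
    the higher-sequence tunnel never carries it: Ivan's 'only one tunnel' case.
    """
    entries = sorted(crypto_map, key=lambda e: e[0])
    found = []
    for i, (seq_a, acl_a, _) in enumerate(entries):
        for seq_b, acl_b, _ in entries[i + 1:]:
            if any(ipaddress.ip_network(sa).overlaps(ipaddress.ip_network(sb))
                   and ipaddress.ip_network(da).overlaps(ipaddress.ip_network(db))
                   for sa, da in acl_a for sb, db in acl_b):
                found.append((seq_a, seq_b))
    return found

# Constructed variant: both remote sites use the same subnet pair, so the two
# crypto ACLs are identical and entry 2 is shadowed by entry 1.
SAME_SUBNETS_MAP = [
    (1, [("10.1.1.0/25", "192.168.1.0/25")], "144.36.255.254"),
    (2, [("10.1.1.0/25", "192.168.1.0/25")], "195.75.75.1"),
]

if __name__ == "__main__":
    print(select_peer("192.168.1.10", "10.1.1.10"))   # Point A -> Point B leaves via tunnel B
    print(select_peer("10.1.1.10", "192.168.1.10"))   # the reply leaves via tunnel A
    print(shadowed_entries())                          # [] : the posted ACLs do not overlap
    print(shadowed_entries(SAME_SUBNETS_MAP))          # [(1, 2)]
```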

