Forwarding between VPN Tunnels in Cisco ASA

Answered Question
Apr 14th, 2009

Hi Experts,


I have a situation where I need to configure forwarding between two VPN tunnels terminated on the same ASA box. One VPN tunnel will carry the incoming traffic, and this traffic needs to be sent down the other VPN tunnel on the ASA. Both VPN tunnels come in from the Internet and terminate on the same peer IP on the ASA.


To detail it,


Tunnel A

source: 192.168.1.0/25

Destination: 10.1.1.0/25

Local peer: 170.252.100.20 (ASA in question)

Remote Peer: 144.36.255.254


Tunnel B

Source: 192.168.1.0/25

Destination: 10.1.1.0/25

Local Peer IP: 170.252.100.20 (ASA box in question)

Remote Peer IP: 195.75.75.1


Can this be achieved? what configurations are needed in the ASA apart from the crypto ACL entries?


Thanks in advance for your time.

Ivan Martinon Tue, 04/14/2009 - 06:34
User Badges:
  • Cisco Employee,

Are you saying that this tunnel should receive traffic, say, from tunnel A and forward the reply on tunnel B? If that is the case, this is not possible; only one tunnel will be used at a time.

acomiskey Tue, 04/14/2009 - 07:22
User Badges:
  • Green, 3000 points or more

This is absolutely possible...but if I were you I would make the remote networks unique.

Ivan Martinon Tue, 04/14/2009 - 07:34
User Badges:
  • Cisco Employee,

For your specific scenario where both sources for tunnel A and B are the same, you can't unless you use some sort of NAT.

cannan.ilangova... Tue, 04/14/2009 - 07:53

how about this configuration for the scenario in question...


In the Cisco ASA where both the VPNs terminate..


interface G0/0
 nameif Untrust
 ip address 170.252.100.20 255.255.255.248

access-list pointAToCiscoASA_Traffic extended permit ip 10.1.1.0 255.255.255.128 192.168.1.0 255.255.255.128
access-list CiscoASAtopointB_Traffic extended permit ip 192.168.1.0 255.255.255.128 10.1.1.0 255.255.255.128

crypto map Untrust_map 1 match address pointAToCiscoASA_Traffic
crypto map Untrust_map 1 set peer 144.36.255.254
crypto map Untrust_map 1 set transform-set ESP-3DES-MD5

crypto map Untrust_map 2 match address CiscoASAtopointB_Traffic
crypto map Untrust_map 2 set peer 195.75.75.1
crypto map Untrust_map 2 set transform-set ESP-3DES-MD5

<-- This is the interesting part... I am routing the packets towards the tunnels' remote peer IPs. As the ASA will know to use the VPN tunnels to reach the peer IPs, I believe it will send the traffic down the appropriate VPN tunnels -->

route Untrust 10.1.1.0 255.255.255.128 195.75.75.1
route Untrust 192.168.1.0 255.255.255.128 144.36.255.254

tunnel-group 144.36.255.254 type ipsec-l2l
tunnel-group 144.36.255.254 ipsec-attributes
 pre-shared-key *

tunnel-group 195.75.75.1 type ipsec-l2l
tunnel-group 195.75.75.1 ipsec-attributes
 pre-shared-key *


Ivan Martinon Tue, 04/14/2009 - 08:03
User Badges:
  • Cisco Employee,

I am confused. Are you saying that 192.168.1.0/24 and 10.1.1.0/25 are remote to the ASA, meaning the ASA does not have any of those locally on any interface? So what you are trying to do is to pass from tunnel A to tunnel B using the ASA as a hub only?


Tell me something, in your scenario, both ip remote sites (A and B) have the same ip address? for example both have 192.168.1.0 or 10.1.1.0? or both have different ip addresses?

cannan.ilangova... Tue, 04/14/2009 - 08:20

sorry for the confusion...let me try to clear it...


You are correct in your understanding... the Cisco ASA will only be the hub... it will have neither of the subnets locally... and I am just trying to pass the traffic from Tunnel A to Tunnel B...


Point A will have the subnet 192.168.1.0 as local subnet and Point B will have the subnet 10.1.1.0 as local subnet...



Correct Answer
Ivan Martinon Tue, 04/14/2009 - 08:29
User Badges:
  • Cisco Employee,

Thought so. In that case your config is right, and you can avoid using routes on your ASA since it should route based on its default gateway. Be sure to have the proper nonat rules in place and the same-security-interface permit inter-interface statement that you need.
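The accepted answer names the two pieces the posted config still lacks without spelling them out. As an added example, not part of the original thread, the fragment below is a minimal ASA 8.2-era hub configuration that puts them together: the hairpin permission (the actual command is `same-security-traffic permit intra-interface`, needed because the decrypted traffic enters and leaves the same Untrust interface), a NAT exemption for the two subnets in pre-8.3 syntax, the single default route the answer suggests instead of per-peer static routes, and the crypto map bound to the interface. The peer IPs, subnets, ACL names and crypto map name come from the thread; the security level, the default gateway 170.252.100.17, the NONAT ACL name, the ISAKMP policy and the transform-set definition are assumptions for illustration.

```cisco
! Added example (not from the original thread): ASA 8.2-style hub that
! hairpins site A (192.168.1.0/25) <-> site B (10.1.1.0/25) through Untrust.
! Gateway 170.252.100.17, security-level, NONAT name, ISAKMP policy and
! the transform-set definition are assumed for illustration.
interface GigabitEthernet0/0
 nameif Untrust
 security-level 0
 ip address 170.252.100.20 255.255.255.248
!
! One default route is enough: both peers and both remote subnets are
! reached via the Untrust gateway, so no per-subnet routes to peer IPs.
route Untrust 0.0.0.0 0.0.0.0 170.252.100.17 1
!
! Decrypted packets from tunnel A must leave through the interface they
! arrived on. Without this the ASA drops the hairpinned traffic.
same-security-traffic permit intra-interface
!
! Crypto ACLs are mirror images: a flow decrypted under seq 1 (peer A)
! matches seq 2 (peer B) on the way back out, and vice versa.
access-list pointAToCiscoASA_Traffic extended permit ip 10.1.1.0 255.255.255.128 192.168.1.0 255.255.255.128
access-list CiscoASAtopointB_Traffic extended permit ip 192.168.1.0 255.255.255.128 10.1.1.0 255.255.255.128
!
! NAT exemption (pre-8.3 syntax). Only matters if nat-control or other NAT
! rules on Untrust would otherwise translate the site-to-site traffic.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.128 10.1.1.0 255.255.255.128
access-list NONAT extended permit ip 10.1.1.0 255.255.255.128 192.168.1.0 255.255.255.128
nat (Untrust) 0 access-list NONAT
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map Untrust_map 1 match address pointAToCiscoASA_Traffic
crypto map Untrust_map 1 set peer 144.36.255.254
crypto map Untrust_map 1 set transform-set ESP-3DES-MD5
crypto map Untrust_map 2 match address CiscoASAtopointB_Traffic
crypto map Untrust_map 2 set peer 195.75.75.1
crypto map Untrust_map 2 set transform-set ESP-3DES-MD5
! The map does nothing until it is applied to the interface.
crypto map Untrust_map interface Untrust
!
crypto isakmp enable Untrust
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 144.36.255.254 type ipsec-l2l
tunnel-group 144.36.255.254 ipsec-attributes
 pre-shared-key *****
tunnel-group 195.75.75.1 type ipsec-l2l
tunnel-group 195.75.75.1 ipsec-attributes
 pre-shared-key *****
```

Why this works: a packet from 192.168.1.x to 10.1.1.x arrives encrypted from 144.36.255.254, is accepted because it matches the mirror of seq 1's ACL, is routed by the default route back out Untrust, and there matches seq 2's ACL, so it is encrypted toward 195.75.75.1; the reply takes the same path in reverse through seq 1. This relies on the two remote subnets being distinct, as pointed out earlier in the thread: if both sites used the same range, the two crypto ACLs would overlap and the first matching sequence would always win, which is why policy NAT would be required in that case. The spoke ASAs need the opposite crypto ACLs (site A: 192.168.1.0/25 to 10.1.1.0/25, peer 170.252.100.20; site B: 10.1.1.0/25 to 192.168.1.0/25, peer 170.252.100.20). Note the 3DES/MD5 settings are kept only to match the thread; on a current deployment prefer AES and SHA-2 and IKEv2 syntax (9.x `crypto ikev2`, 8.3+ `nat` object syntax).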
