Cascaded VPN

Unanswered Question
Oct 3rd, 2010

I have two networks to connect via VPN, as shown in this picture:


The rules are:

Client on LAN A must be able to connect to server on LAN C

Making a VPN between Firewall A and Firewall B is not a problem

Client must not connect to any host on LAN B, except for the outside interface of Firewall C.

How can I set up such a system, considering that I have control over all three firewalls?

I've thought of making a VPN between Firewall A and B, then a VLAN between Firewall B and Firewall C.

Is there any better way to do that?



Jitendriya Athavale Sun, 10/03/2010 - 10:19
User Badges: Cisco Employee

That should not be a problem at all.

Just terminate the VPN on the site B firewall, and keep the interesting traffic (crypto ACL) as from net A to net C, or from net A to the PATed IP of net C on Firewall C.

Within net C, if you do not want a few hosts to access net A, you can use a VPN filter or deny them in the NAT exempt, as you cannot have a deny in a crypto ACL.

eg ------- A ------- B ------- C

VPN traffic - from to on the site A firewall

VPN traffic - from to on the site B firewall

If you want the access to be for a NATed host on Firewall C, use that instead of in the VPN traffic.

Hope this helps.

Namit Agarwal Sun, 10/03/2010 - 10:51
User Badges: Cisco Employee

Hi,

I am assuming that the connectivity from Firewall B to LAN C is established and that Firewall B has routes for LAN C. Now we can establish a tunnel between Firewall A and Firewall B, and the interesting traffic for this tunnel will be between A and C. On Firewall A the interesting traffic for the tunnel will be A to C, and on Firewall B the interesting traffic will be C to A. So now, when we initiate traffic on the A side for destination C, it goes into the tunnel. If we initiate traffic for destination B, the traffic will not go into the tunnel, and LAN A cannot access LAN B.
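Both replies rely on the same mechanism: the crypto ACL (interesting traffic) on each peer decides what enters the tunnel, the two ACLs must be mirror images, a crypto ACL cannot hold a deny, and per-host exclusions go in a VPN filter or as a deny in the NAT-exempt ACL. The following is an added model of that logic, written for this page and not code from the thread or from Cisco; the addresses (LAN A 10.1.0.0/24, LAN B 10.2.0.0/24, LAN C 10.3.0.0/24, Firewall C outside 10.2.0.254, Firewall B outside 203.0.113.2) are assumptions, and the VPN-filter alternative is not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the thread's topology (assumptions, not from the post).
LAN_A = ip_network("10.1.0.0/24")            # behind Firewall A
LAN_B = ip_network("10.2.0.0/24")            # behind Firewall B; hosts Firewall C's outside
LAN_C = ip_network("10.3.0.0/24")            # behind Firewall C
FW_C_OUTSIDE = ip_network("10.2.0.254/32")   # Firewall C outside interface, on LAN B
FW_B_OUTSIDE_IP = ip_address("203.0.113.2")  # LAN C is PATed to this when not NAT-exempt


class Ace:
    """One access-list entry: action plus source and destination networks."""

    def __init__(self, action, src, dst):
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        self.action = action
        self.src = ip_network(src)
        self.dst = ip_network(dst)

    def matches(self, src_ip, dst_ip):
        return ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst


def first_match(acl, src_ip, dst_ip):
    """Cisco ACL semantics: first matching entry wins, implicit deny if none match."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace
    return None


def crypto_acl(entries):
    """Build a crypto ACL. As the first reply says, it cannot carry a deny,
    so refuse one here instead of silently ignoring it."""
    acl = [Ace(a, s, d) for a, s, d in entries]
    if any(e.action == "deny" for e in acl):
        raise ValueError("crypto ACL must contain only permit entries")
    return acl


def egress_decision(acl, src_ip, dst_ip):
    """'tunnel' if the crypto ACL selects the flow, otherwise 'clear' (routed unencrypted)."""
    return "tunnel" if first_match(acl, src_ip, dst_ip) else "clear"


def is_mirror(acl_local, acl_remote):
    """The two peers' crypto ACLs are the IKE phase 2 proxy IDs and must be exact
    mirror images; a mismatch is the classic reason a tunnel negotiates but carries
    no traffic (or fails phase 2 outright)."""
    return {(e.src, e.dst) for e in acl_local} == {(e.dst, e.src) for e in acl_remote}


# Firewall A: LAN A -> LAN C and LAN A -> Firewall C's outside interface only.
ACL_A = crypto_acl([("permit", LAN_A, LAN_C), ("permit", LAN_A, FW_C_OUTSIDE)])
# Firewall B: the mirror image.
ACL_B = crypto_acl([("permit", LAN_C, LAN_A), ("permit", FW_C_OUTSIDE, LAN_A)])

# NAT-exempt ACL on Firewall B. The deny for 10.3.0.10 is the other trick from the
# first reply: that host is not exempted, so it is PATed to B's outside address and
# the post-NAT source no longer matches the crypto ACL.
NAT_EXEMPT_B = [
    Ace("deny", "10.3.0.10/32", LAN_A),
    Ace("permit", LAN_C, LAN_A),
    Ace("permit", FW_C_OUTSIDE, LAN_A),
]


def outbound_on_b(src_ip, dst_ip):
    """Firewall B order of operations for an outbound packet: NAT first, then the
    crypto map is matched on the post-NAT addresses. Returns (decision, source after NAT)."""
    exempt = first_match(NAT_EXEMPT_B, src_ip, dst_ip)
    if exempt is not None and exempt.action == "permit":
        translated = str(ip_address(src_ip))
    else:
        translated = str(FW_B_OUTSIDE_IP)
    return egress_decision(ACL_B, translated, dst_ip), translated


def check_policy():
    """The three requirements from the question, evaluated against Firewall A's ACL."""
    client = "10.1.0.5"
    return (
        egress_decision(ACL_A, client, "10.3.0.20") == "tunnel",   # server on LAN C
        egress_decision(ACL_A, client, "10.2.0.254") == "tunnel",  # Firewall C outside
        egress_decision(ACL_A, client, "10.2.0.33") == "clear",    # any other LAN B host
    )


if __name__ == "__main__":
    print("policy:", check_policy(), "mirror:", is_mirror(ACL_A, ACL_B))
    print("10.3.0.20 ->", outbound_on_b("10.3.0.20", "10.1.0.5"))
    print("10.3.0.10 ->", outbound_on_b("10.3.0.10", "10.1.0.5"))
```

Note that "clear" for a LAN B destination means the packet is simply not encrypted by Firewall A; it is routed like any other non-VPN traffic and, since 10.2.0.0/24 is private and unreachable across the Internet, it goes nowhere. The tunnel itself never carries it, which is what the question asks for. The `is_mirror` check is the one worth running first when a cascaded setup like this passes no traffic: a one-entry difference between the two crypto ACLs (for example, forgetting the Firewall C outside-interface entry on one side) is enough to break phase 2.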
