ASA 5500 as an IPSec forwarder

Answered Question
Aug 3rd, 2012

Dear,


I want to use ASA B as a forwarder between ASA A and ASA C so that intranet A is connected securely to intranet C, something like:

intranet A <-- ASA A --> internet <-- ASA B --> internet <-- ASA C --> intranet C

because connections between A and B and between B and C are good, but connections between A and C are bad.

I just completed the IPSec settings between A and B and between B and C, but how should I tell ASA A, B, and C to work like this?

Thanks a lot.

Karsten Iwen Fri, 08/03/2012 - 05:10

In this scenario it's all about configuring the right IPSec-proxy-IDs (crypto-ACLs):


If A, B and C are the networks behind each ASA, then you need the following crypto ACLs:

ASA A:

access-list VPN-AtoB permit ip A B
access-list VPN-AtoB permit ip A C

ASA B:

access-list VPN-BtoA permit ip B A
access-list VPN-BtoA permit ip C A

access-list VPN-BtoC permit ip B C
access-list VPN-BtoC permit ip A C

ASA C:

access-list VPN-CtoB permit ip C B
access-list VPN-CtoB permit ip C A

nkarthikeyan Fri, 08/03/2012 - 05:12

Hi Ling,


All you need is to allow the VPN traffic between A and C. As I can say, you need to permit the VPN ports bidirectionally, since the path is ASA A to ASA C via ASA B and ASA C to ASA A via ASA B. So, for example, if ASA A is trying to establish IPSEC traffic with ASA C on ports UDP 500 and 4500, then ASA B should not block anything, to allow the IPSEC traffic. If it is blocking... then there will be an issue...


Please do rate if the given information helps.


By


Karthik

gamecompany Fri, 08/03/2012 - 06:37

Thanks for all the answers, but it is not working.

The common settings on all ASAs are:

object-group network intra_asa550530
 network-object 192.168.30.0 255.255.255.0
object-group network intra_asa550550
 network-object 192.168.50.0 255.255.255.0
object-group network intra_asa550570
 network-object 192.168.70.0 255.255.255.0

and the settings on ASA A (50):

access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550530
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 1.1.30.5
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside

on ASA B (30, the forwarder):

access-list encrypt_acl50 extended permit ip object-group intra_asa550530 object-group intra_asa550550
access-list encrypt_acl70 extended permit ip object-group intra_asa550530 object-group intra_asa550570
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSec_map 50 match address encrypt_acl50
crypto map IPSec_map 50 set peer 1.1.50.5
crypto map IPSec_map 50 set transform-set myset
crypto map IPSec_map 70 match address encrypt_acl70
crypto map IPSec_map 70 set peer 1.1.70.5
crypto map IPSec_map 70 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside

on ASA C (70):

access-list encrypt_acl extended permit ip object-group intra_asa550570 object-group intra_asa550530
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 1.1.30.5
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside

I can ping from B to A and from B to C with these settings; then I add the following:

on ASA A (50), allow from A to C:

access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550570

on ASA B (30, the forwarder), allow from C to A and from A to C:

access-list encrypt_acl50 extended permit ip object-group intra_asa550570 object-group intra_asa550550
access-list encrypt_acl70 extended permit ip object-group intra_asa550550 object-group intra_asa550570

on ASA C (70), allow from C to A:

access-list encrypt_acl extended permit ip object-group intra_asa550570 object-group intra_asa550550

but it is still not working.

Correct Answer
Karsten Iwen Fri, 08/03/2012 - 06:48

Do you have routing entries for all remote networks in place? Has ASA B hairpinning enabled?

"same-security-traffic permit intra-interface"
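Added example, not code from the thread or from Cisco: a small Python model of the two checks that decide whether the hub relays a spoke-to-spoke packet, the crypto ACL (proxy ID) lookups from Karsten's first answer and the intra-interface hairpin from the accepted answer. The networks are taken from the object-groups posted above; the ASA names and crypto map entry numbers are assumptions.

```python
import ipaddress

# Constructed from the object-groups in the thread: A = 192.168.50.0/24 (ASA A),
# B = 192.168.30.0/24 (ASA B, the hub), C = 192.168.70.0/24 (ASA C).
NET_A = ipaddress.ip_network("192.168.50.0/24")
NET_B = ipaddress.ip_network("192.168.30.0/24")
NET_C = ipaddress.ip_network("192.168.70.0/24")

# Crypto maps as {asa: [(entry, peer, crypto ACL as [(src, dst), ...])]},
# following the proxy IDs in Karsten's answer (entry numbers are assumed).
CRYPTO_MAPS = {
    "ASA-A": [("10", "ASA-B", [(NET_A, NET_B), (NET_A, NET_C)])],
    "ASA-B": [("50", "ASA-A", [(NET_B, NET_A), (NET_C, NET_A)]),
              ("70", "ASA-C", [(NET_B, NET_C), (NET_A, NET_C)])],
    "ASA-C": [("10", "ASA-B", [(NET_C, NET_B), (NET_C, NET_A)])],
}

def egress_entry(asa, src, dst):
    """Crypto map entry (name, peer) whose ACL permits src->dst, else None."""
    for name, peer, acl in CRYPTO_MAPS[asa]:
        if any(src in s and dst in d for s, d in acl):
            return name, peer
    return None

def ingress_ok(asa, peer, src, dst):
    """A packet decrypted from `peer` must match that peer's ACL in reverse."""
    return any(p == peer and any(dst in s and src in d for s, d in acl)
               for _, p, acl in CRYPTO_MAPS[asa])

def hub_forward(src_ip, dst_ip, from_peer, intra_interface, hub="ASA-B"):
    """Fate of a spoke-to-spoke packet reaching the hub over the tunnel from `from_peer`."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not ingress_ok(hub, from_peer, src, dst):
        return "drop: decrypted packet does not match the inbound proxy ID"
    out = egress_entry(hub, src, dst)
    if out is None:
        return "drop: no crypto map entry re-encrypts this flow"
    # The packet entered on 'outside' and must leave on 'outside' again,
    # which the ASA refuses unless intra-interface traffic is permitted.
    if not intra_interface:
        return "drop: outside->outside hairpin needs same-security-traffic permit intra-interface"
    return f"forward: re-encrypt via entry {out[0]} to {out[1]}"

def spoke_to_spoke(src_ip, dst_ip, first_hop, intra_interface):
    """Full path: the spoke must select an SA toward the hub before the hub can relay."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if egress_entry(first_hop, src, dst) is None:
        return f"drop: {first_hop} has no crypto ACL entry for this flow"
    return hub_forward(src_ip, dst_ip, first_hop, intra_interface)
```

Run with `intra_interface=False` to reproduce the symptom in the thread: both spokes' ACLs match, yet the hub drops the flow because it would have to re-enter the outside interface.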

gamecompany Sun, 08/05/2012 - 20:39

Thanks Karsten!! The trick is same-security-traffic permit intra-interface!!
