08-03-2012 03:58 AM - edited 02-21-2020 06:14 PM
Dear,
I want to use ASA B as a forwarder between ASA A and ASA C so that intranet A is connected securely to intranet C, something like:
intranet A <-- ASA A --> internet <-- ASA B --> internet <-- ASA C --> intranet C
because the connections between A and B and between B and C are good, but the connection between A and C is bad.
I have just completed the IPsec settings between A and B and between B and C, but how should I tell ASA A, B, and C to work like this?
thanks a lot.
08-03-2012 05:10 AM
In this scenario it's all about configuring the right IPSec-proxy-IDs (crypto-ACLs):
If A, B and C are the networks behind each ASA, then you need the following crypto ACLs:
ASA A:
access-list VPN-AtoB permit ip A B
access-list VPN-AtoB permit ip A C
ASA B:
access-list VPN-BtoA permit ip B A
access-list VPN-BtoA permit ip C A
access-list VPN-BtoC permit ip B C
access-list VPN-BtoC permit ip A C
ASA C:
access-list VPN-CtoB permit ip C B
access-list VPN-CtoB permit ip C A
08-03-2012 05:12 AM
Hi Ling,
All you need is to allow the VPN traffic between A and C. As I can say, you need to permit the VPN ports bidirectionally, since ASA A reaches ASA C via ASA B and ASA C reaches ASA A via ASA B. So, for example, if ASA A is trying to establish IPsec traffic with ASA C on ports udp/500 and udp/4500, then ASA B should not block anything, in order to allow the IPsec traffic. If it is blocking, then there will be an issue.
Please do rate if the given information helps.
By
Karthik
08-03-2012 06:37 AM
Thanks for all the answers, but it is not working.
The common settings on all ASAs are:
object-group network intra_asa550530
network-object 192.168.30.0 255.255.255.0
object-group network intra_asa550550
network-object 192.168.50.0 255.255.255.0
object-group network intra_asa550570
network-object 192.168.70.0 255.255.255.0
and the settings on ASA A (50):
access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550530
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 1.1.30.5
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside
on ASA B (30, the forwarder):
access-list encrypt_acl50 extended permit ip object-group intra_asa550530 object-group intra_asa550550
access-list encrypt_acl70 extended permit ip object-group intra_asa550530 object-group intra_asa550570
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSec_map 50 match address encrypt_acl50
crypto map IPSec_map 50 set peer 1.1.50.5
crypto map IPSec_map 50 set transform-set myset
crypto map IPSec_map 70 match address encrypt_acl70
crypto map IPSec_map 70 set peer 1.1.70.5
crypto map IPSec_map 70 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside
on ASA C (70):
access-list encrypt_acl extended permit ip object-group intra_asa550570 object-group intra_asa550530
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 1.1.30.5
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside
With these settings I can ping from B to A and from B to C. Then I add the following:
on ASA A (50), allow from A to C:
access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550570
on ASA B (30, the forwarder), allow from C to A and from A to C:
access-list encrypt_acl50 extended permit ip object-group intra_asa550570 object-group intra_asa550550
access-list encrypt_acl70 extended permit ip object-group intra_asa550550 object-group intra_asa550570
on ASA C (70), allow from C to A:
access-list encrypt_acl extended permit ip object-group intra_asa550570 object-group intra_asa550550
but it is still not working.
08-03-2012 06:48 AM
Do you have routing entries for all remote networks in place? Has ASA B hairpinning enabled?
"same-security-traffic permit intra-interface"
08-05-2012 08:39 PM
Thanks Karsten!! The trick is same-security-traffic permit intra-interface!!
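Putting Karsten's crypto-ACL scheme (the mirrored proxy-IDs in his first answer) and the final fix together, here is the complete set of relevant lines for the hub (ASA B) and one spoke (ASA A), using the addresses and object-group names from Ling's posts. This is an added example assembled from the thread, not a config any participant posted; the ISAKMP policy, the tunnel-group/pre-shared-key lines, the placeholder key names and the NAT-exemption ACL are assumptions the thread never shows, written in the pre-8.3 syntax that matches the `crypto ipsec transform-set` form used above.

```cisco
! ===== ASA B (hub, outside 1.1.30.5, intranet 192.168.30.0/24) =====
! Same-interface hairpinning: traffic from spoke A that must go on to
! spoke C is decrypted on "outside" and re-encrypted out of "outside".
! Without this line the ASA drops it, which is what Ling observed.
same-security-traffic permit intra-interface
!
object-group network intra_asa550530
 network-object 192.168.30.0 255.255.255.0
object-group network intra_asa550550
 network-object 192.168.50.0 255.255.255.0
object-group network intra_asa550570
 network-object 192.168.70.0 255.255.255.0
!
! Crypto ACL toward spoke A: hub-to-A plus the forwarded C-to-A leg.
access-list encrypt_acl50 extended permit ip object-group intra_asa550530 object-group intra_asa550550
access-list encrypt_acl50 extended permit ip object-group intra_asa550570 object-group intra_asa550550
! Crypto ACL toward spoke C: hub-to-C plus the forwarded A-to-C leg.
access-list encrypt_acl70 extended permit ip object-group intra_asa550530 object-group intra_asa550570
access-list encrypt_acl70 extended permit ip object-group intra_asa550550 object-group intra_asa550570
!
! ISAKMP policy and pre-shared keys: ASSUMED, not shown in the thread.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.1.50.5 type ipsec-l2l
tunnel-group 1.1.50.5 ipsec-attributes
 pre-shared-key <psk-for-spoke-A>
tunnel-group 1.1.70.5 type ipsec-l2l
tunnel-group 1.1.70.5 ipsec-attributes
 pre-shared-key <psk-for-spoke-C>
!
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map IPSec_map 50 match address encrypt_acl50
crypto map IPSec_map 50 set peer 1.1.50.5
crypto map IPSec_map 50 set transform-set myset
crypto map IPSec_map 70 match address encrypt_acl70
crypto map IPSec_map 70 set peer 1.1.70.5
crypto map IPSec_map 70 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside

! ===== ASA A (spoke, outside 1.1.50.5, intranet 192.168.50.0/24) =====
! A has a single peer (the hub), so one crypto ACL carries both
! destinations. Its entries must be the exact mirror of encrypt_acl50
! on the hub, otherwise Phase 2 fails with a proxy-ID mismatch.
access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550530
access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550570
!
! NAT exemption (ASSUMED, pre-8.3 syntax): the other spoke's network
! must be exempt as well, or packets for 192.168.70.0/24 get PATed to
! the outside address and never match the crypto ACL.
access-list nonat extended permit ip object-group intra_asa550550 object-group intra_asa550530
access-list nonat extended permit ip object-group intra_asa550550 object-group intra_asa550570
nat (inside) 0 access-list nonat
!
tunnel-group 1.1.30.5 type ipsec-l2l
tunnel-group 1.1.30.5 ipsec-attributes
 pre-shared-key <psk-for-spoke-A>
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 1.1.30.5
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside
! ASA C is identical to ASA A with 50 and 70 swapped.
```

To check it, `show crypto ipsec sa peer 1.1.50.5` on the hub should list two local/remote proxy pairs once a host in A has pinged a host in B and one in C, and `packet-tracer input outside icmp 192.168.50.10 8 0 192.168.70.10` on the hub should end with an allow and an egress interface of outside; if it fails at the routing or "same-security" check, hairpinning is still off. The outside interface ACL is not consulted for the decrypted traffic as long as `sysopt connection permit-vpn` is left at its default. Note that with this design the hub decrypts and re-encrypts every A-to-C packet, so both spokes are trusting the hub with their cleartext; that is inherent to using B as a forwarder.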