ASA 5500 as an IPSec forwarder

gamecompany (Level 1)

Dear all,

I want to use ASA B as a forwarder between ASA A and ASA C so that intranet A is securely connected to intranet C, something like:

intranet A <-- ASA A --> internet <-- ASA B --> internet <-- ASA C --> intranet C

because the connections between A and B and between B and C are good, but the connection between A and C is bad.

I have just completed the IPSec settings between A and B and between B and C, but how should I tell ASA A, B, and C to work like this?

Thanks a lot.

5 Replies

In this scenario it's all about configuring the right IPSec-proxy-IDs (crypto-ACLs):

If A, B and C are the networks behind each ASA, then you need the following crypto ACLs:

ASA A:

access-list VPN-AtoB permit ip A B

access-list VPN-AtoB permit ip A C

ASA B:

access-list VPN-BtoA permit ip B A

access-list VPN-BtoA permit ip C A

access-list VPN-BtoC permit ip B C

access-list VPN-BtoC permit ip A C

ASA C:

access-list VPN-CtoB permit ip C B

access-list VPN-CtoB permit ip C A

nkarthikeyan (Level 7)

Hi Ling,

All you need is to allow the VPN traffic between A and C. As I can say, you need to permit the VPN ports bidirectionally, since ASA A reaches ASA C via ASA B and ASA C reaches ASA A via ASA B. So, for example, if ASA A is trying IPSEC traffic with ASA C on ports udp 500 and 4500, then ASA B should not block anything, to allow the IPSEC traffic. If it is blocking... then there will be an issue...

Please do rate if the given information helps.

By

Karthik

gamecompany (Level 1)

Thanks for all the answers, but it is not working.

The common settings on all ASAs are:

object-group network intra_asa550530

network-object 192.168.30.0 255.255.255.0

object-group network intra_asa550550

network-object 192.168.50.0 255.255.255.0

object-group network intra_asa550570

network-object 192.168.70.0 255.255.255.0

And the settings on ASA A (50):

access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550530

crypto map IPSec_map 10 match address encrypt_acl

crypto map IPSec_map 10 set peer 1.1.30.5

crypto map IPSec_map 10 set transform-set myset

crypto map IPSec_map interface outside

crypto isakmp enable outside

On ASA B (30, the forwarder):

access-list encrypt_acl50 extended permit ip object-group intra_asa550530 object-group intra_asa550550

access-list encrypt_acl70 extended permit ip object-group intra_asa550530 object-group intra_asa550570

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map IPSec_map 50 match address encrypt_acl50

crypto map IPSec_map 50 set peer 1.1.50.5

crypto map IPSec_map 50 set transform-set myset

crypto map IPSec_map 70 match address encrypt_acl70

crypto map IPSec_map 70 set peer 1.1.70.5

crypto map IPSec_map 70 set transform-set myset

crypto map IPSec_map interface outside

crypto isakmp enable outside

On ASA C (70):

access-list encrypt_acl extended permit ip object-group intra_asa550570 object-group intra_asa550530

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map IPSec_map 10 match address encrypt_acl

crypto map IPSec_map 10 set peer 1.1.30.5

crypto map IPSec_map 10 set transform-set myset

crypto map IPSec_map interface outside

crypto isakmp enable outside

I can ping from B to A and from B to C with these settings; then I add the following:

On ASA A (50), allow from A to C:

access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550570

On ASA B (30, the forwarder), allow from C to A and from A to C:

access-list encrypt_acl50 extended permit ip object-group intra_asa550570 object-group intra_asa550550

access-list encrypt_acl70 extended permit ip object-group intra_asa550550 object-group intra_asa550570

On ASA C (70), allow from C to A:

access-list encrypt_acl extended permit ip object-group intra_asa550570 object-group intra_asa550550

But it is still not working.

Do you have routing entries for all remote networks in place? Has ASA B hairpinning enabled?

"same-security-traffic permit intra-interface"

Thanks, Karsten!! The trick is same-security-traffic permit intra-interface!!
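To tie the earlier point about mirrored crypto ACLs (proxy IDs) together with the accepted answer about hairpinning, here is an added example (mine, not from this thread or from Cisco): a small Python checker that parses the object-groups, crypto ACLs, crypto map entries and the same-security-traffic line from the configs posted above, expands each crypto map entry into concrete proxy IDs, verifies that each spoke's proxy IDs toward ASA B are the exact mirror of B's proxy IDs toward that spoke, and flags transit flows on the hub when intra-interface traffic is not permitted. The sample configs are constructed from the thread's posts; the outside addresses (A = 1.1.50.5, B = 1.1.30.5, C = 1.1.70.5) are inferred from the set peer lines and are an assumption, and the parser covers only the handful of statements the thread uses.

```python
import ipaddress
import re


def parse_asa(text):
    """Parse the subset of ASA syntax used in this thread (added example; assumes each
    network-object line follows its object-group line). Returns concrete proxy IDs
    per peer plus whether intra-interface hairpinning is permitted."""
    groups, acls, cmaps = {}, {}, {}
    hairpin, group = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"object-group network (\S+)$", line):
            group = m[1]
            groups[group] = []
        elif m := re.match(r"network-object (\S+) (\S+)$", line):
            groups[group].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)$", line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"crypto map \S+ (\d+) match address (\S+)$", line):
            cmaps.setdefault(int(m[1]), {})["acl"] = m[2]
        elif m := re.match(r"crypto map \S+ (\d+) set peer (\S+)$", line):
            cmaps.setdefault(int(m[1]), {})["peer"] = m[2]
        elif line == "same-security-traffic permit intra-interface":
            hairpin = True
    # Expand each crypto map entry into (src, dst) network pairs keyed by its peer.
    by_peer = {}
    for entry in cmaps.values():
        pairs = by_peer.setdefault(entry["peer"], set())
        for sg, dg in acls.get(entry["acl"], []):
            pairs.update((s, d) for s in groups[sg] for d in groups[dg])
    return {"proxy_ids": by_peer, "hairpin": hairpin}


def check_tunnel(name_a, cfg_a, ip_a, name_b, cfg_b, ip_b):
    """Proxy IDs on A toward peer B must be the exact mirror of B's toward peer A;
    any one-sided entry will never bring up (or will reject) that IPsec SA."""
    a_ids = cfg_a["proxy_ids"].get(ip_b, set())
    mirrored = {(d, s) for s, d in cfg_b["proxy_ids"].get(ip_a, set())}
    findings = [f"{name_a}: {s} -> {d} has no mirror on {name_b}"
                for s, d in sorted(a_ids - mirrored, key=str)]
    findings += [f"{name_b}: {d} -> {s} has no mirror on {name_a}"
                 for s, d in sorted(mirrored - a_ids, key=str)]
    return findings


def check_hub(name, cfg):
    """A flow whose source is itself a remote network enters and leaves the hub on the
    same (outside) interface, which the ASA drops unless hairpinning is permitted."""
    remote = {d for ids in cfg["proxy_ids"].values() for _, d in ids}
    transit = {(s, d) for ids in cfg["proxy_ids"].values() for s, d in ids if s in remote}
    if transit and not cfg["hairpin"]:
        return [f"{name}: {len(transit)} transit flow(s) but hairpinning is not enabled"]
    return []


# Constructed from the configs posted in the thread (final, working state).
COMMON = """
object-group network intra_asa550530
 network-object 192.168.30.0 255.255.255.0
object-group network intra_asa550550
 network-object 192.168.50.0 255.255.255.0
object-group network intra_asa550570
 network-object 192.168.70.0 255.255.255.0
"""
ASA_A = COMMON + """
access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550530
access-list encrypt_acl extended permit ip object-group intra_asa550550 object-group intra_asa550570
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 1.1.30.5
"""
ASA_B = COMMON + """
access-list encrypt_acl50 extended permit ip object-group intra_asa550530 object-group intra_asa550550
access-list encrypt_acl50 extended permit ip object-group intra_asa550570 object-group intra_asa550550
access-list encrypt_acl70 extended permit ip object-group intra_asa550530 object-group intra_asa550570
access-list encrypt_acl70 extended permit ip object-group intra_asa550550 object-group intra_asa550570
crypto map IPSec_map 50 match address encrypt_acl50
crypto map IPSec_map 50 set peer 1.1.50.5
crypto map IPSec_map 70 match address encrypt_acl70
crypto map IPSec_map 70 set peer 1.1.70.5
same-security-traffic permit intra-interface
"""
ASA_C = COMMON + """
access-list encrypt_acl extended permit ip object-group intra_asa550570 object-group intra_asa550530
access-list encrypt_acl extended permit ip object-group intra_asa550570 object-group intra_asa550550
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 1.1.30.5
"""


def audit(asa_a=ASA_A, asa_b=ASA_B, asa_c=ASA_C):
    """Outside addresses are assumed from the 'set peer' lines: A=1.1.50.5, B=1.1.30.5, C=1.1.70.5."""
    a, b, c = parse_asa(asa_a), parse_asa(asa_b), parse_asa(asa_c)
    return (check_tunnel("ASA A", a, "1.1.50.5", "ASA B", b, "1.1.30.5")
            + check_tunnel("ASA C", c, "1.1.70.5", "ASA B", b, "1.1.30.5")
            + check_hub("ASA B", b))


if __name__ == "__main__":
    for line in audit() or ["all proxy IDs mirrored, hub hairpinning enabled"]:
        print(line)
```

Running it against the thread's final configs reports nothing; dropping the same-security-traffic line from ASA B reproduces the "still not working" state as a hairpinning finding, and dropping the A-to-C ACE from ASA A shows the one-sided proxy ID on B that would never match.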