×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

L - L VPN routing via alternative tunnel.. mesh?

Answered Question
Nov 1st, 2013
User Badges:

Hi All


We have an L - L IPSEC tunnel  between our head office and a hosting company, all works well, solid as a rock. However we now have a requirement for one of our branch offices to also run a tunnel to the hosting company, however for reasons of cost and control it has been decided that the branch office will route via the head office...


We also have a running IPSEC tunnel between the head and branch office so all we need to get the whole thing running is to get the branch office to route to the hosting company via the head office and were done.


Would this be considered as a full mesh but with one of the links removed (branch to hosting), or a hybrid of some sort? BTW both head office and branch run Cisco ASA5550 and 5515 repectively and we have full  control over these devices, the hosting company I'm not so sure but may be an ASA..


Any advice or links to documentation would be greatly appreciated...

Correct Answer by Jouni Forss about 3 years 9 months ago

Hi,


Glad to hear its working now


- Jouni

Correct Answer by Jouni Forss about 3 years 9 months ago

Hi,


Well I am not sure how you have set up the NAT configuration for the traffic between Branch and Hosting.


It would sound according to the above that you are actually adding the actual Branch network to the Head Office to Hosting L2L VPN? If this is true then you would require a NAT configuration on the Head Office that is between "outside" and "outside". In other words a NAT0 configuration for the "outside" interface. (My original suggesting was to do Dynamic PAT for Branch if you wanted to avoid changes to configuration on the Hosting Site)


That would probably be something I would check first.


If that is fine then I would check the VPN Counters


Do this for both of the L2L VPN Connections


show crypto ipsec sa peer


This should show you if the L2L VPN has negotiated for the Branch and Hosting networks on both L2L VPN Connections. This would also tell you if packets are flowing in both directions.


If the problem is outside of your network then at the Head Office you would probably see only decapsulated/decrypted packets for the Head Office - Branch Office L2L VPN and only encapsulated/encrypted packets for the Head Office - Hosting Site L2L VPN


- Jouni

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Jouni Forss Fri, 11/01/2013 - 09:03
User Badges:
  • Super Bronze, 10000 points or more

Hi,


This should not be that hard to implement.


The main question here for us is the whether you want to add this Branch Office to the L2L VPN connection between the Head Office to Hosting Company WITHOUT changing or adding any setting to the existing connection?


If this is the case you have the option to configure a NAT so that the Hosting Site side of the L2L VPN connection wont need any additional configurations and you should still be able to connect to the Hosting Site from the Branch Site without a problem. I am imagine most if not all connections through these L2L VPN connections are initiated by your site and not the Hosting Site?


If your willing to show us some configurations on the Branch Site and Head Office ASAs I am pretty sure we can get this working in the next hour or so even


Essentially the steps would be

  • Add the Hosting Site network to the Head Office <-> Branch Office L2L VPN configuration Encryption Domain (Crypto Map ACL)
  • From the existing source subnet of Head Office - Hosting Company L2L VPN choose one IP address that is not used by any device and will not be used by any device.
  • Configure a Dynamic Policy PAT which will essentially PAT all traffic coming from the Branch Office to the Head Office when the connections destination address is part of the Hosting Site network
  • Configure or make sure you have configured "same-security-traffic permit intra-interface" which will enable the traffic from the Branch Office to enter and leave through the same interface (traffic coming from one L2L VPN and entering another L2L VPN)


Those are the main steps. If the above is the setup you are going for then if we could see the configurations (minus sensitive information) this shouldnt be hard to implement.


Hope this helps


- Jouni

robheaplogin Mon, 11/04/2013 - 02:31
User Badges:

Hi There


Making changes to any of the firewalls is isnt a problem at all, we can access the head office ASA directly, the branch office ASA via remote PC (its sits behind a second layer of NAT so cannot be accessed vis SSH etc), and the hosting fw just requires that we inform the hosting company who can make any required changes usually within the hour.


I have already added the hosting network to the head <-> branch office and the branch office network to the head <-> hosting company L - L.


same-security-traffic permit intra-interface has already been enabled as we have a client VPN that enter and exits via the same interface.


All looks ok, both tunnels come up within a ping and were not seeing any problems with traffic traversing withinn the tunnels however the branch <-> hosting company traffic is failing.


Ill get the configs off shortly but in the meantime is there something obvious weve missed?


Rob

Correct Answer
Jouni Forss Mon, 11/04/2013 - 02:40
User Badges:
  • Super Bronze, 10000 points or more

Hi,


Well I am not sure how you have set up the NAT configuration for the traffic between Branch and Hosting.


It would sound according to the above that you are actually adding the actual Branch network to the Head Office to Hosting L2L VPN? If this is true then you would require a NAT configuration on the Head Office that is between "outside" and "outside". In other words a NAT0 configuration for the "outside" interface. (My original suggesting was to do Dynamic PAT for Branch if you wanted to avoid changes to configuration on the Hosting Site)


That would probably be something I would check first.


If that is fine then I would check the VPN Counters


Do this for both of the L2L VPN Connections


show crypto ipsec sa peer


This should show you if the L2L VPN has negotiated for the Branch and Hosting networks on both L2L VPN Connections. This would also tell you if packets are flowing in both directions.


If the problem is outside of your network then at the Head Office you would probably see only decapsulated/decrypted packets for the Head Office - Branch Office L2L VPN and only encapsulated/encrypted packets for the Head Office - Hosting Site L2L VPN


- Jouni

robheaplogin Mon, 11/11/2013 - 06:23
User Badges:

Hi There


You're quite correct, it was the NAT0 that was missing. Now this NAT entry has been created we have traffic flow from Branche > Hosting site.


Many thank for all your help with this.


Rob

Correct Answer
Jouni Forss Mon, 11/11/2013 - 06:29
User Badges:
  • Super Bronze, 10000 points or more

Hi,


Glad to hear its working now


- Jouni

Actions

This Discussion