L - L VPN routing via alternative tunnel.. mesh?

robheaplogin
Level 1

Hi All

We have an L - L IPSEC tunnel between our head office and a hosting company; all works well, solid as a rock. However, we now have a requirement for one of our branch offices to also run a tunnel to the hosting company, but for reasons of cost and control it has been decided that the branch office will route via the head office...

We also have a running IPSEC tunnel between the head and branch office, so all we need to get the whole thing running is to get the branch office to route to the hosting company via the head office and we're done.

Would this be considered a full mesh but with one of the links removed (branch to hosting), or a hybrid of some sort? BTW both head office and branch run Cisco ASA5550 and 5515 respectively and we have full control over these devices; the hosting company I'm not so sure about but it may be an ASA..

Any advice or links to documentation would be greatly appreciated...


Jouni Forss
VIP Alumni

Hi,

This should not be that hard to implement.

The main question here for us is whether you want to add this Branch Office to the L2L VPN connection between the Head Office and the Hosting Company WITHOUT changing or adding any setting to the existing connection?

If this is the case you have the option to configure a NAT so that the Hosting Site side of the L2L VPN connection won't need any additional configuration, and you should still be able to connect to the Hosting Site from the Branch Site without a problem. I imagine most if not all connections through these L2L VPN connections are initiated by your site and not the Hosting Site?

If you're willing to show us some configurations on the Branch Site and Head Office ASAs I am pretty sure we can get this working in the next hour or so even.

Essentially the steps would be

  • Add the Hosting Site network to the Head Office <-> Branch Office L2L VPN configuration Encryption Domain (Crypto Map ACL)
  • From the existing source subnet of Head Office - Hosting Company L2L VPN choose one IP address that is not used by any device and will not be used by any device.
  • Configure a Dynamic Policy PAT which will essentially PAT all traffic coming from the Branch Office to the Head Office when the connections destination address is part of the Hosting Site network
  • Configure or make sure you have configured "same-security-traffic permit intra-interface" which will enable the traffic from the Branch Office to enter and leave through the same interface (traffic coming from one L2L VPN and entering another L2L VPN)

Those are the main steps. If the above is the setup you are going for, then if we could see the configurations (minus sensitive information) this shouldn't be hard to implement.

Hope this helps

- Jouni
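The four steps above, written out as an added example for the Head Office ASA (this is not the poster's or Cisco's configuration). It assumes ASA 8.3+/9.x NAT syntax and constructed addresses: Head Office LAN 10.1.0.0/24 (the existing encryption domain toward Hosting), Branch LAN 10.2.0.0/24, Hosting LAN 10.3.0.0/24, and 10.1.0.250 as the spare Head Office address used for PAT.

```cisco
! Added example, constructed addresses; applied on the HEAD OFFICE ASA.
! The Hosting side needs no change because Branch traffic arrives as 10.1.0.250.
object network HO-LAN
 subnet 10.1.0.0 255.255.255.0
object network BRANCH-LAN
 subnet 10.2.0.0 255.255.255.0
object network HOSTING-LAN
 subnet 10.3.0.0 255.255.255.0
object network BRANCH-PAT-IP
 host 10.1.0.250

! Step 4: let traffic enter and leave through the same interface, i.e. be decrypted
! from one L2L tunnel on "outside" and re-encrypted into another on "outside".
same-security-traffic permit intra-interface

! Step 1: Head Office <-> Branch crypto map ACL also carries Hosting <-> Branch traffic.
! The Branch ASA mirrors the second line as "permit ip object BRANCH-LAN object HOSTING-LAN".
access-list HO-BRANCH-CRYPTO extended permit ip object HO-LAN object BRANCH-LAN
access-list HO-BRANCH-CRYPTO extended permit ip object HOSTING-LAN object BRANCH-LAN

! Steps 2-3: dynamic policy PAT, outside-to-outside, only for Branch sources whose
! destination is the Hosting network. NAT runs before encryption, so the packet is
! matched against the Hosting crypto ACL with source 10.1.0.250, which already sits
! inside the existing Head Office encryption domain.
nat (outside,outside) source dynamic BRANCH-LAN BRANCH-PAT-IP destination static HOSTING-LAN HOSTING-LAN

! Existing Head Office <-> Hosting crypto map ACL, unchanged.
access-list HO-HOSTING-CRYPTO extended permit ip object HO-LAN object HOSTING-LAN
```

Because the Hosting side only ever sees 10.1.0.250, return traffic is untranslated by the same PAT entry and re-encrypted into the Branch tunnel; connections initiated from Hosting toward individual Branch hosts are not possible with this design.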

Hi There

Making changes to any of the firewalls isn't a problem at all; we can access the head office ASA directly, the branch office ASA via a remote PC (it sits behind a second layer of NAT so cannot be accessed via SSH etc), and the hosting fw just requires that we inform the hosting company, who can make any required changes usually within the hour.

I have already added the hosting network to the head <-> branch office and the branch office network to the head <-> hosting company L - L.

same-security-traffic permit intra-interface has already been enabled as we have a client VPN that enters and exits via the same interface.

All looks ok, both tunnels come up within a ping and we're not seeing any problems with traffic traversing within the tunnels; however the branch <-> hosting company traffic is failing.

I'll get the configs off shortly but in the meantime is there something obvious we've missed?

Rob

Hi,

Well I am not sure how you have set up the NAT configuration for the traffic between Branch and Hosting.

It would sound according to the above that you are actually adding the actual Branch network to the Head Office to Hosting L2L VPN? If this is true then you would require a NAT configuration on the Head Office that is between "outside" and "outside". In other words a NAT0 configuration for the "outside" interface. (My original suggestion was to do Dynamic PAT for Branch if you wanted to avoid changes to configuration on the Hosting Site)

That would probably be something I would check first.

If that is fine then I would check the VPN Counters

Do this for both of the L2L VPN Connections

show crypto ipsec sa peer

This should show you if the L2L VPN has negotiated for the Branch and Hosting networks on both L2L VPN Connections. This would also tell you if packets are flowing in both directions.

If the problem is outside of your network then at the Head Office you would probably see only decapsulated/decrypted packets for the Head Office - Branch Office L2L VPN and only encapsulated/encrypted packets for the Head Office - Hosting Site L2L VPN

- Jouni
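The NAT0 (identity NAT) variant described in this reply, as an added example for the Head Office ASA (not the poster's configuration). It assumes ASA 8.3+/9.x syntax and constructed addresses: Branch LAN 10.2.0.0/24, Hosting LAN 10.3.0.0/24, Branch peer 203.0.113.1, Hosting peer 198.51.100.1.

```cisco
! Added example, constructed addresses; HEAD OFFICE ASA.
! Here the real Branch network is added to BOTH tunnels, so the Hosting ASA must
! mirror the HO-HOSTING-CRYPTO line below with Branch as the remote network.
object network BRANCH-LAN
 subnet 10.2.0.0 255.255.255.0
object network HOSTING-LAN
 subnet 10.3.0.0 255.255.255.0

same-security-traffic permit intra-interface

access-list HO-BRANCH-CRYPTO extended permit ip object HOSTING-LAN object BRANCH-LAN
access-list HO-HOSTING-CRYPTO extended permit ip object BRANCH-LAN object HOSTING-LAN

! The missing piece: NAT0 between outside and outside. Without it the hairpinned
! Branch traffic can match another NAT rule on the outside interface (for example a
! dynamic PAT toward the Internet), leave with a source that matches no crypto ACL,
! and never enter the Hosting tunnel. Identity NAT pins 10.2.0.0/24 as-is.
nat (outside,outside) source static BRANCH-LAN BRANCH-LAN destination static HOSTING-LAN HOSTING-LAN no-proxy-arp

! Checks. The identity rule's translate_hits / untranslate_hits should increase
! as Branch -> Hosting traffic flows.
show nat detail

! Per-tunnel SA counters for the 10.2.0.0/24 <-> 10.3.0.0/24 proxy identities:
! #pkts decaps should rise on the Branch peer and #pkts encaps on the Hosting peer.
! Decaps only on the Branch SA and encaps only on the Hosting SA, with no return
! counters, places the fault beyond this ASA (Hosting side or beyond).
show crypto ipsec sa peer 203.0.113.1
show crypto ipsec sa peer 198.51.100.1
```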

Hi There

You're quite correct, it was the NAT0 that was missing. Now this NAT entry has been created we have traffic flow from Branch > Hosting site.

Many thanks for all your help with this.

Rob

Hi,

Glad to hear it's working now

- Jouni
