Hi Jouni, hope all is well my friend.

All three sites have public addressing with WAN access; the reason for using Site A for internet is a management decision, because Site A has a 50 Meg pipe.

The equipment will arrive next week for all three sites, I'm working on the configs for each ASA for the site-to-site VPN, while working on the configs was hoping you know what I need to add, we have this ready to apply when the equipment arrives, allows us to ship the equipment to the remote site.

As you can see we have never done this before to bring WAN traffic back through the LAN VPN site-to-site. I'm still waiting on our ISP to bring the fiber into the MDF room and give the public IP's for the two remote sites.

I have everything we need for Site A our primary location, to include the internet switch, ASA 5505, along with the users.

I'm not sure how to make this work and the more information you give will help very much

Thank you

Hi,

I am just wondering what the reasoning to have all traffic go through the central firewall unless there is something on the Central Site through which every outbound connection should pass through. The traffic from the Remote Sites through the Central Site to the external networks will naturally consume a lot of the bandwith of the Central Site so thats something to consider.

If I were to give partial example configurations for all the 3 sites then the NAT and VPN configurations could look like this (I presume a 8.4 or above software level)

Base Information

• 3 Sites
• Central Site = 10.10.10.0/24
• Remote Site 1 = 10.10.20.0/24
• Remote Site 2 = 10.10.30.0/24
• Site 1 Public IP = 1.1.1.1
• Site 2 Public IP = 2.2.2.2
• Site 3 Public IP = 3.3.3.3
• External Interface = outside (on each site)
• Internal Interface = inside (on each site)

CENTRAL SITE

• We create ACLs for the Remote Site L2L VPN which define that traffic from "any" source address will/can be forwarded to the Remote Site
• We configure "object" for the networks and configure NAT0 for the Central to Remote traffic
• We configure Dynamic PAT for the Remote Sites Internet traffic that comes through L2L VPN
• We configure L2L VPN

access-list REMOTE-ONE-L2LVPN remark Encryption Domain for Remote Site 1

access-list REMOTE-ONE-L2LVPN permit ip any 10.10.20.0 255.255.255.0

access-list REMOTE-TWO-L2LVPN remark Encryption Domain for Remote Site 2

access-list REMOTE-TWO-L2LVPN permit ip any 10.10.30.0 255.255.255.0

object network CENTRAL-SITE

subnet 10.10.10.0 255.255.255.0

object network REMOTE-ONE

subnet 10.10.20.0 255.255.255.0

object network REMOTE-TWO

subnet 10.10.30.0 255.255.255.0

nat (inside,outside) source static CENTRAL-SITE CENTRAL-SITE destination static REMOTE-ONE REMOTE-ONE

nat (inside,outside) source static CENTRAL-SITE CENTRAL-SITE destination static REMOTE-TWO REMOTE-TWO

object network REMOTE-ONE-PAT

subnet 10.10.20.0 255.255.255.0

nat (outside,outside) dynamic interface

object network REMOTE-TWO-PAT

subnet 10.10.30.0 255.255.255.0

nat (outside,outside) dynamic interface

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map CRYPTOMAP 1 match address REMOTE-ONE-L2LVPN

crypto map CRYPTOMAP 1 set peer 2.2.2.2

crypto map CRYPTOMAP 1 set ikev1 transform-set ESP-AES-256-SHA

crypto map CRYPTOMAP 1 set reverse-route

crypto map CRYPTOMAP 2 match address REMOTE-TWO-L2LVPN

crypto map CRYPTOMAP 2 set peer 3.3.3.3

crypto map CRYPTOMAP 2 set ikev1 transform-set ESP-AES-256-SHA

crypto map CRYPTOMAP 2 set reverse-route

crypto map CRYPTOMAP interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

tunnel-group 2.2.2.2 type ipsec-l2l

tunnel-group 2.2.2.2 ipsec-attributes

ikev1 pre-shared-key

tunnel-group 3.3.3.3 type ipsec-l2l

tunnel-group 3.3.3.3 ipsec-attributes

ikev1 pre-shared-key

REMOTE SITE ONE/TWO

• Example configurations that can be applied to both Remote Sites
• If requirement is truly that ALL traffic from the Remote Sites should head through the Central Site then you essentially dont need any NAT configurations on the Remote Sites ASAs since all traffic should show up on the Central Site without NAT since the Central Site would do the NAT towards the external/public networks

access-list CENTRAL-SITE-L2LVPN remark Encryption Domain for Main Site L2LVPN

access-list CENTRAL-SITE-L2LVPN permit ip 255.255.255.0 any

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map CRYPTOMAP 1 match address CENTRAL-SITE-L2LVPN

crypto map CRYPTOMAP 1 set peer 1.1.1.1

crypto map CRYPTOMAP 1 set ikev1 transform-set ESP-AES-256-SHA

crypto map CRYPTOMAP 1 set reverse-route

crypto map CRYPTOMAP interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

ikev1 pre-shared-key

The above are some very general examples. The situation is problematic for the Remote Sites because their configurations would probably DROP all traffic until the L2L VPN is up. So they will probably work only as soon as the whole setup between Central and Remote are finalized.

Hope this helps

- Jouni

Hi,

The Internet traffic from Remote Sites will only be tunneled to the L2L VPN connection if we use "any" as the destination address in the Crypto ACL since we cant really know all the public destination networks for which traffic should be tunneled to the L2L VPN between Remote and Central.

I imagine if its just web traffic then it could be handled with a Proxy on the Central Site to which the hosts on Remote Sites would connect to?

I am not sure if anything could be done with other type of traffic towards the external networks? I can't comment on that myself.

- Jouni

No need for a proxy, unless web filtering is required.  Just good ol' hairpinning and NAT.

Hi,

But how are you going to get the Internet bound traffic from the Remote Site to the Central Site through the L2L VPN connection if we were NOT using "any" as the destination address/network for the tunneled traffic? If we didnt use "any" the local Remote Site ASA would simply pass the traffic through its local WAN link and not forward it to the VPN.

- Jouni

Please reread my original post.  I mention that we need to be sure that all traffic is being tunneld from site B and C.

Ah, Probably understood your earlier posts wrong (not the original). I thought you meant that there was something in the earlier configurations I posted that was not needed?

I just listed the partial configurations as it was mentioned that the user didnt have any of the remote sites equipment and connectivity yet so there was nothing set up yet.

- Jouni

Though,

If the situation was so that Internet traffic from the Remote Site clients would not need to go through the L2L VPN and through the Central Site BUT the requirement was to be able to host services from the Remote Sites through the Central Site then we could do Dynamic PAT for all the Internet source addresses on the Central Site so the Remote Site server would only see traffic coming from one source address and therefore we could define the Crypto ACL easily also.

- Jouni

Hi,

We are required to bring all connections from the two remote sites, Site-B, Site-C to the Primary site being A, we have multiple reasons with one being web filtering, all three sites are one company separated by distance. They are Financial Banking sites that require more security that our primary site will handle after we bring all traffic to Site-A.

Founi - thanks for the examples for doing this, will help me configure the ASA firewalls when they arrive.

Thank you all for giving input on how to make this work - really appreciate that.

Jouni,

After reading what you sent for example config I see no routing for either Site-B or Site-C will this not be required for either site, I know we need this at Sit-A  as listed  - route outside 0.0.0.0 0.0.0.0 98.101.202.1 1

Thank you