how to access VPN by headquarter

Hello all

I have a VPN IPsec branch1 connected to my headquarter. It works fine.

I have a VPN IPsec branch2 connected to my headquarter. It works fine.

I need to connect my branch1 to my branch2 using my headquarter.

Is it possible? How can I do it? See the attachment.

Thanks anyway,

Diego


Re: how to access VPN by headquarter

Hi Diego,

Topology:

                               A
Site B  -------------------  Site A
  B                            |
                               |
                               |
                             Site C
                               C

Tunnel from B to A (included in the crypto ACL):

From B to A

From B to C

Tunnel from Site A to B (included in the crypto ACL):

From A to B

From C to B

*******************************************************

Tunnel from Site C to A (included in the crypto ACL):

From C to A

From C to B

Tunnel from Site A to C (included in the crypto ACL):

From A to C

From B to C

On the ASA site A, please add the "same-security-traffic permit intra-interface". You will have a NAT exemption from A to B and from A to B. No need to deal with NAT on the outside.

On the ASA site B, you will have a NAT exemption from B to A and from B to C.

On the ASA site C, you will have a NAT exemption from C to A and from C to B.

Let me know if you have any questions.

* Please rate any post that you find helpful.
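
The layout from the reply above, written out as ASA configuration. This is an added example, not part of the original thread or Cisco's own code. The subnets, object names and ACL names are constructed for illustration, the NAT lines assume ASA 8.3 or later syntax, and each ACL is assumed to be already bound to its peer's crypto map entry.

```cisco
! Constructed addressing (not from the thread):
!   NET-A 10.1.0.0/24 (hub), NET-B 10.2.0.0/24, NET-C 10.3.0.0/24
! Object and ACL names are hypothetical.

! ---------- Site A (hub) ----------
object network NET-A
 subnet 10.1.0.0 255.255.255.0
object network NET-B
 subnet 10.2.0.0 255.255.255.0
object network NET-C
 subnet 10.3.0.0 255.255.255.0

! Allow traffic decrypted from one tunnel on outside to leave
! through the other tunnel on the same interface (hairpin).
same-security-traffic permit intra-interface

! Tunnel A to B: local side is A plus C
access-list CRYPTO-TO-B extended permit ip object NET-A object NET-B
access-list CRYPTO-TO-B extended permit ip object NET-C object NET-B
! Tunnel A to C: local side is A plus B
access-list CRYPTO-TO-C extended permit ip object NET-A object NET-C
access-list CRYPTO-TO-C extended permit ip object NET-B object NET-C

! NAT exemption only for the hub's own inside hosts
nat (inside,outside) source static NET-A NET-A destination static NET-B NET-B no-proxy-arp route-lookup
nat (inside,outside) source static NET-A NET-A destination static NET-C NET-C no-proxy-arp route-lookup

! ---------- Site B (spoke) ----------
! (same three object definitions as on Site A)
! Tunnel B to A: remote side is A plus C, mirror image of CRYPTO-TO-B on A
access-list CRYPTO-TO-A extended permit ip object NET-B object NET-A
access-list CRYPTO-TO-A extended permit ip object NET-B object NET-C
nat (inside,outside) source static NET-B NET-B destination static NET-A NET-A no-proxy-arp route-lookup
nat (inside,outside) source static NET-B NET-B destination static NET-C NET-C no-proxy-arp route-lookup

! ---------- Site C (spoke) ----------
! (same three object definitions as on Site A)
! Tunnel C to A: remote side is A plus B, mirror image of CRYPTO-TO-C on A
access-list CRYPTO-TO-A extended permit ip object NET-C object NET-A
access-list CRYPTO-TO-A extended permit ip object NET-C object NET-B
nat (inside,outside) source static NET-C NET-C destination static NET-A NET-A no-proxy-arp route-lookup
nat (inside,outside) source static NET-C NET-C destination static NET-B NET-B no-proxy-arp route-lookup
```

Branch-to-branch traffic is decrypted and re-encrypted on the hub, so Site A is the one place where it can be inspected or restricted if the branches should reach only specific hosts.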

Re: how to access VPN by headquarter

Hi Javier. Thanks for your answer.

Let me see if I understood. I wrote my doubts with underline

Tunnel from B to A (included in the crypto ACL):

From B to A

From B to C

Here I already have tunnel B to A, so I just need to insert the network C in the Remote Network, right?

Tunnel from Site A to B (included in the crypto ACL):

From A to B

From C to B

Here I already have tunnel A to B, so I just need to insert the network C in the Local Network, right?

Tunnel from Site C to A (included in the crypto ACL):

From C to A

From C to B

Here I already have tunnel C to A, so I just need to insert the network B in the Remote Network, right?

Tunnel from Site A to C (included in the crypto ACL):

From A to C

From B to C

Here I already have tunnel A to C, so I just need to insert the network B in the Local Network, right?

On the ASA site A, please add the "same-security-traffic permit intra-interface". You will have a NAT exemption from A to B and from A to B. No need to deal with NAT on the outside.

I have this option checked on ASA Site A

On the ASA site B, you will have a NAT exemption from B to A and from B to C.

On the ASA site C, you will have a NAT exemption from C to A and from C to B.

These exemptions will be created automatically, right?

Thanks

Re: how to access VPN by headquarter

Dear Diego,

Here I already have tunnel B to A, so I just need to insert the network C in the Remote Network, right? YES

Here I already have tunnel A to B, so I just need to insert the network C in the Local Network, right? YES

Here I already have tunnel C to A, so I just need to insert the network B in the Remote Network, right? YES

Here I already have tunnel A to C, so I just need to insert the network B in the Local Network, right? YES

I have this option checked on ASA Site A -> PERFECT

These exemptions will be created automatically, right? IF YOU USE THE WIZARD, YES, OTHERWISE, MANUALLY.

I hope it answers your questions

* Please rate any post that you find helpful.


how to access VPN by headquarter

Hi Javier,

Perfect.

Let's make it difficult? heeheh

Well, difficult to me, not for you

How can I do the same, B to C using A? But:

- I can't make changes in my site C. It is impossible, ok? No reason specified.

One point:

I use NAT to all traffic A to C. So, when I access network 10.0.0.0/24 (Site C) I use the IP 172.20.0.8 (NAT for Site A).

Thanks again

Diego

Re: how to access VPN by headquarter

Hi Diego,

We need to modify the crypto ACL on C, otherwise it will always point to A (so any other SA will not be built).

Unfortunately I do not think it would be possible without changing the crypto settings or even the NAT rules for this specific tunnel on ASA C.

Let me know what your thoughts are.

Thanks.

Please rate any post you find helpful.
