How to pass traffic from one S2S VPN site through ASA to another S2S VPN site?

Evin Hill
Level 1

I have a need for hosts on separate VPN networks connected to my corp ASA to communicate with each other.  Example: Host A at site 1 needs to communicate with Host B at site 2.  Both sites 1 & 2 are connected via S2S VPN.  I would like to get traffic from either site to flow through the ASA to the other site.  Where should I start my configuration?  NAT? ACL? 

 

I can ping each host from the corp network but cannot ping from one site to the other.  I have configured same-security-traffic permit intra-interface and added both NAT and ACL rules to allow/permit Site 1 to contact Site 2.  When I do a packet trace through ASDM, the packets are allowed to pass. I've read different posts that say not to NAT. Is there something on the other end of the VPN I need to do?  Do the NAT and ACL rules need to mirror? Just in case, one site is an MS Azure VM instance and the other is a 3rd party VM instance.

Accepted Solution

On the HubASA, do I configure a new crypto map that selects traffic from Site1 to Site2 and protect the traffic and set the peer to Site2 public IP or do I just add this traffic selection to the existing crypto map for the existing tunnel between HubASA and Site2? 

Just add this traffic to the existing crypto map.

Remember that this needs to be added on the three routers (the two hubs and the one spoke).

Site1

access-list CRYPTO permit ip <Site1 LAN IP> <Site1 subnet> <Site2 LAN IP> <Site2 subnet>
access-list CRYPTO permit ip <Site1 LAN IP> <Site1 subnet> <Site3 LAN IP> <Site3 subnet>
access-list CRYPTO permit ip <Site1 LAN IP> <Site1 subnet> <HUB LAN IP> <HUB subnet>

Site2

access-list CRYPTO permit ip <Site2 LAN IP> <Site2 subnet> <Site1 LAN IP> <Site1 subnet>
access-list CRYPTO permit ip <Site2 LAN IP> <Site2 subnet> <Site3 LAN IP> <Site3 subnet>
access-list CRYPTO permit ip <Site2 LAN IP> <Site2 subnet> <HUB LAN IP> <HUB subnet>

Site3

access-list CRYPTO permit ip <Site3 LAN IP> <Site3 subnet> <Site1 LAN IP> <Site1 subnet>
access-list CRYPTO permit ip <Site3 LAN IP> <Site3 subnet> <Site2 LAN IP> <Site2 subnet>
access-list CRYPTO permit ip <Site3 LAN IP> <Site3 subnet> <HUB LAN IP> <HUB subnet>

HUB

access-list CRYPTO_1 permit ip <HUB LAN IP> <HUB subnet> <Site1 LAN IP> <Site1 subnet>
access-list CRYPTO_1 permit ip <Site2 LAN IP> <Site2 subnet> <Site1 LAN IP> <Site1 subnet>
access-list CRYPTO_1 permit ip <Site3 LAN IP> <Site3 subnet> <Site1 LAN IP> <Site1 subnet>

access-list CRYPTO_2 permit ip <HUB LAN IP> <HUB subnet> <Site2 LAN IP> <Site2 subnet>
access-list CRYPTO_2 permit ip <Site1 LAN IP> <Site1 subnet> <Site2 LAN IP> <Site2 subnet>
access-list CRYPTO_2 permit ip <Site3 LAN IP> <Site3 subnet> <Site2 LAN IP> <Site2 subnet>

access-list CRYPTO_3 permit ip <HUB LAN IP> <HUB subnet> <Site3 LAN IP> <Site3 subnet>
access-list CRYPTO_3 permit ip <Site1 LAN IP> <Site1 subnet> <Site3 LAN IP> <Site3 subnet>
access-list CRYPTO_3 permit ip <Site2 LAN IP> <Site2 subnet> <Site3 LAN IP> <Site3 subnet>

Each of these ACLs is assigned to its respective crypto map.  CRYPTO_1 is assigned to site1's crypto map, CRYPTO_2 is assigned to site2's crypto map, etc.

I hope this is clear.

In addition to this you will need to configure identity NAT / NAT exempt at both the HUB and the spoke sites.

--

Please remember to select a correct answer and rate helpful posts

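The crypto-ACL mirroring laid out in the accepted solution, as an added example that is not code from the thread or from Cisco: it generates the spoke and hub ACLs for a constructed four-site topology and cross-checks that every proxy identity has its mirror on the peer, so a missing entry on any device is reported instead of surfacing as a tunnel that comes up but passes no spoke-to-spoke traffic. Site names, subnets and ACL names are assumptions; identity NAT is a separate step not shown here.

```python
"""Added example, not from the thread: build the mirrored crypto ACLs for a
hub-and-spoke ASA design where spoke-to-spoke traffic hairpins through the hub,
and check that each proxy identity is mirrored. All names/subnets are constructed."""
import ipaddress

# Constructed topology: one hub and three spokes (not the poster's addressing).
SITES = {"HUB": "10.10.8.0/22", "Site1": "192.168.10.0/24",
         "Site2": "10.4.0.0/16", "Site3": "10.1.10.0/24"}
SPOKES = [s for s in SITES if s != "HUB"]

def _ip_mask(cidr):
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.netmask}"

def spoke_acl(spoke):
    """Spoke's crypto ACL: its own LAN -> hub LAN and every other spoke LAN."""
    return {(spoke, other) for other in SITES if other != spoke}

def hub_acl(spoke):
    """Hub's ACL for this spoke's tunnel: every other site LAN -> this spoke's LAN."""
    return {(src, spoke) for src in SITES if src != spoke}

def render(name, pairs):
    return [f"access-list {name} extended permit ip "
            f"{_ip_mask(SITES[s])} {_ip_mask(SITES[d])}" for s, d in sorted(pairs)]

def mirror_gaps(spoke_acls, hub_acls):
    """Missing entries as (device, src, dst). For a spoke entry (A, B) the hub's ACL
    for A needs (B, A); if B is a spoke, hub ACL for B needs (A, B) and B needs (B, A)."""
    gaps = set()
    for a, pairs in spoke_acls.items():
        for src, dst in pairs:
            if (dst, src) not in hub_acls[a]:
                gaps.add(("HUB:" + a, dst, src))
            if dst in spoke_acls:
                if (src, dst) not in hub_acls[dst]:
                    gaps.add(("HUB:" + dst, src, dst))
                if (dst, src) not in spoke_acls[dst]:
                    gaps.add((dst, dst, src))
    return sorted(gaps)

def build():
    return {s: spoke_acl(s) for s in SPOKES}, {s: hub_acl(s) for s in SPOKES}

if __name__ == "__main__":
    spoke_acls, hub_acls = build()
    spoke_acls["Site2"].discard(("Site2", "Site1"))  # simulate a peer missing its mirror
    print(render("CRYPTO_1", hub_acls["Site1"]), mirror_gaps(spoke_acls, hub_acls))
```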

14 Replies

Do you have split tunneling configured at the remote sites? If so you would need to add the remote-site1 and remote-site2 subnets into the crypto maps for each other, as well as on the Hub ASA.  Also the NAT needs to be done on all 3 locations.

so,

1. site1 should have site2's subnet in its crypto map destination

2. site2 should have site1's subnet in its crypto map destination

3. ASA hub should have site2 subnet in its site1 crypto map source

4. ASA hub should have site1 subnet in its site2 crypto map source

5. twice NAT/NAT exempt should be configured on all devices

6. If the remote devices do not use a default route then you need to manually add a route at each location pointing out the outside interface.

--

Please remember to select a correct answer and rate helpful posts


Hi Marius,

Thank you for your response.  As for split-tunneling, we do have it configured on the "Hub" ASA.  The two remote sites are with 3rd party providers, Site1 being an MS Azure VM and Site2 being a VM hosted by a 3rd party.  I also need to throw in a Site3, which is one of our branch offices (also using an ASA) and needs to access Site1.  Both the Central site and Site3 use default routing.  I will have to check with Site1 and Site2.

To sum up your steps, I need to create policy on each site that says any traffic from this site destined to another site needs to go through the VPN tunnel to the Hub ASA and do not NAT, correct?  And on the Hub ASA, I need to create two policies for each site that needs to go through it to the other and no NAT?

To achieve twice NAT/NAT exempt on ASA 8.4, is that creating nat (outside,outside) deny source destination?  Or do I permit that and set translation as source original destination original?

Hi,

(outside,outside) NAT should be permitted.

Make sure in the crypto ACLs you add (host A to host B), mirrored on the remote site, and on site B's crypto ACL (host B and host A), mirrored on the remote peer of this site.

 

-Altaf

To update everyone on this.  I've got this working in a lab environment where I'm using two ASA 5505s running 8.4(7) base as HubASA1 and Site1, one Cisco 1721 running IOS 12.4 as Site2 and one Cisco 2611XM running IOS 12.4 as the "internet router".  I'm able to ping and RDP to a host in Site2 from a host in Site1, and vice versa.  The problem I'm having now is replicating this to a running production environment that already has other config set up.

The production environment consists of an ASA 5510 running 8.4(7) base as the HubASA, one Cisco 5505 running 8.2 as Site1, a Microsoft Azure VM as Site2 and a Windows VM hosted by a 3rd party as Site3.  All three sites have an S2S IPSec VPN tunnel to the HubASA.

The requirements are:

1. Site1 needs access to Site2 (the Azure VM), and the Azure VM needs access to the Site1 network.

2. Site2 (Azure VM) needs access to VMs on Site3 and the reverse.

Proposed Config (This is where I would like advice or correction)

HubASA, Site1 and Site2 are all configured with a default route.  No other routing is configured.

For Req#1:

On the HubASA, do I configure a new crypto map that selects traffic from Site1 to Site2 and protect the traffic and set the peer to Site2 public IP or do I just add this traffic selection to the existing crypto map for the existing tunnel between HubASA and Site2? 

HubASA to be configured with identity NAT with nat (outside,outside) source Site1 destination Site2 no-proxy-arp route-lookup (reverse for Site2 to Site1 traffic)

Site1 ASA to be configured with a crypto map that selects traffic destined to Site 2, to protect it and permit it through the tunnel with the HubASA.

For Req#2:

HubASA to be configured similar to above but for Site2 to Site3 traffic

Site3 has the access-lists defined below to allow traffic from the Azure VM (10.4.0.0/16, 172.16.0.0/16) network to the 3rd party VM network.

ip access-list extended linium-net
 permit ip 10.1.10.0 0.0.0.255 10.4.0.0 0.0.255.255
 permit ip 10.1.12.0 0.0.0.255 10.4.0.0 0.0.255.255
 permit ip 10.2.13.0 0.0.0.255 10.4.0.0 0.0.255.255
 permit ip 10.2.14.0 0.0.0.255 10.4.0.0 0.0.255.255
 permit ip 10.1.10.0 0.0.0.255 172.16.0.0 0.0.15.255
 permit ip 10.1.12.0 0.0.0.255 172.16.0.0 0.0.15.255
 permit ip 10.2.13.0 0.0.0.255 172.16.0.0 0.0.15.255
 permit ip 10.2.14.0 0.0.0.255 172.16.0.0 0.0.15.255

What could I be missing that is not allowing traffic from any site through the HubASA to another site?  


OK, a quick update.  I am implementing the above suggestions in our production environment and I've configured the Hub site and Site 1 as below.  When I run the packet tracer in ASDM, the ACL and NAT rules fail and I am not able to RDP to the VM in Site 2 from Site 1.  What could I be missing?

Hub (v8.4)

access-list vpn_to_linium_nyc extended permit ip 10.10.8.0 255.255.252.0 192.168.10.0 255.255.255.0 
access-list vpn_to_linium_nyc extended permit ip object-group azure-networks object obj-192.168.10.0 
access-list vpn_to_linium_nyc extended permit ip object-group RP_AzureNetwork object obj-192.168.10.0 
access-list AZURE_ACCESS extended permit ip object-group LOCAL_NETWORK object-group RP_AzureNetwork 
access-list AZURE_ACCESS extended permit ip object obj-192.168.10.0 object-group RP_AzureNetwork 
access-list azure-vpn-acl extended permit ip 10.0.0.0 255.0.0.0 object-group azure-networks 
access-list azure-vpn-acl extended permit ip object obj-192.168.10.0 object-group azure-networks 

nat (outside,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static azure-networks azure-networks no-proxy-arp route-lookup
nat (outside,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static RP_AzureNetwork RP_AzureNetwork no-proxy-arp route-lookup


Site1 (v8.2)

access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 Access_to_Azure 255.255.0.0 
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 10.10.8.0 255.255.252.0 
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 10.10.8.0 255.255.252.0 
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 Access_to_Azure 255.255.0.0 

Do you have the command same-security-traffic permit intra-interface configured on the Hub ASA?

--

Please remember to select a correct answer and rate helpful posts


I do.  I also have it configured on the Site1 ASA.

Essentially you need Spoke to Spoke VPN coverage.

Cisco Firewall VPN "Hair Pinning"

Pete

Thanks Pete! In your KB, this is referencing Remote VPN connections; does this apply to Site to Site as well?  I've gone through and verified all of the items are as per your KB. I'm going to work through the old NAT entries to see if there's anything there that might be stopping the flow.  That's the only thing I can think of.  I've successfully configured the "Spoke to Spoke" in a lab environment using two ASAs and a Cisco router, but replicating the configuration to production has been a challenge.

Is the tunnel between site1 and HUB coming up and the issue is just with traffic between site1 and site2?

--

Please remember to select a correct answer and rate helpful posts


Yes, that is correct.  I can ping and RDP to any host on the Central/Hub ASA LAN from either Site 1 or Site 2.  From looking at all the sites for a Spoke to Spoke setup, I can't see what I might be missing other than a previous NAT config on the Central/Hub ASA that may be preventing it.  We have a ton of Static NAT mappings for hosts inside of our network for reasons unknown to me.  Can anyone confirm that my above config settings are correct at least?

Would you be able to post the running config (sanitised) of the Hub ASA?

--

Please remember to select a correct answer and rate helpful posts


To sum up your steps, I need to create policy on each site that says any traffic from this site destined to another site needs to go through the VPN tunnel to the Hub ASA and do not NAT, correct?

Correct, depending on the version of ASA you are running you would need to configure no NAT / NAT exempt or identity NAT so that the VPN traffic is not NATed.  And as you mention you would need to configure the devices to send traffic for the other sites through the VPN tunnel.

And on the Hub ASA, I need to create two policies for each site that needs to go through it to the other and no NAT?

Not exactly.  You would create one "policy" for each site but permit traffic between the remote sites in the policy, and also configure no NAT / NAT exempt or identity NAT.

To achieve twice NAT/NAT exempt on ASA 8.4, is that creating nat (outside,outside) deny source destination?  Or do I permit that and set translation as source original destination original?

You would set the translation as source original destination original.

--

Please remember to select a correct answer and rate helpful posts
