Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How to pass traffic from one S2S VPN site through ASA to another S2S VPN site?

I have a need for hosts on separate VPN networks connected to my corp ASA to communicate with each other.  Example: Host A at site 1 needs to communicate with Host B at site 2.  Both sites 1 & 2 are connected via S2S VPN.  I would like to get traffic from either site to flow through the ASA to the other site.  Where should I start my configuration?  NAT? ACL? 

 

I can ping each host from the corp network but cannot ping from one site to the other.  I have configured same-security-traffic permit intra-interface and added both NAT and ACL rules to allow/permit Site 1 to contact Site 2.  When I do a packet trace through ASDM, the packets are allowed to pass. I've read different that say to not NAT Is there something on the other end of the VPN I need to do?  do the NAT and ACL rules need to mirror? Just in case, one site is an MS Azure VM instance and the other is a 3rd party VM instance.  

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Green

On the HubASA, do I configure

On the HubASA, do I configure a new crypto map that selects traffic from Site1 to Site2 and protect the traffic and set the peer to Site2 public IP or do I just add this traffic selection to the existing crypto map for the existing tunnel between HubASA and Site2? 

Just add this traffic to the existing crypto map.

remember that this needs to be added on the three routers ( the two hubs and the one spoke).

Site1

access-list CRYPTO permit ip <Site1 LAN IP> <Site1 subnet> <Site2 LAN IP> Site2 subnet>

access-list CRYPTO permit ip <Site1 LAN IP> <Site1 subnet> <Site3 LAN IP> Site3 subnet>

access-list CRYPTO permit ip <Site1 LAN IP> <Site1 subnet> <HUB LAN IP> HUB subnet>

Site2

access-list CRYPTO permit ip <Site2 LAN IP> <Site2 subnet> <Site1 LAN IP> Site1 subnet>

access-list CRYPTO permit ip <Site2 LAN IP> <Site2 subnet> <Site3 LAN IP> Site3 subnet>

access-list CRYPTO permit ip <Site2 LAN IP> <Site2 subnet> <HUB LAN IP> HUB subnet>

Site3

access-list CRYPTO permit ip <Site3 LAN IP> <Site3 subnet> <Site1 LAN IP> Site1 subnet>

access-list CRYPTO permit ip <Site3 LAN IP> <Site3 subnet> <Site2 LAN IP> Site2 subnet>

access-list CRYPTO permit ip <Site3 LAN IP> <Site3 subnet> <HUB LAN IP> HUB subnet>

HUB

access-list CRYPTO_1 permit ip <HUB LAN IP> <HUB subnet> <Site1 LAN IP> Site1 subnet>

access-list CRYPTO_1 permit ip <Site2 LAN IP> <Site2 subnet> <Site1 LAN IP> Site1 subnet>

access-list CRYPTO_1 permit ip <Site3 LAN IP> <Site3 subnet> <Site1 LAN IP> Site1 subnet>

access-list CRYPTO_2 permit ip <HUB LAN IP> <HUB subnet> <Site2 LAN IP> Site2 subnet>

access-list CRYPTO_2 permit ip <Site1 LAN IP> <Site1 subnet> <Site2 LAN IP> Site2 subnet>

access-list CRYPTO_2 permit ip <Site3 LAN IP> <Site3 subnet> <Site2 LAN IP> Site2 subnet>

access-list CRYPTO_3 permit ip <HUB LAN IP> <HUB subnet> <Site3 LAN IP> Site3 subnet>

access-list CRYPTO_3 permit ip <Site1 LAN IP> <Site1 subnet> <Site3 LAN IP> Site3 subnet>

access-list CRYPTO_3 permit ip <Site2 LAN IP> <Site2 subnet> <Site3 LAN IP> Site3 subnet>

Each of these ACLs is assigned to their respective crypto maps.  CRYPTO_1 is assigned to site1's crypto map, CRYPTO_2 is assigned to site2's crypto map...etc.

I hope this is clear

In addition to this you will need to configure identity NAT / NAT exempt at both the HUB and the spoke sites.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
14 REPLIES
VIP Green

Do you have split tunneling

Do you have split tunneling configured at the remote sites? If so you would need to add remote-site1 and remote-site2 subnets into the crypto-maps for eachother...as well as on the Hub ASA.  Also the NAT needs to be done on all 3 locations.

so,

1. site1 should have site2's subnet in its crypto map destination

2. site2 should have site1's subnet in its crypto map destination

3. ASA hub should have site2 subnet in its site1 crypto map source

4. ASA hug should have site1 subnet in its site2 crypto map source

5. twice NAT/NAT exempt should be configured on all devices

6. If the remote devices do not use  default route then you need to manually add a route at each location pointing out the outside interface.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

Hi Marius,Thank you for your

Hi Marius,

Thank you for your response.  As for split-tunneling, we do have it configured on the "Hub" ASA.  The two remote sites are with 3rd party providers, Site1 being MS Azure VM and Site2 being a hosted VM by a 3rd party.  I also, need to throw in a Site3 which is one of our branch offices, also using an ASA, needs to access Site1.  Both Central site and Site3 use default routing.  I will have to check with Site1 and Site2.  

To sum up your steps, I need to create policy on each site that says any traffic from this site destined to another site needs to go through the VPN tunnel to the Hub ASA and do not Nat correct?  And on the Hub ASA, i need to create two policies for each site that needs to go through it to the other and no NAT?  

To achieve twice NAT/NAT exempt on ASA 8.4, is that creating nat (outside, outside) deny source destination?  Or do I permit that and set translation as source original destination original?

New Member

Hi, (outside,outside) nat

Hi,

 

(outside,outside) nat should permited.

make sure in the crypto ACLs you add (host a to host b), miror on remote site. and on site b crypto ACL( host b and host a) mirror on the remote peer of this site.

 

-Altaf

 

 

New Member

To update on everyone on this

To update on everyone on this.  I've got this working in a lab environment where i'm using two ASA 5505's running 8.4(7) base as HubASA1 and Site1, one Cisco 1721 running IOS 12.4 as Site2 and one Cisco 2611XM running IOS 12.4 as the "internet router".  I'm able to ping and RDP a host in Site2 from a host in Site1, and vice versa.  The problem I'm having now is replicating this to a running production environment that already has other config setup.  

The production environment consists of an ASA 5510 running 8.4(7) base as the HubASA, one Cisco 5505 running 8.2, as Site1, Microsoft Azure VM as Site2 and a Windows VM being hosted by at 3rd party as Site3.  All three sites have an S2S IPSec VPN tunnel to the HubASA.

The requirements are:

1. Site1 needs access to the Site2 (Azure VM), Azure VM needs access to the Site1 network.

2. Site2 (Azure VM) needs access to VMs on Site3 and the reverse.

Proposed Config (This is where I would like advice or correction)

HubASA, Site1 and Site2 are all configured with a default route.  No other routing is configured.

For Req#1-

On the HubASA, do I configure a new crypto map that selects traffic from Site1 to Site2 and protect the traffic and set the peer to Site2 public IP or do I just add this traffic selection to the existing crypto map for the existing tunnel between HubASA and Site2? 

HubASA to be configured with IdentityNAT with nat (outside,outside) source Site1 destination Site2 no-proxy-arp route-lookup (reverse for Site2 to Site1 traffic)

Site1 ASA to be configure with a crypto map that selects traffic destined to Site 2, to protect it and permit it through the tunnel with the HubASA.

For Req#2 -

HubASA to be configured similar to above but for Site2 to Site3 traffic

Site3 has the access-lists defined below to allow traffic from the Azure VM (10.4.0.0/16, 172.16.0.0/16) network to the 3rd party VM network.

ip access-list extended linium-net

 permit ip 10.1.10.0 0.0.0.255 10.4.0.0 0.0.255.255

 permit ip 10.1.12.0 0.0.0.255 10.4.0.0 0.0.255.255

 permit ip 10.2.13.0 0.0.0.255 10.4.0.0 0.0.255.255

 permit ip 10.2.14.0 0.0.0.255 10.4.0.0 0.0.255.255

 permit ip 10.1.10.0 0.0.0.255 172.16.0.0 0.0.15.255

 permit ip 10.1.12.0 0.0.0.255 172.16.0.0 0.0.15.255

 permit ip 10.2.13.0 0.0.0.255 172.16.0.0 0.0.15.255

 permit ip 10.2.14.0 0.0.0.255 172.16.0.0 0.0.15.255

 

What could I be missing that is not allowing traffic from any site through the HubASA to another site?  

VIP Green

On the HubASA, do I configure

On the HubASA, do I configure a new crypto map that selects traffic from Site1 to Site2 and protect the traffic and set the peer to Site2 public IP or do I just add this traffic selection to the existing crypto map for the existing tunnel between HubASA and Site2? 

Just add this traffic to the existing crypto map.

remember that this needs to be added on the three routers ( the two hubs and the one spoke).

Site1

access-list CRYPTO permit ip <Site1 LAN IP> <Site1 subnet> <Site2 LAN IP> Site2 subnet>

access-list CRYPTO permit ip <Site1 LAN IP> <Site1 subnet> <Site3 LAN IP> Site3 subnet>

access-list CRYPTO permit ip <Site1 LAN IP> <Site1 subnet> <HUB LAN IP> HUB subnet>

Site2

access-list CRYPTO permit ip <Site2 LAN IP> <Site2 subnet> <Site1 LAN IP> Site1 subnet>

access-list CRYPTO permit ip <Site2 LAN IP> <Site2 subnet> <Site3 LAN IP> Site3 subnet>

access-list CRYPTO permit ip <Site2 LAN IP> <Site2 subnet> <HUB LAN IP> HUB subnet>

Site3

access-list CRYPTO permit ip <Site3 LAN IP> <Site3 subnet> <Site1 LAN IP> Site1 subnet>

access-list CRYPTO permit ip <Site3 LAN IP> <Site3 subnet> <Site2 LAN IP> Site2 subnet>

access-list CRYPTO permit ip <Site3 LAN IP> <Site3 subnet> <HUB LAN IP> HUB subnet>

HUB

access-list CRYPTO_1 permit ip <HUB LAN IP> <HUB subnet> <Site1 LAN IP> Site1 subnet>

access-list CRYPTO_1 permit ip <Site2 LAN IP> <Site2 subnet> <Site1 LAN IP> Site1 subnet>

access-list CRYPTO_1 permit ip <Site3 LAN IP> <Site3 subnet> <Site1 LAN IP> Site1 subnet>

access-list CRYPTO_2 permit ip <HUB LAN IP> <HUB subnet> <Site2 LAN IP> Site2 subnet>

access-list CRYPTO_2 permit ip <Site1 LAN IP> <Site1 subnet> <Site2 LAN IP> Site2 subnet>

access-list CRYPTO_2 permit ip <Site3 LAN IP> <Site3 subnet> <Site2 LAN IP> Site2 subnet>

access-list CRYPTO_3 permit ip <HUB LAN IP> <HUB subnet> <Site3 LAN IP> Site3 subnet>

access-list CRYPTO_3 permit ip <Site1 LAN IP> <Site1 subnet> <Site3 LAN IP> Site3 subnet>

access-list CRYPTO_3 permit ip <Site2 LAN IP> <Site2 subnet> <Site3 LAN IP> Site3 subnet>

Each of these ACLs is assigned to their respective crypto maps.  CRYPTO_1 is assigned to site1's crypto map, CRYPTO_2 is assigned to site2's crypto map...etc.

I hope this is clear

In addition to this you will need to configure identity NAT / NAT exempt at both the HUB and the spoke sites.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

Ok, a quick update.  I am

Ok, a quick update.  I am implementing the above suggestions in our production environment and I've configured the Hub site and Site 1 as below.  When I run the packet tracer in ASDM, the ACL and NAT rules fail and I am not able to RDP to the VM in Site 2 from Site 1.  What could I be missing?

 

Hub (v8.4)

access-list vpn_to_linium_nyc extended permit ip 10.10.8.0 255.255.252.0 192.168.10.0 255.255.255.0 
access-list vpn_to_linium_nyc extended permit ip object-group azure-networks object obj-192.168.10.0 
access-list vpn_to_linium_nyc extended permit ip object-group RP_AzureNetwork object obj-192.168.10.0 
access-list AZURE_ACCESS extended permit ip object-group LOCAL_NETWORK object-group RP_AzureNetwork 
access-list AZURE_ACCESS extended permit ip object obj-192.168.10.0 object-group RP_AzureNetwork 
access-list azure-vpn-acl extended permit ip 10.0.0.0 255.0.0.0 object-group azure-networks 
access-list azure-vpn-acl extended permit ip object obj-192.168.10.0 object-group azure-networks 

nat (outside,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static azure-networks azure-networks no-proxy-arp route-lookup
nat (outside,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static RP_AzureNetwork RP_AzureNetwork no-proxy-arp route-lookup


Site1 (v8.2)

access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 Access_to_Azure 255.255.0.0 
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 10.10.8.0 255.255.252.0 
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 10.10.8.0 255.255.252.0 
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 Access_to_Azure 255.255.0.0 

 

 

VIP Green

Do you have the command same

Do you have the command same-security-traffic permit intra-interface configured on the Hub ASA?

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

I do.  I also have it

I do.  I also have it configured on the Site1 ASA as well.  

New Member

Essentially you need Spoke to

Essentially you need Spoke to Spoke VPN coverage

Cisco Firewall VPN "Hair Pinning"

Pete

New Member

Thanks Pete! In your kb, this

Thanks Pete! In your kb, this is referencing Remote VPN connections, does this apply to Site 2 Site as well?  I've gone through and verified all of the items are as per your KB. I'm going to work through the old NAT entries to see if there's anything there that might be stopping the flow.  That's the only thing I can think of.  I've successfully configured the "Spoke to Spoke" in a lab environment using two ASA's and a Cisco router, but replicating the configuration to production has been a challenge.

VIP Green

Is the tunnel between site1

Is the tunnel between site1 and HUB comming up and the issue is just with traffic between site1 and site2?

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

Yes, that is correct.  I can

Yes, that is correct.  I can ping and RDP to any host on the Central/Hub ASA LAN from either Site 1 or Site 2.  From looking at all the sites for a Spoke to Spoke setup, I can't see what I might be missing other than a previous NAT config on the Central/Hub ASA that may be preventing it.  We have a ton of Static NAT mappings for hosts inside of our network for reasons unknown to me.  Can anyone confirm that my above config settings are correct at least?

VIP Green

would you be able to post the

would you be able to post the running config (sanitised) of the Hub ASA?

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
VIP Green

To sum up your steps, I need

To sum up your steps, I need to create policy on each site that says any traffic from this site destined to another site needs to go through the VPN tunnel to the Hub ASA and do not Nat correct?

Correct, depending on the version of ASA you are running you would need to configure no nat / nat exempt or identity NAT so that the VPN traffic is not NATed.  And as you mention you would need to configure the devices to send traffic for the other sites through the VPN tunnel.

And on the Hub ASA, i need to create two policies for each site that needs to go through it to the other and no NAT?

Not exactly.  You would create one "policy" for each site but permit traffic between the remote sites in the policy...and also configure no NAT / NAT exempt or identity NAT.

To achieve twice NAT/NAT exempt on ASA 8.4, is that creating nat (outside, outside) deny source destination?  Or do I permit that and set translation as source original destination original?

You would set the translation as source original destination original.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
1187
Views
0
Helpful
14
Replies
CreatePlease to create content