LAN to LAN VPN routing on an ASA5500

bsisco
Level 1

Need a little direction here.

Our office currently connects to two remote offices via IPSEC LAN-to-LAN tunnels.

Tunnel 1 (Office 1 to Datacenter): 10.2.0.0/16 (remote office 1) <-> 10.1.128.0/19 (datacenter)

Tunnel 2 (Office 2 to Datacenter): 10.1.60.0/24 (remote office 2) <-> 10.1.128.0/19 (datacenter)

We've recently added a tunnel to a third office and wish to allow traffic from Tunnel 1's office and Tunnel 2's office as well as traffic from the datacenter to have access to Tunnel 3's office.  An ASA 5510 is terminating all three of these tunnels in the datacenter.   Is it possible to accomplish this using only the ASA by adding the following traffic selections to tunnels 1 and 2 (to the datacenter) and adding Tunnel 3?

Tunnel 1 (Office 1 to Datacenter): 10.2.0.0/16 (remote office 1) <-> 10.15.0.0/16 (remote office 3)

Tunnel 2 (Office 2 to Datacenter): 10.1.60.0/24 (remote office 2) <-> 10.15.0.0/16 (remote office 3)

Tunnel 3 (Office 3 to Datacenter): 10.15.0.0/16 (remote office 3) <-> 10.1.128.0/19 (datacenter), 10.15.0.0/16 (remote office 3) <-> 10.2.0.0/16 (remote office 2), 10.15.0.0/16 (remote office 3) <-> 10.1.60.0/24 (remote office 1)

In essence allowing both office 1 and 2 to reach office 3 bi-directionally through the datacenter's ASA.  It's not currently possible to terminate tunnels between offices 1 and 2 and office 3 directly.

Other useful information:

  • Office 2 uses a Watchguard and adding the additional traffic selection to the existing tunnel definition results in the original tunnel re-establishing but I never see the tunnel allowing traffic to office 3 complete phase 2 (QM FSM Error).
  • I have no control (directly) over the configuration of the device in office 3 (YET).

Thanks!

2 Replies

manish arora
Level 6

Hi Bsisco,

Can you please post the VPN interesting traffic from the datacenter firewall and Office 2, and get the interesting traffic definitions from Office 3 also?

Also, you will need the following command on the datacenter firewall to allow hairpinning traffic:

same-security-traffic permit intra-interface

Good link to read to understand the concepts:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml#diag

Manish

Julio Carvajal
VIP Alumni

Hello Bsisco,

So you are going to build 3 different tunnels on remote site number 3, and then you would like those 3 other branches to be able to talk to each other via remote site number 3, right?

Yes, that is possible. You will need to:

1. Add into the VPN crypto traffic on remote site number 3 the communication between all the other sites with each other, and the reverse traffic.

Example:

Site-to-site: Remote office 1 <-> Remote office 3

On remote office 1:

access-list vpn permit ip remote_office1 remote_office3

access-list vpn permit ip remote_office1 remote_office2

access-list vpn permit ip remote_office1 datacenter

On remote office 3 (VPN HQ), tunnel group with remote office 1, crypto ACLs:

access-list vpn1 permit ip remote_office3 remote_office1

access-list vpn1 permit ip remote_office2 remote_office1

access-list vpn1 permit ip datacenter remote_office1

2. same-security-traffic permit inter-interface

Hope this helps.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
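Putting the two replies together, the following is an added configuration example for the datacenter ASA 5510 acting as the hub for all three tunnels; it is not configuration from the thread or from either responder. It uses the subnets given in the question; the object, ACL and crypto map names and the peer addresses (192.0.2.x, documentation addresses) are placeholders, and it assumes ASA 8.3 or later syntax with IKEv1 phase 1 policy, transform sets, tunnel groups and pre-shared keys already in place. Because all three tunnels terminate on the same outside interface, the hairpin permit needed is the intra-interface form from Manish's reply; the crypto ACL mirroring is the point of Julio's reply.

```cisco
! Added example for the datacenter ASA as VPN hub (not from the thread).
! Subnets are the thread's; names and peer addresses are placeholders.

object network DATACENTER
 subnet 10.1.128.0 255.255.224.0
object network OFFICE1
 subnet 10.2.0.0 255.255.0.0
object network OFFICE2
 subnet 10.1.60.0 255.255.255.0
object network OFFICE3
 subnet 10.15.0.0 255.255.0.0

! Hairpinning: spoke-to-spoke traffic enters and leaves the same outside
! interface, which the ASA drops unless this is enabled.
same-security-traffic permit intra-interface

! Crypto ACLs (interesting traffic). Every entry here must have an exact
! mirror (source and destination swapped) on the spoke, otherwise Phase 2
! does not complete; a QM FSM error on the peer is the usual symptom of
! such a proxy-ID mismatch.
access-list VPN-OFFICE1 extended permit ip object DATACENTER object OFFICE1
access-list VPN-OFFICE1 extended permit ip object OFFICE3 object OFFICE1

access-list VPN-OFFICE2 extended permit ip object DATACENTER object OFFICE2
access-list VPN-OFFICE2 extended permit ip object OFFICE3 object OFFICE2

access-list VPN-OFFICE3 extended permit ip object DATACENTER object OFFICE3
access-list VPN-OFFICE3 extended permit ip object OFFICE1 object OFFICE3
access-list VPN-OFFICE3 extended permit ip object OFFICE2 object OFFICE3

! NAT exemption (8.3+ twice NAT). Spoke-to-spoke flows never touch the
! inside interface, so their identity NAT is between outside and outside.
nat (inside,outside) source static DATACENTER DATACENTER destination static OFFICE1 OFFICE1 no-proxy-arp
nat (inside,outside) source static DATACENTER DATACENTER destination static OFFICE2 OFFICE2 no-proxy-arp
nat (inside,outside) source static DATACENTER DATACENTER destination static OFFICE3 OFFICE3 no-proxy-arp
nat (outside,outside) source static OFFICE1 OFFICE1 destination static OFFICE3 OFFICE3 no-proxy-arp
nat (outside,outside) source static OFFICE2 OFFICE2 destination static OFFICE3 OFFICE3 no-proxy-arp

! Bind each crypto ACL to its peer (placeholder peer addresses).
crypto map OUTSIDE_MAP 10 match address VPN-OFFICE1
crypto map OUTSIDE_MAP 10 set peer 192.0.2.1
crypto map OUTSIDE_MAP 20 match address VPN-OFFICE2
crypto map OUTSIDE_MAP 20 set peer 192.0.2.2
crypto map OUTSIDE_MAP 30 match address VPN-OFFICE3
crypto map OUTSIDE_MAP 30 set peer 192.0.2.3
```

On each spoke the crypto ACL is the mirror of its hub ACL (for office 2: 10.1.60.0/24 to 10.1.128.0/19 and 10.1.60.0/24 to 10.15.0.0/16). Once the hub side carries the matching office 2 to office 3 entry, the spoke's Phase 2 proposal for that pair has something to match against; `show crypto ipsec sa` on the ASA then lists a separate SA per selector pair, which is the quickest check that each leg negotiated.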