
LAN to LAN VPN routing on an ASA5500

Need a little direction here.

Our office currently connects to two remote offices via IPSEC LAN-to-LAN tunnels.

Tunnel 1 (Office 1 to Datacenter): 10.2.0.0/16 (remote office 1) <-> 10.1.128.0/19 (datacenter)

Tunnel 2 (Office 2 to Datacenter): 10.1.60.0/24 (remote office 2) <-> 10.1.128.0/19 (datacenter)

We've recently added a tunnel to a third office and wish to allow traffic from Tunnel 1's office and Tunnel 2's office as well as traffic from the datacenter to have access to Tunnel 3's office.  An ASA 5510 is terminating all three of these tunnels in the datacenter.   Is it possible to accomplish this using only the ASA by adding the following traffic selections to tunnels 1 and 2 (to the datacenter) and adding Tunnel 3?

Tunnel 1 (Office 1 to Datacenter): 10.2.0.0/16 (remote office 1) <-> 10.15.0.0/16 (remote office 3)

Tunnel 2 (Office 2 to Datacenter): 10.1.60.0/24 (remote office 2) <-> 10.15.0.0/16 (remote office 3)

Tunnel 3 (Office 3 to Datacenter): 10.15.0.0/16 (remote office 3) <-> 10.1.128.0/19 (datacenter), 10.15.0.0/16 (remote office 3) <-> 10.2.0.0/16 (remote office 2), 10.15.0.0/16 (remote office 3) <-> 10.1.60.0/24 (remote office 1)

In essence allowing both office 1 and 2 to reach office 3 bi-directionally through the datacenter's ASA.  It's not currently possible to terminate tunnels between offices 1 and 2 and office 3 directly.

Other useful information:

  • Office 2 uses a Watchguard, and adding the additional traffic selection to the existing tunnel definition results in the original tunnel re-establishing, but I never see the tunnel allowing traffic to office 3 complete phase 2 (QM FSM error).
  • I have no control (directly) over the configuration of the device in office 3 (YET).

Thanks!


LAN to LAN VPN routing on an ASA5500

Hi Bsisco,

Can you please post the VPN interesting-traffic definitions from the datacenter firewall and Office 2, and get the interesting-traffic definitions from Office 3 as well?

Also, you will need the following command on the datacenter firewall to allow hairpinning traffic:

same-security-traffic permit intra-interface

A good link to read to understand the concepts:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml#diag

Manish

LAN to LAN VPN routing on an ASA5500

Hello Bsisco,

So you are going to build 3 different tunnels on remote site number 3, and then you would like those 3 other branches to be able to talk to each other via remote site number 3, right?

Yes, that is possible. You will need to:

1. Add to the VPN crypto traffic on remote site number 3 the communication between all the other sites with each other, and the reverse traffic.

Example:

Site-to-site: Remote office 1 <-> Remote office 3

On remote office 1:

access-list vpn extended permit ip remote_office1 remote_office3
access-list vpn extended permit ip remote_office1 remote_office2
access-list vpn extended permit ip remote_office1 datacenter

On remote office 3 (VPN HQ), crypto ACL for the tunnel group with remote office 1:

access-list vpn1 extended permit ip remote_office3 remote_office1
access-list vpn1 extended permit ip remote_office2 remote_office1
access-list vpn1 extended permit ip datacenter remote_office1

2. same-security-traffic permit inter-interface

Hope this helps.

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
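Both replies come down to the same two checks: every proxy ID on the hub must be mirrored exactly on the spoke (an unmirrored entry is the usual cause of the QM FSM error in the question), and every spoke-to-spoke flow must appear in both of the hub's crypto ACLs, plus the intra-interface permit. The script below runs those checks over the networks from the question; it is an added example, not code from this thread or from Cisco, and the hub/spoke ACL contents, the missing Office 2 entry, and the names NETS, HUB_ACLS, SPOKE_ACLS, mirror_mismatches, hairpin_gaps and audit are all constructed for illustration.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed data modelled on the thread: datacenter ASA = hub, offices = spokes.
NETS = {
    "datacenter": ip_network("10.1.128.0/19"),
    "office1": ip_network("10.2.0.0/16"),
    "office2": ip_network("10.1.60.0/24"),
    "office3": ip_network("10.15.0.0/16"),
}
DC, O1, O2, O3 = (NETS[k] for k in ("datacenter", "office1", "office2", "office3"))
# Crypto ACL entries are (local, remote) proxy identities, one list per peer.
HUB_ACLS = {  # as seen from the datacenter ASA
    "office1": [(DC, O1), (O3, O1)],
    "office2": [(DC, O2), (O3, O2)],
    "office3": [(DC, O3), (O1, O3), (O2, O3)],
}
SPOKE_ACLS = {  # office 2 (the Watchguard) constructed without its office 3 entry
    "office1": [(O1, DC), (O1, O3)],
    "office2": [(O2, DC)],
    "office3": [(O3, DC), (O3, O1), (O3, O2)],
}

def mirror_mismatches(hub_entries, spoke_entries):
    """Proxy IDs on one side of a tunnel that the other side does not mirror.
    IKEv1 quick mode needs the spoke's (local, remote) to equal the hub's
    (remote, local) exactly; each unmatched pair fails phase 2 (QM FSM error)."""
    mirrored = {(remote, local) for local, remote in spoke_entries}
    return sorted(set(hub_entries) ^ mirrored, key=str)

def hairpin_gaps(hub_acls, spokes):
    """Spoke-to-spoke flows missing from either peer's hub ACL: the packet is
    decrypted out of tunnel A and must be re-encrypted into tunnel B."""
    return [(a, b) for a, b in combinations(spokes, 2)
            if (NETS[b], NETS[a]) not in hub_acls[a]
            or (NETS[a], NETS[b]) not in hub_acls[b]]

def audit(hub_acls, spoke_acls, intra_interface_permitted):
    """Collect findings; the flag stands for 'same-security-traffic permit
    intra-interface', needed for traffic to exit the interface it arrived on."""
    findings = []
    if not intra_interface_permitted:
        findings.append("missing: same-security-traffic permit intra-interface")
    for peer in hub_acls:
        for local, remote in mirror_mismatches(hub_acls[peer], spoke_acls[peer]):
            findings.append(f"{peer}: proxy ID {local} <-> {remote} not mirrored")
    for a, b in hairpin_gaps(hub_acls, sorted(spoke_acls)):
        findings.append(f"hub ACLs do not carry {a} <-> {b} on both tunnels")
    return findings
```

Running `audit(HUB_ACLS, SPOKE_ACLS, intra_interface_permitted=False)` reports the missing permit, the unmirrored Office 3 entry on the Office 2 tunnel, and that office1 <-> office2 is not carried on the hub (which the question did not ask for, so that last finding is expected here).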