Cisco Support Community
Community Member

Route between multiple VPNs using ASA5510 as center.

I have an ASA5510 that has multiple VPN connections, both static and dynamic. I need to allow traffic from one to cross over to another via the ASA. Here are the networks. The ASA5510's local network is the 10.10.1.0/24, and that has 3 tunnels:

VPN 1# 192.168.1.0/24 to 10.10.1.0/24 - Static

VPN 2# 192.168.2.0/24 to 10.10.1.0/24 - Static

VPN 3# 192.168.3.0/24 to 10.10.1.0/24 - Static

VPN 4# 192.168.4.0/24 to 10.10.1.0/24 - Dynamic

Obviously 192.168.1.0 can reach 10.10.1.0, but I want to go from VPN 2's 192.168.2.0/24 to the 192.168.1.0/24 network via the ASA as well. In other words people at one office can reach the central, but I want them to also reach another branch via this ASA5510.

My first thought was to create a new ACL for example:

access-list Route_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

and then have this in the no nat ACL:

access-list REMOTE_SITE extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

That did not work. I did not get an error, however no traffic passed. I tried a few other ACL combos, but nothing worked. I did add a persistent route to my laptop which was L2TP remote access in on the 192.168.4.0/24. I added "route -p 192.168.1.0/24 mask 255.255.255.0 192.168.4.5 metric 2" hoping that this would go to the ASA via my dial run VPN, and the ASA would route it to the 192.168.1.0/24 network. At this point I just have to admit I am lost on this. Any help would be appreciated.

My config:

access-list ACL_IN extended permit icmp any host 21x.xx.xx.xxx
access-list 101 extended permit ip interface Inside any
access-list REMOTE_SITE extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list REMOTE_SITE extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list REMOTE_SITE extended permit ip 10.10.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list REMOTE_SITE extended permit ip 10.10.1.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list Office_1 extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Office_2 extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Office_3 extended permit ip 10.10.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Remote_Access extended permit ip 10.10.1.0 255.255.255.0 192.168.4.0 255.255.255.0

nat (Inside) 0 access-list REMOTE_SITE
nat (Inside) 1 10.10.1.0 255.255.255.0
access-group ACL_IN in interface Outside

route Outside 0.0.0.0 0.0.0.0 21x.xx.xx.xxx 1
route Outside 192.168.1.0 255.255.255.0 21x.xx.xx.xxx 1
route Outside 192.168.2.0 255.255.255.0 21x.xx.xx.xxx 1
route Outside 192.168.3.0 255.255.255.0 21x.xx.xx.xxx 1

crypto map OUTSIDE_MAP 1 match address Office_1
crypto map OUTSIDE_MAP 1 set pfs group1
crypto map OUTSIDE_MAP 1 set peer 65.xxx.xxx.xxx
crypto map OUTSIDE_MAP 1 set transform-set ESP-AES-128-SHA

crypto map OUTSIDE_MAP 2 match address Office_2
crypto map OUTSIDE_MAP 2 set peer 66.xxx.xxx.xxx
crypto map OUTSIDE_MAP 2 set transform-set ESP-3DES-MD5

crypto map OUTSIDE_MAP 3 match address Office_3
crypto map OUTSIDE_MAP 3 set pfs
crypto map OUTSIDE_MAP 3 set peer 73.xxx.xxx.xx
crypto map OUTSIDE_MAP 3 set transform-set ESP-3DES-MD5

crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_MAP interface Outside

crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400

tunnel-group 65.xxx.xxx.xxx type ipsec-l2l
tunnel-group 65.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
tunnel-group 66.xxx.xxx.xxx type ipsec-l2l
tunnel-group 66.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
tunnel-group 73.xxx.xxx.xx type ipsec-l2l
tunnel-group 73.xxx.xxx.xx ipsec-attributes
pre-shared-key *****

4 REPLIES

Re: Route between multiple VPNs using ASA5510 as center.

Hi Sean,

Do you have the command "same-security-traffic permit intra-interface"?

This allows the ASA to u-turn the VPN traffic.

Then, just include the VPN#2 remote LAN in the VPN#1 interesting traffic and vice versa.

Let us know.

Federico.

Community Member

Re: Route between multiple VPNs using ASA5510 as center.

Hi Federico, thank you for replying. I did in fact have "same-security-traffic permit intra-interface" applied; it is the ACLs that have been making this difficult for me. Here is an example of what I believe I need to do:


I want to go from Site A network to Site C via Site B. My Site A ASA has this rule for the no nat policy:

access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0


And this for the crypto:

access-list Data_Site extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0


Site B has the ACLs for both Site A and C:

access-list NO_NAT extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO_NAT extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0


access-list Office_1 extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Office_2 extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0


Now if I am understanding this correctly, what I need to do is this:


For Site A, I add these ACLs:

access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


access-list Data_Site extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list Data_Site extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


For Site B I add these:

access-list NO_NAT extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO_NAT extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


access-list Office_1 extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Office_2 extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list Office_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


Now, on Site B's ASA, do I also need to apply these ACLs as well?


access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list Office_2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0


So my full ACLs for the ASAs would be this:

Site A:

access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


access-list Data_Site extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list Data_Site extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


Site B:

access-list NO_NAT extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO_NAT extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


access-list Office_1 extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list Office_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list Office_2 extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list Office_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


Re: Route between multiple VPNs using ASA5510 as center.

You are correct for the most part... let me put it like this:

Central Site: 10.10.1.0/24

Site A: 192.168.1.0/24

Site B: 192.168.2.0/24

Site A:

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list crypto permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Site B:

access-list nonat permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list crypto permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

The central site should be configured accordingly.

Federico.

Community Member

Re: Route between multiple VPNs using ASA5510 as center.

Federico, thanks for replying. This was a lot of help.

I realized my problem was quite simple. I simply was not applying any rules to the third site's ASA. In going from A to C via B, I was doing ACLs on A and B's ASA only, but did not touch the final endpoint to actually allow those "unknown" networks. Doh!
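The gap this thread ends on (the third site never received its mirrored crypto ACL entry) can be caught before a tunnel is debugged by checking every spoke's crypto ACL against the hub's per-tunnel ACL and against the other spokes'. The Python below is an added example, not code from the thread or from Cisco; it assumes the plain "permit ip NET MASK NET MASK" ACL form shown above and runs over constructed sample configs laid out like the thread's sites.

```python
import re
from ipaddress import ip_network
# Matches the "access-list NAME [extended] permit ip SRC MASK DST MASK" lines used in the thread.
ACL_RE = re.compile(r"^\s*access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
                    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$")

def parse_acl(config, name):
    """Return the set of (src, dst) CIDR pairs of one named ACL; other lines are ignored."""
    pairs = set()
    for m in filter(None, map(ACL_RE.match, config.splitlines())):
        if m["name"] == name:
            pairs.add((str(ip_network(f"{m['src']}/{m['smask']}")),
                       str(ip_network(f"{m['dst']}/{m['dmask']}"))))
    return pairs

def check_mirrors(hub_lan, hub_acls, spokes):
    """hub_acls: spoke name -> hub crypto ACL for that tunnel; spokes: name -> (LAN, crypto ACL).
    A spoke entry (L, D) needs (D, L) at the hub for that spoke; when D is another spoke's LAN
    it also needs (D, L) at that spoke plus (L, D) in the hub's ACL for that spoke."""
    lan_to_spoke = {lan: n for n, (lan, _) in spokes.items()}
    problems = set()
    for name, (lan, acl) in spokes.items():
        for src, dst in acl:
            if (dst, src) not in hub_acls.get(name, set()):
                problems.add(f"hub: missing {dst}->{src} in crypto ACL for {name}")
            if dst == hub_lan:
                continue  # hub-bound traffic involves no third site
            other = lan_to_spoke.get(dst)
            if other is None:
                problems.add(f"{name}: {dst} is neither the hub LAN nor a known spoke LAN")
                continue
            if (dst, src) not in spokes[other][1]:
                problems.add(f"{other}: missing {dst}->{src} in its crypto ACL")
            if (src, dst) not in hub_acls.get(other, set()):
                problems.add(f"hub: missing {src}->{dst} in crypto ACL for {other}")
    return sorted(problems)

# Constructed sample configs in the thread's layout; site B never received its spoke-to-spoke entry.
SITE_A = """access-list crypto extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list crypto extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0"""
SITE_B = "access-list crypto extended permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0"
HUB = """access-list Office_1 extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Office_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Office_2 extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Office_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0"""

def audit_thread_example():
    hub_acls = {"A": parse_acl(HUB, "Office_1"), "B": parse_acl(HUB, "Office_2")}
    spokes = {"A": ("192.168.1.0/24", parse_acl(SITE_A, "crypto")),
              "B": ("192.168.2.0/24", parse_acl(SITE_B, "crypto"))}
    return check_mirrors("10.10.1.0/24", hub_acls, spokes)
```

The same check applies to the nat 0 (no-NAT) ACLs: feed them in place of the crypto ACLs and every site that is missing an identity-NAT entry for a spoke-to-spoke pair is reported the same way.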
