Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2160
Views
0
Helpful
4
Replies

Routing between 2 IPSEC tunnels within same ASA5525

Go to solution
ahmed.fneakher
Level 1
Level 1

‎01-07-2018 05:40 AM - edited ‎03-12-2019 04:53 AM

Hi

Can you please advice how to route 2 different ACL's belongs to different IPSEC tunnels within same ASA so that ACL of firewall A can reach ACL of firewall C using existing tunnel between B and C

(firewall B can route the traffic between A and C) without using DMVPN

Labels:
Preview file
54 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Bogdan Nita
VIP Alumni
VIP Alumni
In response to ahmed.fneakher

‎01-08-2018 02:49 AM

You do not need to have the same security parameters on the 2 tunnels.

As long as the tunnels between A - B and B - C are working you should be fine.

View solution in original post

0 Helpful

Go to solution
ahmed.fneakher
Level 1
Level 1
In response to Bogdan Nita

‎01-15-2018 12:32 AM

Hi Bogdan

Thanks for Support bro.

Tunnel worked,

- No need to match the ACL's for the 3 FW's

- routing from FW B , outside to outside 

- There was issue in ACL of FW A, We just remove and apply it again and everything worked just fine 

- Note that tunnel between A&B was IKEv1 and B&C IKEv2

 

Thanks :)

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Bogdan Nita
VIP Alumni
VIP Alumni

‎01-07-2018 06:47 AM - edited ‎01-08-2018 03:53 AM

Hi Ahmed,

For ASA A and C you will need to add the respective destinations to the crypto acls.

ASA B will need to do hair pinning for the VPN traffic, so it will need to have the both destinations 2.2.2.2 and 3.3.3.3 in the crypto acl. Also on the B ASA you will need to have the same-security-traffic permit intra-interface. Depending on your config you may have to adjust routes and NAT.

Here is a config guide I was able to find:

http://www.packetu.com/2013/04/02/cisco-asa-8-4-vpn-dealing-with-internet-hairpin-traffic/

 

HTH

Bogdan

0 Helpful

Go to solution
ahmed.fneakher
Level 1
Level 1
In response to Bogdan Nita

‎01-08-2018 01:02 AM

Thanks Bogdan Nita

What i am understanding (correct me if wrong) that ACL's on 3 ASA should be matched by adding the 2.2.2.2

Also to unify the security parameters (SHA and AES) between the 3 tunnels

in this case, i have to change the tunnel between A and B from IKEv1 to match the tunnel between B and C since the last one is IKEv2

0 Helpful

Go to solution
Bogdan Nita
VIP Alumni
VIP Alumni
In response to ahmed.fneakher

‎01-08-2018 02:49 AM

You do not need to have the same security parameters on the 2 tunnels.

As long as the tunnels between A - B and B - C are working you should be fine.

0 Helpful

Go to solution
ahmed.fneakher
Level 1
Level 1
In response to Bogdan Nita

‎01-15-2018 12:32 AM

Hi Bogdan

Thanks for Support bro.

Tunnel worked,

- No need to match the ACL's for the 3 FW's

- routing from FW B , outside to outside 

- There was issue in ACL of FW A, We just remove and apply it again and everything worked just fine 

- Note that tunnel between A&B was IKEv1 and B&C IKEv2

 

Thanks :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents