01-07-2018 05:40 AM - edited 03-12-2019 04:53 AM
Hi
Can you please advise how to route two different ACLs belonging to different IPsec tunnels within the same ASA, so that the ACL of firewall A can reach the ACL of firewall C using the existing tunnel between B and C
(firewall B can route the traffic between A and C), without using DMVPN?
01-07-2018 06:47 AM - edited 01-08-2018 03:53 AM
Hi Ahmed,
For ASA A and C you will need to add the respective destinations to the crypto ACLs.
ASA B will need to do hairpinning for the VPN traffic, so it will need to have both destinations 2.2.2.2 and 3.3.3.3 in the crypto ACL. Also on the B ASA you will need to have the same-security-traffic permit intra-interface. Depending on your config you may have to adjust routes and NAT.
Here is a config guide I was able to find:
http://www.packetu.com/2013/04/02/cisco-asa-8-4-vpn-dealing-with-internet-hairpin-traffic/
HTH
Bogdan
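As an added illustration of the hub-side pieces described above (not configuration from this thread or from the linked guide), here is a hairpin setup on ASA B. Addressing is constructed: site A LAN 10.1.0.0/24 behind ASA A (IKEv1 peer 198.51.100.1), site C LAN 10.3.0.0/24 behind ASA C (IKEv2 peer 203.0.113.1), ASA B outside next hop 192.0.2.254; the transform set ESP-AES-SHA, the IKEv2 proposal AES-SHA and the tunnel-groups are assumed to exist already.

```cisco
! ASA B (hub) -- added example, constructed addressing, not the thread's own config
object network SITE-A-LAN
 subnet 10.1.0.0 255.255.255.0
object network SITE-C-LAN
 subnet 10.3.0.0 255.255.255.0
!
! Let traffic enter and leave the same interface (outside -> outside): the hairpin
same-security-traffic permit intra-interface
!
! Crypto ACLs (in addition to the existing entries for B's own LAN):
! toward A, site C must appear as a source; toward C, site A must appear as a source
access-list CRYPTO-TO-A extended permit ip object SITE-C-LAN object SITE-A-LAN
access-list CRYPTO-TO-C extended permit ip object SITE-A-LAN object SITE-C-LAN
!
! Identity NAT so the hairpinned spoke-to-spoke traffic is not translated on B
nat (outside,outside) source static SITE-A-LAN SITE-A-LAN destination static SITE-C-LAN SITE-C-LAN no-proxy-arp route-lookup
!
! Both remote LANs are reached via the outside interface
route outside 10.1.0.0 255.255.255.0 192.0.2.254
route outside 10.3.0.0 255.255.255.0 192.0.2.254
!
! Tunnel toward A stays IKEv1, tunnel toward C stays IKEv2; the IKE versions
! and proposals of the two tunnels do not need to match each other
crypto map OUTSIDE-MAP 10 match address CRYPTO-TO-A
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address CRYPTO-TO-C
crypto map OUTSIDE-MAP 20 set peer 203.0.113.1
crypto map OUTSIDE-MAP 20 set ikev2 ipsec-proposal AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! Spokes: each crypto ACL toward B must also cover the other spoke's LAN
! ASA A:
access-list CRYPTO-TO-B extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
! ASA C (mirror image):
access-list CRYPTO-TO-B extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
```

After applying it, `show crypto ipsec sa` on B should show two SAs whose local/remote identities are the spoke LANs, and a packet-tracer from outside to outside is the quickest way to confirm the NAT exemption and route are picked up.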
01-08-2018 01:02 AM
Thanks Bogdan Nita
What I understand (correct me if I am wrong) is that the ACLs on the 3 ASAs should be matched by adding 2.2.2.2.
Also, the security parameters (SHA and AES) should be unified between the 3 tunnels;
in this case, I have to change the tunnel between A and B from IKEv1 to match the tunnel between B and C, since the latter is IKEv2.
01-08-2018 02:49 AM
You do not need to have the same security parameters on the 2 tunnels.
As long as the tunnels between A - B and B - C are working you should be fine.
01-15-2018 12:32 AM
Hi Bogdan
Thanks for the support bro.
Tunnel worked:
- No need to match the ACLs for the 3 FWs
- Routing from FW B, outside to outside
- There was an issue in the ACL of FW A; we just removed and applied it again and everything worked just fine
- Note that the tunnel between A & B was IKEv1 and B & C IKEv2
Thanks :)