
VPN Multisites with cisco ASA

nmaamori84
Level 1

Hi Everybody,

I have the Headquarters (HQ) and the Branch Offices (BO1, BO2, ...) and I want to establish a VPN site-to-site tunnel between the HQ and the BOs. This task was accomplished successfully, but I also want to permit communication between the different BOs.

Can the different BOs communicate with each other through the HQ? If not, what is the solution for this scenario?

NB: I want to avoid creating a full mesh VPN between the different BOs, because I would end up with a long and complicated configuration.

Thank you for your understanding.

Best regards,

Nour-Eddine

3 Replies

Jouni Forss
VIP Alumni

Hi,

I think you simply need to configure the L2L VPN "interesting traffic" ACL in your VPN configurations to include the networks you want to communicate with each other.

Also, you will need to create a NAT0 / NAT Exempt configuration on your HQ ASA's outside interface that will let all the traffic between remote sites pass un-NATed through the central ASA.

You will also need to check that you have the "same-security-traffic permit intra-interface" command configured on the HQ ASA. This will allow the ASA to send traffic out on the same interface on which it received the traffic. In this scenario it would basically mean traffic arriving on and leaving from the outside interface.

If you need specific CLI configuration examples let me know.

Please also state your ASA firewalls' software versions (since the NAT configuration format depends on the software version).

- Jouni

Hi,

Thank you for your feedback.

I have already tested the "interesting traffic" in the crypto map and the NAT Exempt, but I didn't test the "same-security-traffic permit intra-interface" configuration. Could this be the reason?

Regards,

Nour-Eddine

Hi,

There are two of the "same-security-traffic" commands.

They are:

same-security-traffic permit inter-interface

  • The above command enables communication between two ASA interfaces of the same security level.

same-security-traffic permit intra-interface

  • The above command enables communication between two hosts on the same interface. Basically, this lets the traffic/connection arrive on one interface and get routed back to the destination from it.
  • This applies to your situation with the multiple VPN sites as they are only using the outside interface of the ASA. Connections are arriving on the interface and also leaving from it.

Please rate if you found the information helpful.

- Jouni
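The three pieces Jouni lists in his replies (interesting-traffic ACLs on every site, the NAT exemption on the HQ outside interface, and the intra-interface permit) tend to fail on a mismatched crypto ACL when the spoke count grows. The script below is an added example, not code from the thread or from Cisco: it generates those lines for a constructed HQ + 3 BO topology and checks that each spoke's crypto ACL is the exact mirror of the HQ ACL for that tunnel. The site names, subnets, ACL names, and the `<site>-LAN` object names are assumptions, and the NAT lines use ASA 8.3+ twice-NAT syntax.

```python
# Added example, not from the thread: generate the hub-and-spoke crypto ACLs
# and HQ NAT exemption the replies describe, and check the ACL pairs mirror.
from itertools import combinations

# Constructed sample topology: HQ hub plus three branch offices (subnet, mask).
SITES = {
    "HQ":  ("10.0.0.0", "255.255.255.0"),
    "BO1": ("192.168.1.0", "255.255.255.0"),
    "BO2": ("192.168.2.0", "255.255.255.0"),
    "BO3": ("192.168.3.0", "255.255.255.0"),
}
HUB = "HQ"

def crypto_pairs(site, sites=SITES, hub=HUB):
    """(src, dst) site pairs each crypto ACL at `site` must match, keyed by peer.
    A spoke has one tunnel (to HQ) carrying traffic to every other site;
    HQ keeps one ACL per spoke listing HQ and every other spoke as source."""
    if site == hub:
        return {sp: [(s, sp) for s in sites if s != sp] for sp in sites if sp != hub}
    return {hub: [(site, other) for other in sites if other != site]}

def acl_lines(site, sites=SITES, hub=HUB):
    """Render ASA extended ACL lines for every tunnel at `site` (assumed names)."""
    out = []
    for peer, pairs in crypto_pairs(site, sites, hub).items():
        for src, dst in pairs:
            out.append(f"access-list {site}-TO-{peer} extended permit ip "
                       f"{sites[src][0]} {sites[src][1]} {sites[dst][0]} {sites[dst][1]}")
    return out

def nat_exempt_lines(sites=SITES, hub=HUB):
    """ASA 8.3+ twice-NAT identity rules on HQ: spoke-to-spoke traffic that
    hairpins on the outside interface must leave the ASA untranslated.
    Assumes network objects named <site>-LAN exist for each subnet."""
    spokes = [s for s in sites if s != hub]
    return [f"nat (outside,outside) source static {a}-LAN {a}-LAN "
            f"destination static {b}-LAN {b}-LAN" for a, b in combinations(spokes, 2)]

def mirror_mismatches(hub_acls, spoke_acls):
    """Spokes whose crypto ACL is not the exact mirror of HQ's ACL for that
    tunnel; such a mismatch shows up as a Phase 2 proxy-ID failure."""
    return [sp for sp, pairs in hub_acls.items()
            if {(d, s) for s, d in pairs} != set(spoke_acls[sp])]

if __name__ == "__main__":
    for site in SITES:
        print("\n".join(acl_lines(site)))
    print("same-security-traffic permit intra-interface")
    print("\n".join(nat_exempt_lines()))
```

Feed `mirror_mismatches` the ACLs actually deployed on each box (rather than the generated ones) to find the spoke whose tunnel never passes spoke-to-spoke traffic.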