
VPN Question (match interesting traffic)

Dear guys

A VPN question; see the text diagram below.

inside-------ASA-1-----CHINATELECOM------ASA-2---------CHINAUNICOM----------ASA-3------inside

                            ipsec vpn tunnel                          ipsec vpn tunnel

We have configured interesting traffic on ASA-2 for each other on both sides.

We can ping the ASA-2 inside network from ASA-3 and ASA-1, but why can ASA-3 inside not access the ASA-1 inside network?

5 REPLIES

Re: VPN Question (match interesting traffic)

"Why can ASA-3 inside not access the ASA-1 inside network?"

Make sure that ASA3's and ASA1's inside network segments have been incorporated (i.e. included) as a source and destination pair in the crypto ACL and the no-NAT ACL between the tunnels, i.e. between ASA1 and ASA3, and create only a no-NAT on ASA2 for this given source and destination.

thanks

Rizwan Rafeek.

VPN Question (match interesting traffic)

Yes, I'm sure about what you said.

ASA1: I have added 2 ACLs for interesting traffic to ASA2 and ASA3 on ASA-1, which need to match, and denied the traffic on the no-NAT ACL.

ASA3: I have added 2 ACLs for interesting traffic to ASA1 and ASA2 on ASA-1, which need to match, and denied the traffic on the no-NAT ACL.

ASA2: I have created 2 VPN tunnels, with ASA1 and ASA3, denied the source networks from ASA1 and ASA3 on the no-NAT ACL, and appointed interesting traffic for each VPN tunnel.

Re: VPN Question (match interesting traffic)

Hi Yun,

You have to create a dedicated tunnel between ASA1 and ASA3, just like a regular site-to-site tunnel, and no-NAT the remote-peer IP addresses (i.e. ASA1's and ASA3's outside addresses) on ASA2.

------------------------------------------------------------------------

"ASA1: I have added 2 ACLs for interesting traffic to ASA2 and ASA3 on ASA-1, which need to match, and denied the traffic on the no-NAT ACL.

ASA3: I have added 2 ACLs for interesting traffic to ASA1 and ASA2 on ASA-1, which need to match, and denied the traffic on the no-NAT ACL.

ASA2: I have created 2 VPN tunnels, with ASA1 and ASA3, denied the source networks from ASA1 and ASA3 on the no-NAT ACL, and appointed interesting traffic for each VPN tunnel."

------------------------------------------------------------------------

You do not deny the traffic on the no-NAT but rather permit it.

thanks

Re: VPN Question (match interesting traffic)

Hi rizwanr74,

Thank you for your suggestion. Because ASA-1 and ASA-3 are on different ISPs on the outside port, the network latency is more than 200 ms, and VoIP cannot run over them.

Re: VPN Question (match interesting traffic)

Hi Yun,

Step 1: Create site-to-site VPN tunnels between ASA1 and ASA2 and between ASA2 and ASA3; however, you do NOT need a direct tunnel between ASA1 and ASA3.

Step 2: Now include ASA3's inside network segment in the crypto ACL for the tunnel between ASA1 and ASA2, and do NOT include ASA3's and ASA1's inside network segments in the no-NAT on the inside interface of ASA2.

Step 3: Now include ASA1's inside network segment in the crypto ACL for the tunnel between ASA2 and ASA3, and do NOT include ASA1's and ASA3's inside network segments in the no-NAT on the inside interface of ASA2.

Step 4: Create a no-NAT on ASA2 for the outside interface; this no-NAT must include ASA1's inside network segment and ASA3's inside network segment. See the example below.

This is only an example; change it to fit your network segments.

object-group network ASA1-inside
  network-object 192.168.100.0 255.255.255.0
object-group network ASA3-inside
  network-object 192.168.200.0 255.255.255.0
access-list nonat-outside extended permit ip object-group ASA1-inside object-group ASA3-inside
access-list nonat-outside extended permit ip object-group ASA3-inside object-group ASA1-inside
nat (outside) 0 access-list nonat-outside

Please let me know how this is coming along.

thanks

Rizwan Rafeek
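A fuller hub-and-spoke configuration that follows the four steps above, added here as an example and not taken from this thread or from the poster; it uses the pre-8.3 `nat 0 access-list` syntax to match the snippet above. The ASA2 inside subnet, the three peer addresses, and the crypto map and ACL names are assumed, and ISAKMP policy, tunnel-group and transform-set lines are left out. It also adds the one line the steps do not mention: because spoke-to-spoke traffic enters and leaves ASA2 on the same outside interface, the hub needs `same-security-traffic permit intra-interface` or the hairpin is dropped.

```cisco
! Object groups, defined identically on all three ASAs (ASA2-inside subnet is assumed)
object-group network ASA1-inside
  network-object 192.168.100.0 255.255.255.0
object-group network ASA2-inside
  network-object 192.168.50.0 255.255.255.0
object-group network ASA3-inside
  network-object 192.168.200.0 255.255.255.0
! ---- ASA1 (spoke): one tunnel to ASA2; its crypto ACL also carries ASA3's subnet (Step 2)
access-list vpn-to-asa2 extended permit ip object-group ASA1-inside object-group ASA2-inside
access-list vpn-to-asa2 extended permit ip object-group ASA1-inside object-group ASA3-inside
! NAT exemption mirrors the crypto ACL: permit entries, never deny
access-list nonat-inside extended permit ip object-group ASA1-inside object-group ASA2-inside
access-list nonat-inside extended permit ip object-group ASA1-inside object-group ASA3-inside
nat (inside) 0 access-list nonat-inside
crypto map outside_map 10 match address vpn-to-asa2
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map interface outside
! ---- ASA3 (spoke): mirror image of ASA1, also pointing at ASA2 and carrying ASA1's subnet (Step 3)
access-list vpn-to-asa2 extended permit ip object-group ASA3-inside object-group ASA2-inside
access-list vpn-to-asa2 extended permit ip object-group ASA3-inside object-group ASA1-inside
access-list nonat-inside extended permit ip object-group ASA3-inside object-group ASA2-inside
access-list nonat-inside extended permit ip object-group ASA3-inside object-group ASA1-inside
nat (inside) 0 access-list nonat-inside
crypto map outside_map 10 match address vpn-to-asa2
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map interface outside
! ---- ASA2 (hub): two tunnels; spoke-to-spoke packets arrive on and leave the outside
! interface, so the ASA must be told to allow that hairpin
same-security-traffic permit intra-interface
access-list vpn-to-asa1 extended permit ip object-group ASA2-inside object-group ASA1-inside
access-list vpn-to-asa1 extended permit ip object-group ASA3-inside object-group ASA1-inside
access-list vpn-to-asa3 extended permit ip object-group ASA2-inside object-group ASA3-inside
access-list vpn-to-asa3 extended permit ip object-group ASA1-inside object-group ASA3-inside
! inside no-NAT covers only ASA2's own LAN, not the spoke-to-spoke pair (Steps 2 and 3)
access-list nonat-inside extended permit ip object-group ASA2-inside object-group ASA1-inside
access-list nonat-inside extended permit ip object-group ASA2-inside object-group ASA3-inside
nat (inside) 0 access-list nonat-inside
! outside no-NAT for the hairpinned spoke-to-spoke flows (Step 4)
access-list nonat-outside extended permit ip object-group ASA1-inside object-group ASA3-inside
access-list nonat-outside extended permit ip object-group ASA3-inside object-group ASA1-inside
nat (outside) 0 access-list nonat-outside
crypto map outside_map 10 match address vpn-to-asa1
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 20 match address vpn-to-asa3
crypto map outside_map 20 set peer 192.0.2.1
crypto map outside_map interface outside
```

Each spoke's crypto ACL is the exact mirror of the matching hub ACL, which is what lets ASA2 bring up both security associations; `show crypto ipsec sa` on ASA2 should then list the ASA1-inside/ASA3-inside pair under both peers once traffic flows.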
