  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 516

Alternate VPN connection

I have successfully set up VPNs between 3 networks using Cisco ASA 5505s.

A= 192.168.101.x
B= 192.168.105.x
C= 192.168.110.x

A is connected to B and C via VPNs. B is also connected to C via a VPN.

However there are times the path between A and B gets taken out due to issues beyond our control. 

Can someone tell me how to route the traffic from A to B via C?

I will need the command line parameters if you know them.

Thanks
0
Asked by: Bob
1 Solution
 
joelvp commented:
Did you already try to add the B subnet to the encryption domain of the VPN connection between A and C? I.e. add the subnet to the access-list referred to in the crypto map. If you paste the config, I can clearly point out what you should need to change.
0
 
Bob (Author) commented:
Sorry for the delay.  Things are hopping around here.  

Here is the configuration sanitized for your protection.


ASA Version 7.2(2)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.120.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.x.x.x 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
!same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside extended permit ip any any
access-list split standard permit 192.168.120.0 255.255.255.0
access-list split standard permit 192.168.105.0 255.255.255.0
access-list split standard permit 192.168.110.0 255.255.255.0
access-list split standard permit 192.168.115.0 255.255.255.0
access-list split standard permit 172.16.120.0 255.255.255.0
access-list abc extended permit ip 192.168.120.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list abc extended permit ip 192.168.120.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list abc extended permit ip 192.168.120.0 255.255.255.0 192.168.115.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.120.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.120.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list outside_105_cryptomap extended permit ip 192.168.120.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list outside_110_cryptomap extended permit ip 192.168.120.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list outside_in extended permit ip any any
access-list outside_115_cryptomap extended permit ip 192.168.120.0 255.255.255.0 192.168.115.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list abc
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 74.7.23.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy abcNetwork internal
group-policy abcNetwork attributes
 dns-server value 151.164.11.201 151.164.1.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value abcNetwork
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 1 set pfs
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 1 set reverse-route
crypto map outside_map 105 match address outside_105_cryptomap
crypto map outside_map 105 set pfs group1
crypto map outside_map 105 set peer 209.x.x.x
crypto map outside_map 105 set transform-set ESP-3DES-SHA
crypto map outside_map 110 match address outside_110_cryptomap
crypto map outside_map 110 set pfs group1
crypto map outside_map 110 set peer 208.x.x.x
crypto map outside_map 110 set transform-set ESP-3DES-SHA
crypto map outside_map 115 match address outside_115_cryptomap
crypto map outside_map 115 set pfs group1
crypto map outside_map 115 set peer 67.x.x.x
crypto map outside_map 115 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 2
tunnel-group abcNetwork type ipsec-ra
tunnel-group abcNetwork general-attributes
 address-pool VPNAccess
 default-group-policy abcNetwork
tunnel-group abcNetwork ipsec-attributes
 pre-shared-key *
tunnel-group 209.x.x.x type ipsec-l2l
tunnel-group 209.x.x.x ipsec-attributes
 pre-shared-key *
telnet timeout 30
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.120.220-192.168.120.250 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd wins 192.168.120.10 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
: end
0
 
joelvp commented:
So just add the subnet of B to the crypto map entry for the connection to C, so:

access-list outside_110_cryptomap extended permit ip 192.168.120.0 255.255.255.0 192.168.105.0 255.255.255.0

Do the same on the other side. Make sure, however, that the preferred connection to B has the lowest crypto map sequence number.
0
Bob (Author) commented:
Where is the sequence #?  Where am I missing it?
0
 
joelvp commented:
By crypto map sequence number I mean the number that comes after "crypto map outside_map", for example:
Sequence number 150 in "crypto map outside_map 105 set pfs group1"
or
Sequence number 115 in "crypto map outside_map 115 set peer 67.x.x.x"

0
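The two answers above rest on one ASA behaviour: crypto map entries on an interface are evaluated in ascending sequence-number order, and the first entry whose crypto ACL permits a flow decides which peer the flow is encrypted to. Once B's subnet appears in both the 105 (direct to B) and 110 (via C) ACLs, the sequence numbers alone determine which tunnel wins. The following Python script is an added example, not code from the thread or from Cisco; it parses a constructed excerpt written in the style of the posted config (with joelvp's extra access-list line added, and documentation-range placeholder addresses standing in for the sanitized peers) and performs that first-match lookup, so you can see which entry a given source/destination pair lands on before and after renumbering.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt in the style of the config posted in this thread (not the
# poster's full config): crypto ACLs and crypto map entries for peer 105 (site B)
# and peer 110 (site C), plus the extra ACL line joelvp suggested so that B's
# subnet is also carried inside the tunnel to C. The peer addresses are
# documentation-range placeholders for the sanitized "209.x.x.x" / "208.x.x.x".
ASA_CONFIG = """
access-list outside_105_cryptomap extended permit ip 192.168.120.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list outside_110_cryptomap extended permit ip 192.168.120.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list outside_110_cryptomap extended permit ip 192.168.120.0 255.255.255.0 192.168.105.0 255.255.255.0
crypto map outside_map 105 match address outside_105_cryptomap
crypto map outside_map 105 set peer 203.0.113.105
crypto map outside_map 110 match address outside_110_cryptomap
crypto map outside_map 110 set peer 203.0.113.110
"""

# Same excerpt with the via-C entry renumbered below the direct-to-B entry:
# this is the ordering joelvp warns against.
REORDERED_CONFIG = ASA_CONFIG.replace("outside_map 110", "outside_map 100")

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")


def parse_config(text):
    """Return (acls, crypto_maps) from the ACL and crypto map lines of an ASA config.

    acls:        acl name -> list of (src_network, dst_network)
    crypto_maps: map name -> {sequence number: {"acl": acl name, "peer": address}}
    Lines that are not one of the three recognised forms are ignored.
    """
    acls = defaultdict(list)
    crypto_maps = defaultdict(dict)
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}"),
                               ipaddress.ip_network(f"{dst}/{dmask}")))
            continue
        m = MATCH_RE.match(line)
        if m:
            map_name, seq, acl = m.groups()
            crypto_maps[map_name].setdefault(int(seq), {})["acl"] = acl
            continue
        m = PEER_RE.match(line)
        if m:
            map_name, seq, peer = m.groups()
            crypto_maps[map_name].setdefault(int(seq), {})["peer"] = peer
    return acls, crypto_maps


def acl_permits(acls, name, src_ip, dst_ip):
    """True if any permit line of the named crypto ACL covers src -> dst."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in acls.get(name, []))


def select_crypto_entry(text, map_name, src_ip, dst_ip):
    """First-match crypto map lookup.

    Entries are tried in ascending sequence order; the first one whose ACL
    permits the flow wins, so a lower number beats a more specific ACL.
    Returns (sequence, peer) or None when no entry matches, meaning the flow
    is not encrypted by this map at all.
    """
    acls, crypto_maps = parse_config(text)
    for seq in sorted(crypto_maps[map_name]):
        entry = crypto_maps[map_name][seq]
        if "acl" in entry and acl_permits(acls, entry["acl"], src_ip, dst_ip):
            return seq, entry.get("peer")
    return None


if __name__ == "__main__":
    a_host, b_host, c_host = "192.168.120.10", "192.168.105.20", "192.168.110.20"
    print("A->B, correct order :", select_crypto_entry(ASA_CONFIG, "outside_map", a_host, b_host))
    print("A->C, correct order :", select_crypto_entry(ASA_CONFIG, "outside_map", a_host, c_host))
    print("A->B, via-C first   :", select_crypto_entry(REORDERED_CONFIG, "outside_map", a_host, b_host))
```

With the sequence numbers as posted, A-to-B traffic matches entry 105 and goes straight to B, while the duplicate line in outside_110_cryptomap is only reached for destinations that 105 does not cover. In the renumbered variant the via-C entry (100) is consulted first and captures A-to-B traffic permanently, even while the direct tunnel is healthy, which is exactly the mis-ordering joelvp's "lowest sequence number" remark is meant to prevent. Note that this lookup is static: the ASA does not skip an entry because its peer is currently unreachable, so the B-subnet line in the C tunnel's ACL only carries traffic once the direct entry no longer matches or is removed.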
 
Qlemo (C++ Developer) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
