Solved

Configuring access between two Site to Site VPNs with a Cisco ASA Firewall

Posted on 2011-09-08
440 Views
Last Modified: 2012-05-12
I need help configuring access in a Cisco ASA Firewall between two existing Site to Site VPNs.  The VPNs connect from an ASA in each remote office to the ASA in a Data Center.  These VPNs work fine now for access to the servers in the data center.

I need to be able to access servers located at Site B from workstations at Site A.
What do I need to add to the existing configurations to allow traffic to flow from
10.20.11.0/24 subnet to the 10.50.10.0/24 subnet and back?

From the Data Center I can ping to both Site A and Site B successfully and I can ping from both Site A and Site B to the Data Center successfully.  When completed I hope to be able to ping directly from Site A to Site B.

Current Config info:
_____________________________________________________________________________________
The Data Center Cisco ASA (IOS 8.2(1)) which is the endpoint for both Site to Site VPNs is configured:

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.20.10.254 255.255.255.0

**** Site to Site VPN to Site A:
access-list 100 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list 120 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
crypto map xxxx 1 match address 120
crypto map xxxx 1 set peer A.B.C.D
crypto map xxxx 1 set transform-set xxxx
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0

**** Site to Site VPN to Site B:
access-list 100 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
access-list 130 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 2 match address 130
crypto map xxxx 2 set peer D.C.B.A
crypto map xxxx 2 set transform-set xxxx
(Next 3 lines listed again for clarity)
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0
_____________________________________________________________________________________

The Cisco ASA (IOS 8.2(1)) at Site A: is configured:

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.20.11.254 255.255.255.0

access-list 100 extended permit ip 10.20.11.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 100 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
access-list 110 extended permit ip 10.20.11.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 110 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 1 match address 110
crypto map xxxx 1 set peer W.X.Y.Z
crypto map xxxx 1 set transform-set xxxx
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0
____________________________________________________________________________________

I don't have direct access to the ASA in Site B: but I can have changes made to it.

Question by:eAtlanta
24 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36507436
So, you basically have tunnels set up between both site A & B back to the datacenter (headend ASA) but not between both remote locations directly? And you want to achieve encrypted traffic between remote locations without having to traverse via the headend or datacenter ASA?
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36507445
Secondly, are all ASAs running the same version of IOS, including the datacenter device, IOS 8.2(1)?
 

Author Comment

by:eAtlanta
ID: 36507457
I think they are all running the same version of IOS.  There is a tunnel between Site A and the Datacenter and the Datacenter to Site B.  There is not a tunnel directly between Site A and Site B.  I want the traffic to flow from Site A thru the tunnel to the Datacenter and then from the Datacenter thru the other tunnel over to Site B and back.  Thanks for your help on this!!

 
LVL 10

Expert Comment

by:SuperTaco
ID: 36507520
Is there an issue with setting up a VPN from A to B?
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 36507532
site A router needs to have a route statement for LAN at Site B

Site B router needs a route statement for LAN at Site A

datacenter router will handle the rest
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 36507536
I don't get it yet.

You have two existing site-to-site VPNs.  That implies at least 3, if not 4 sites.  So, sites Z,Y,X and maybe W.
If not sites then at least subnets.

Then you have sites A and B.  One might jump to the conclusion that A and B are Z and Y.  But, what about X and maybe W?

We could help better if the terminology were clearer.
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36507556
The best way for us to help you fast is for you to post a sanitized config of your Datacenter ASA. If not, then you would just need to configure the datacenter ASA to allow the traffic between both tunnels of site A&B to pass-thru the datacenter ASA, since we don't know if any traffic restrictions are needed and/or warranted. Hope this helps.
 

Author Comment

by:eAtlanta
ID: 36507649
Thanks for the responses.  I would prefer not to set up a VPN from Site A to Site B. There are 3 sites.  Office Site A, Office Site B, and DataCenter Site.  There already are tunnels between the DataCenter Site and both remote sites.  Because these are tunnels and already encrypted, we want all traffic to pass from Site A over to DataCenter Site and then on over to Site B and back of course.  There has to be some configuration to tell a packet that Site A sends across the tunnel over to the DataCenter Site to continue on to Site B if that is where the packet's destination is.

I've given you sanitized configs with the relevant lines for the DataCenter and for Site A above.  The actual traffic that will be sent is Windows workstations at Site A accessing database info that resides on servers in Site B.
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 36507686
I hope the Cisco devices will do that for you.  Honestly, I don't know how to do that.
Here's why:

You set up a VPN from Site A to the Data Center.
You set up a VPN from Site B to the Data Center.
You launch a packet from Site A destined for Site B.
Let's just say there's a separate Gateway at each site .. not the VPN device.
So, you set up a route in the Gateway at Site A to send packets destined for Site B to the VPN device.
Either:
- the VPN device gets the packets destined for Site B and doesn't know what to do with them because that's not the terminating subnet for the VPN ... so it drops those packets.
- The VPN device knows what to do with packets destined for Site B and puts them on the VPN somehow.... I'm not sure this works but let's just say it does.
- The terminating VPN device at the Data Center gets packets destined for Site B.  One would hope that it would know to forward them to the other tunnel or to another VPN device on the Site A subnet.

The return path will go through the local site Gateway device.  If it has stateful packet inspection on LAN packets then it may not recognize the state because packets arriving from the VPN don't go through the Gateway at all.  This is likely the case you have now and must have dealt with it.

I think the best bet is to set up a VPN between Site A and Site B.  You have the equipment and the connections already.  That's much easier and cleaner.  It's exactly what I'm doing with 3 sites - each site has one VPN device with 2 VPNs set up so that all sites are connected 1-to-1.
 

Author Comment

by:eAtlanta
ID: 36507713
I've not done this before either but I have several customers who want to do this.  I'm pretty sure it is possible.  I played around with hairpinning but I can't get it to work and am not sure that a bandaid like hairpinning is the best solution.  I think to do it, I have to set up a way so that when the packet reaches the datacenter ASA it doesn't get NAT'ed, but I'm not real knowledgeable on how to program NAT/NoNat that way.
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 36507790
if you tell site A to route site B network to datacenter, the datacenter will know where to send the packets.

if you tell site B to route site A network to datacenter, the data center will know where to send the packets.

if you want a backup route for each site set up a vpn between site A and Site B and give the route rule a lesser priority.
 

Author Comment

by:eAtlanta
ID: 36507831
I've included a few more lines of config for both Firewalls.  We will be adding more Sites in the future just like Site A so doing two additional VPNs for each new site will get unwieldy.  There has got to be a way to just tell the Datacenter ASA to forward on packets.  Hasn't anyone solved this at the ASA level?

The Data Center Cisco ASA (IOS 8.2(1)) which is the endpoint for both Site to Site VPNs is configured:

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.20.10.254 255.255.255.0

**** Site to Site VPN to Site A:
access-list 100 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list 120 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
crypto map xxxx 1 match address 120
crypto map xxxx 1 set peer A.B.C.D
crypto map xxxx 1 set transform-set xxxx
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0

**** Site to Site VPN to Site B:
access-list 100 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
access-list 130 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 2 match address 130
crypto map xxxx 2 set peer D.C.B.A
crypto map xxxx 2 set transform-set xxxx
(Next 3 lines listed again for clarity)
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0
access-group outside_access in interface outside
access-group inside_access in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
_____________________________________________________________________________________

The Cisco ASA (IOS 8.2(1)) at Site A: is configured:

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.20.11.254 255.255.255.0

access-list 100 extended permit ip 10.20.11.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 100 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
access-list 110 extended permit ip 10.20.11.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 110 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 1 match address 110
crypto map xxxx 1 set peer W.X.Y.Z
crypto map xxxx 1 set transform-set xxxx
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0
access-group outside_access in interface outside
access-group inside_access in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
____________________________________________________________________________________

I don't have direct access to the ASA in Site B: but I can have changes made to it.
 

Author Comment

by:eAtlanta
ID: 36507861
I have played around with adding some or all of these lines in the DataCenter ASA but can't get it to work without stopping traffic from flowing thru the tunnels.  Does this make sense?

same-security-traffic permit intra-interface
access-list inside_access extended permit ip 10.50.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list inside_access extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
nat-control
static (inside,inside) 10.50.10.0 10.50.10.0 netmask 255.255.255.0
static (inside,inside) 10.20.11.0 10.20.11.0 netmask 255.255.255.0
global (inside) 1 interface

Seems like a couple of route statements might help here also, but I can't figure out exactly where to route traffic to, since traffic has to go across tunnels and there is no explicit inside address for a tunnel that would be its "default gateway".  Something like these, or maybe not - I'm just guessing here:

route inside 10.50.10.0 255.255.255.0 10.10.105.254 1
route inside 10.20.11.0 255.255.255.0 10.20.11.254 1
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 36507962
http://www.dslreports.com/faq/10380

looks like the answer is using 'tunnel0' as the gateway for the route
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36508384
Can you post the routes and outside access lists from all of your ASAs?

 

Author Comment

by:eAtlanta
ID: 36508402
There is only one route statement in each ASA currently and it is listed above; it points to the Cisco Router which is the default gateway outside IP address provided by the ISP in each case.  The outside access lists for both ASAs are the same and they are:

access-list outside_access extended permit ip any any
access-list outside_access extended permit icmp any any
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36508419
Access-lists on both ASAs or all 3 ASAs?
 

Author Comment

by:eAtlanta
ID: 36508435
I don't have the config for the ASA at Site B as I don't control it.  I do have the ability to have changes made to it.  So the Access Lists on both ASAs for Site A and the DataCenter, for both inside and outside, are the same:

access-list outside_access extended permit ip any any
access-list outside_access extended permit icmp any any
access-list inside_access extended permit ip any any
access-list inside_access extended permit icmp any any
 
LVL 18

Accepted Solution

by: fgasimzade earned 500 total points
ID: 36508441
Try adding these lines on the Data Centre ASA:

access-list 120 extended permit ip 10.50.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list 130 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
 

Author Closing Comment

by:eAtlanta
ID: 36508581
I added those lines, which now that I look were obviously missing.  Still no Joy in Mudville.  Then I try adding: same-security-traffic permit intra-interface   and Mighty Casey hits a grand slam!  There will be Joy in Mudville tonight after all.  (Did I spell Mudville right?)  

Anyway, thanks a ton for pointing me to it!  You get all of the points.  I guess this is simple hairpinning without all of the extra crap I tried above.  I hope this helps others.
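As an added illustration (not from the thread, and not Cisco code), the Python below models why the hub needed both the two crypto ACL lines from the accepted answer and `same-security-traffic permit intra-interface` before Site A could reach Site B through the Data Center. The peer placeholders and ACL text are the ones quoted in the thread; the three checks are a simplified model of the hub's crypto-ACL proxy-identity matching and hairpin rule, not the ASA implementation.

```python
"""Model of the hub (Data Center) ASA 8.2 deciding whether a packet decrypted
from one site-to-site tunnel may be re-encrypted into the other. Added
example, not Cisco code or the thread's own: ACL text comes from the thread,
the matching rules are a simplified model of crypto-ACL proxy identities."""
import ipaddress
import re

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
CRYPTO_MAPS = {"A.B.C.D": "120", "D.C.B.A": "130"}  # hub peer -> crypto ACL, from the thread
HUB_ORIGINAL = """
access-list 120 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list 130 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
"""
# The two lines from the accepted answer: each covers one direction's inbound
# identity and the other direction's outbound selection.
HUB_ACL_FIX = HUB_ORIGINAL + """
access-list 120 extended permit ip 10.50.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list 130 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
"""
HUB_FIXED = HUB_ACL_FIX + "same-security-traffic permit intra-interface\n"

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} from ASA 'permit ip' lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    return acls

def acl_matches(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)

def hub_forwards(config, src_ip, dst_ip, arriving_peer):
    """Return (ok, reason) for an inner packet src->dst decrypted from arriving_peer."""
    acls = parse_acls(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. Inbound: the packet must fit the proxy identity negotiated with the
    #    arriving peer. The hub's ACL is written from the hub's side, so the
    #    entry's source is the inner destination and vice versa.
    inbound_acl = CRYPTO_MAPS[arriving_peer]
    if not acl_matches(acls.get(inbound_acl, []), dst, src):
        return False, f"no entry in ACL {inbound_acl} for {dst} <-> {src}"
    # 2. Outbound: some crypto map entry must select src->dst for encryption.
    egress = [p for p, a in CRYPTO_MAPS.items() if acl_matches(acls.get(a, []), src, dst)]
    if not egress:
        return False, "no crypto ACL selects the packet for re-encryption"
    # 3. Both tunnels end on 'outside': same ingress and egress interface, which is
    #    dropped unless intra-interface hairpinning is enabled.
    if "same-security-traffic permit intra-interface" not in config:
        return False, "hairpin blocked: same-security-traffic permit intra-interface missing"
    return True, f"re-encrypted toward peer {egress[0]}"
```

Site A's ACL 110 already carries the mirrored 10.20.11.0 to 10.50.10.0 entry; the Site B ASA, whose config is not shown in the thread, needs the equivalent 10.50.10.0 to 10.20.11.0 entry in its own crypto ACL for the return path.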
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36508607
But you had this command already configured, no?

same-security-traffic permit intra-interface

I saw it in one of your posts
 

Author Comment

by:eAtlanta
ID: 36508625
I was trying to get that command to work, but without your missing access lists, it wasn't enough.  I've put it in and taken it out of the config several times today.  It needs to be in there though as I tried it without it, and it does not work without it.
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36508651
Ah, ok, I thought it was still there :)

 

Author Comment

by:eAtlanta
ID: 36508656
I didn't end up using any of these commands with it though:

access-list inside_access extended permit ip 10.50.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list inside_access extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
nat-control
static (inside,inside) 10.50.10.0 10.50.10.0 netmask 255.255.255.0
static (inside,inside) 10.20.11.0 10.20.11.0 netmask 255.255.255.0
global (inside) 1 interface
route inside 10.50.10.0 255.255.255.0 10.10.105.254 1
route inside 10.20.11.0 255.255.255.0 10.20.11.254 1