Solved

Configuring access between two Site to Site VPNs with a Cisco ASA Firewall

Posted on 2011-09-08
Last Modified: 2012-05-12
I need help configuring access in a Cisco ASA Firewall between two existing Site to Site VPNs.  The VPNs connect from an ASA in each remote office to the ASA in a Data Center.  These VPNs work fine now for access to the servers in the data center.

I need to be able to access servers located at Site B from workstations at Site A.
What do I need to add to the existing configurations to allow traffic to flow from
10.20.11.0/24 subnet to the 10.50.10.0/24 subnet and back?

From the Data Center I can ping to both Site A and Site B successfully and I can ping from both Site A and Site B to the Data Center successfully.  When completed I hope to be able to ping directly from Site A to Site B.

Current Config info:
_____________________________________________________________________________________
The Data Center Cisco ASA (IOS 8.2(1)), which is the endpoint for both Site to Site VPNs, is configured:

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.20.10.254 255.255.255.0

**** Site to Site VPN to Site A:
access-list 100 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list 120 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
crypto map xxxx 1 match address 120
crypto map xxxx 1 set peer A.B.C.D
crypto map xxxx 1 set transform-set xxxx
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0

**** Site to Site VPN to Site B:
access-list 100 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
access-list 130 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 2 match address 130
crypto map xxxx 2 set peer D.C.B.A
crypto map xxxx 2 set transform-set xxxx
(Next 3 lines listed again for clarity)
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0
_____________________________________________________________________________________

The Cisco ASA (IOS 8.2(1)) at Site A is configured:

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.20.11.254 255.255.255.0

access-list 100 extended permit ip 10.20.11.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 100 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
access-list 110 extended permit ip 10.20.11.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 110 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 1 match address 110
crypto map xxxx 1 set peer W.X.Y.Z
crypto map xxxx 1 set transform-set xxxx
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0
____________________________________________________________________________________

I don't have direct access to the ASA in Site B, but I can have changes made to it.

Question by:eAtlanta
24 Comments
 
LVL 15

Expert Comment

by:The_Warlock
ID: 36507436
So, you basically have tunnels set up between both site A & B back to the datacenter (headend ASA) but not between both remote locations directly? And you want to achieve encrypted traffic between remote locations without having to traverse via the headend or datacenter ASA?
LVL 15

Expert Comment

by:The_Warlock
ID: 36507445
Secondly, are all ASAs running the same version of IOS, including the datacenter device on IOS 8.2(1)?

Author Comment

by:eAtlanta
ID: 36507457
I think they are all running the same version of IOS.  There is a tunnel between Site A and the Datacenter and the Datacenter to Site B.  There is not a tunnel directly between Site A and Site B.  I want the traffic to flow from Site A thru the tunnel to the Datacenter and then from the Datacenter thru the other tunnel over to Site B and back.  Thanks for your help on this!!
LVL 10

Expert Comment

by:SuperTaco
ID: 36507520
Is there an issue with setting up a VPN from A to B?
LVL 13

Expert Comment

by:Greg Hejl
ID: 36507532
site A router needs to have a route statement for LAN at Site B

Site B router needs a route statement for LAN at Site A

datacenter router will handle the rest
LVL 25

Expert Comment

by:Fred Marshall
ID: 36507536
I don't get it yet.

You have two existing site-to-site VPNs.  That implies at least 3, if not 4 sites.  So, sites Z,Y,X and maybe W.
If not sites then at least subnets.

Then you have sites A and B.  One might jump to the conclusion that A and B are Z and Y.  But, what about X and maybe W?

We could help better if the terminology were clearer.
LVL 15

Expert Comment

by:The_Warlock
ID: 36507556
The best way for us to help you fast is for you to post a sanitized config of your Datacenter ASA. If not, then you would just need to configure the datacenter ASA to allow the traffic between both tunnels of site A&B to pass-thru the datacenter ASA, since we don't know if any traffic restrictions are needed and/or warranted. Hope this helps.

Author Comment

by:eAtlanta
ID: 36507649
Thanks for the responses.  I would prefer not to set up a VPN from Site A to Site B. There are 3 sites.  Office Site A, Office Site B, and DataCenter Site.  There already are tunnels between the DataCenter Site and both remote sites.  Because these are Tunnels and already encrypted, we want all traffic to pass from Site A over to DataCenter Site and then on over to Site B and back of course.  There has to be some configuration to tell a packet that Site A sends across the tunnel over to the DataCenter Site - to continue on to Site B if that is where the packet's destination is.  

I've given you sanitized configs with the relevant lines for the DataCenter and for Site A above.  The actual traffic that will be sent is Windows workstations at Site A accessing database info that resides on servers in Site B.  
LVL 25

Expert Comment

by:Fred Marshall
ID: 36507686
I hope the Cisco devices will do that for you.  Honestly, I don't know how to do that.
Here's why:

You set up a VPN from Site A to the Data Center.
You set up a VPN from Site B to the Data Center.
You launch a packet from Site A destined for Site B.
Let's just say there's a separate Gateway at each site .. not the VPN device.
So, you set up a route in the Gateway at Site A to send packets destined for Site B to the VPN device.
Either:
- the VPN device gets the packets destined for Site B and doesn't know what to do with them because that's not the terminating subnet for the VPN ... so it drops those packets.
- The VPN device knows what to do with packets destined for Site B and puts them on the VPN somehow.... I'm not sure this works but let's just say it does.
- The terminating VPN device at the Data Center gets packets destined for Site B.  One would hope that it would know to forward them to the other tunnel or to another VPN device on the Site A subnet.

The return path will go through the local site Gateway device.  If it has stateful packet inspection on LAN packets then it may not recognize the state because packets arriving from the VPN don't go through the Gateway at all.  This is likely the case you have now and must have dealt with it.

I think the best bet is to set up a VPN between Site A and Site B.  You have the equipment and the connections already.  That's much easier and cleaner.  It's exactly what I'm doing with 3 sites - each site has one VPN device with 2 VPNs set up so that all sites are connected 1-to-1.

Author Comment

by:eAtlanta
ID: 36507713
I've not done this before either but I have several customers who want to do this.  I'm pretty sure it is possible.  I played around with hairpinning but I can't get it to work and am not sure that a bandaid like hairpinning is the best solution.  I think to do it, I have to set up a way so that when the packet reaches the datacenter ASA it doesn't get NAT'ed but I'm not really knowledgeable on how to program NAT/NoNat that way.
LVL 13

Expert Comment

by:Greg Hejl
ID: 36507790
if you tell site A to route site B network to datacenter, the datacenter will know where to send the packets.

if you tell site B to route site A network to datacenter, the data center will know where to send the packets.

if you want a backup route for each site set up a vpn between site A and Site B and give the route rule a lesser priority.

Author Comment

by:eAtlanta
ID: 36507831
I've included a few more lines of config for both Firewalls.  We will be adding more Sites in the future just like Site A so doing two additional VPNs for each new site will get unwieldy.  There has got to be a way to just tell the Datacenter ASA to forward on packets.  Hasn't anyone solved this at the ASA level?

The Data Center Cisco ASA (IOS 8.2(1)), which is the endpoint for both Site to Site VPNs, is configured:

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.20.10.254 255.255.255.0

**** Site to Site VPN to Site A:
access-list 100 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list 120 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
crypto map xxxx 1 match address 120
crypto map xxxx 1 set peer A.B.C.D
crypto map xxxx 1 set transform-set xxxx
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0

**** Site to Site VPN to Site B:
access-list 100 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
access-list 130 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 2 match address 130
crypto map xxxx 2 set peer D.C.B.A
crypto map xxxx 2 set transform-set xxxx
(Next 3 lines listed again for clarity)
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0
access-group outside_access in interface outside
access-group inside_access in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
_____________________________________________________________________________________

The Cisco ASA (IOS 8.2(1)) at Site A is configured:

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.20.11.254 255.255.255.0

access-list 100 extended permit ip 10.20.11.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 100 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
access-list 110 extended permit ip 10.20.11.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 110 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 1 match address 110
crypto map xxxx 1 set peer W.X.Y.Z
crypto map xxxx 1 set transform-set xxxx
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0
access-group outside_access in interface outside
access-group inside_access in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
____________________________________________________________________________________

I don't have direct access to the ASA in Site B, but I can have changes made to it.

 

Author Comment

by:eAtlanta
ID: 36507861
I have played around with adding some or all of these lines in the DataCenter ASA but can't get it to work without stopping traffic from flowing thru the tunnels.  Does this make sense?

same-security-traffic permit intra-interface
access-list inside_access extended permit ip 10.50.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list inside_access extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
nat-control
static (inside,inside) 10.50.10.0 10.50.10.0 netmask 255.255.255.0
static (inside,inside) 10.20.11.0 10.20.11.0 netmask 255.255.255.0
global (inside) 1 interface

Seems like a couple of route statements might help here also but I can't figure out exactly where to route traffic to, since traffic has to go across tunnels and there is no explicit inside address for a tunnel that would be its "default gateway".  Something like these or maybe not - I'm just guessing here:

route inside 10.50.10.0 255.255.255.0 10.10.105.254 1
route inside 10.20.11.0 255.255.255.0 10.20.11.254 1
LVL 13

Expert Comment

by:Greg Hejl
ID: 36507962
http://www.dslreports.com/faq/10380

looks like the answer is using 'tunnel0' as the gateway for the route
LVL 18

Expert Comment

by:fgasimzade
ID: 36508384
Can you post the routes and outside access lists from all of your ASAs?


Author Comment

by:eAtlanta
ID: 36508402
There is only one route statement in each ASA currently and it is listed above; it points to the Cisco Router, which is the default gateway outside IP address provided by the ISP in each case.  The outside access lists for both ASAs are the same and they are:

access-list outside_access extended permit ip any any
access-list outside_access extended permit icmp any any
LVL 18

Expert Comment

by:fgasimzade
ID: 36508419
Access-lists on both ASAs or all 3 ASAs?

Author Comment

by:eAtlanta
ID: 36508435
I don't have the config for the ASA at Site B as I don't control it.  I do have the ability to have changes made to it.  So the Access Lists on both ASAs for Site A and the DataCenter for both inside and outside are the same:

access-list outside_access extended permit ip any any
access-list outside_access extended permit icmp any any
access-list inside_access extended permit ip any any
access-list inside_access extended permit icmp any any
LVL 18

Accepted Solution

by:
fgasimzade earned 500 total points
ID: 36508441
Try adding these lines on the Data Centre ASA:

access-list 120 extended permit ip 10.50.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list 130 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0


Author Closing Comment

by:eAtlanta
ID: 36508581
I added those lines, which now that I look were obviously missing.  Still no Joy in Mudville.  Then I try adding: same-security-traffic permit intra-interface   and Mighty Casey hits a grand slam!  There will be Joy in Mudville tonight after all.  (Did I spell Mudville right?)  

Anyway thanks a ton for pointing me to it!  You get all of the points.  I guess this is simple hairpinning without all of the extra crap I tried above.  I hope this helps others.
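Added example (not from the thread, from Cisco, or from any of the posters): a small Python model that replays the accepted solution and the closing comment hop by hop, to show why both pieces were needed on the Data Center ASA. It parses the 8.2-style lines quoted in this thread and applies the three rules the fix relies on: an ASA encrypts a packet only when its crypto-map ACL permits src->dst; the decrypting ASA needs the mirrored entry (dst->src) on the same tunnel, or phase 2 for that pair of subnets never comes up; and the hub can only send a decrypted packet back out the outside interface with `same-security-traffic permit intra-interface`. The Site B config is not posted, so the one below is an assumption that mirrors Site A's, and the two host addresses are constructed.

```python
"""Hop-by-hop model of the Site A -> Site B flow from this thread (added example)."""
import ipaddress
import re

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"crypto map \S+ (\d+) match address (\S+)$")
HAIRPIN = "same-security-traffic permit intra-interface"


def parse_asa(config_text):
    """Return (acls, crypto_map, hairpin): ACL name -> [(src_net, dst_net)],
    crypto-map sequence -> ACL name, and whether hairpinning is permitted."""
    acls, crypto_map, hairpin = {}, {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := MAP_RE.match(line):
            crypto_map[int(m.group(1))] = m.group(2)
        elif line == HAIRPIN:
            hairpin = True
    return acls, crypto_map, hairpin


def matching_tunnel(asa, src, dst):
    """Crypto-map sequence whose ACL permits src -> dst, or None."""
    acls, crypto_map, _ = asa
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in sorted(crypto_map):
        for src_net, dst_net in acls.get(crypto_map[seq], []):
            if src in src_net and dst in dst_net:
                return seq
    return None


def trace(spoke_in, hub, spoke_out, src, dst):
    """Follow one packet src -> dst through spoke_in, the hub and spoke_out.
    Returns (reached, reason)."""
    if matching_tunnel(spoke_in, src, dst) is None:
        return False, "ingress spoke: no crypto ACL match, packet not encrypted"
    seq_in = matching_tunnel(hub, dst, src)   # hub must hold the mirrored entry
    if seq_in is None:
        return False, "hub: no mirrored crypto ACL entry, phase 2 fails"
    if not hub[2]:
        return False, "hub: outside-to-outside dropped, intra-interface not permitted"
    seq_out = matching_tunnel(hub, src, dst)  # hub must re-encrypt toward the other spoke
    if seq_out is None or seq_out == seq_in:
        return False, "hub: no crypto ACL entry toward the other spoke, packet follows default route"
    if matching_tunnel(spoke_out, dst, src) is None:
        return False, "egress spoke: no mirrored crypto ACL entry, phase 2 fails"
    return True, f"ok via hub crypto map seq {seq_in} -> seq {seq_out}"


def both_directions(spoke_a, hub, spoke_b, host_a, host_b):
    """The asker wants ping to work, so the reply path is checked as well."""
    fwd = trace(spoke_a, hub, spoke_b, host_a, host_b)
    rev = trace(spoke_b, hub, spoke_a, host_b, host_a)
    return fwd[0] and rev[0], rev[1] if fwd[0] else fwd[1]


# Hub crypto lines as posted by the asker.
HUB_POSTED = """
access-list 120 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
crypto map xxxx 1 match address 120
access-list 130 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 2 match address 130
"""
# The two entries from the accepted solution.
HUB_FIX_ACLS = """
access-list 120 extended permit ip 10.50.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list 130 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
"""
# Site A crypto lines as posted.
SITE_A = """
access-list 110 extended permit ip 10.20.11.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 110 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 1 match address 110
"""
# Site B is NOT on the page; this is an assumption that mirrors Site A.
SITE_B_ASSUMED = """
access-list 110 extended permit ip 10.50.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 110 extended permit ip 10.50.10.0 255.255.255.0 10.20.11.0 255.255.255.0
crypto map xxxx 1 match address 110
"""
SPOKE_A, SPOKE_B = parse_asa(SITE_A), parse_asa(SITE_B_ASSUMED)
HOST_A, HOST_B = "10.20.11.50", "10.50.10.20"   # constructed sample hosts


def run_stages():
    """Replay the thread: posted config, ACL fix alone, ACL fix plus hairpinning."""
    stages = {
        "posted": HUB_POSTED,
        "acls_added": HUB_POSTED + HUB_FIX_ACLS,
        "acls_and_hairpin": HUB_POSTED + HUB_FIX_ACLS + HAIRPIN + "\n",
    }
    return {name: both_directions(SPOKE_A, parse_asa(cfg), SPOKE_B, HOST_A, HOST_B)
            for name, cfg in stages.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_stages().items():
        print(f"{name:18} {'PASS' if ok else 'FAIL'}: {why}")
```

The three stages reproduce the order of events in the thread: with only the posted hub config the hub has no entry mirroring Site A's 10.20.11.0/24 to 10.50.10.0/24 proposal, so nothing for that pair is ever negotiated; with the two ACL entries added, the decrypted packet is dropped because it would have to leave the outside interface it arrived on; with hairpinning permitted as well, both directions complete. On a real box the equivalent check is `show crypto ipsec sa` per peer, which lists the local/remote identity pairs that actually have SAs.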
LVL 18

Expert Comment

by:fgasimzade
ID: 36508607
But you had this command already configured, no?

same-security-traffic permit intra-interface

I saw it in one of your posts

Author Comment

by:eAtlanta
ID: 36508625
I was trying to get that command to work, but without your missing access lists, it wasn't enough.  I've put it in and taken it out of the config several times today.  It needs to be in there though as I tried it without it, and it does not work without it.
LVL 18

Expert Comment

by:fgasimzade
ID: 36508651
Ah, ok, I thought it was still there :)


Author Comment

by:eAtlanta
ID: 36508656
I didn't end up using any of these commands with it though:

access-list inside_access extended permit ip 10.50.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list inside_access extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
nat-control
static (inside,inside) 10.50.10.0 10.50.10.0 netmask 255.255.255.0
static (inside,inside) 10.20.11.0 10.20.11.0 netmask 255.255.255.0
global (inside) 1 interface
route inside 10.50.10.0 255.255.255.0 10.10.105.254 1
route inside 10.20.11.0 255.255.255.0 10.20.11.254 1
