
Configuring access between two Site to Site VPN's with a Cisco ASA Firewall

I need help configuring access in a Cisco ASA Firewall between two existing Site to Site VPNs.  The VPNs connect from an ASA in each remote office to the ASA in a Data Center.  These VPNs work fine now for access to the servers in the data center.

I need to be able to access servers located at Site B from workstations at Site A. What do I need to add to the existing configurations to allow traffic to flow from the 10.20.11.0/24 subnet to the 10.50.10.0/24 subnet and back?

From the Data Center I can ping to both Site A and Site B successfully and I can ping from both Site A and Site B to the Data Center successfully.  When completed I hope to be able to ping directly from Site A to Site B.

Current Config info:
_____________________________________________________________________________________
The Data Center Cisco ASA (IOS 8.2(1)), which is the endpoint for both Site to Site VPNs, is configured:

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.20.10.254 255.255.255.0

**** Site to Site VPN to Site A:
access-list 100 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list 120 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
crypto map xxxx 1 match address 120
crypto map xxxx 1 set peer A.B.C.D
crypto map xxxx 1 set transform-set xxxx
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0

**** Site to Site VPN to Site B:
access-list 100 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
access-list 130 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 2 match address 130
crypto map xxxx 2 set peer D.C.B.A
crypto map xxxx 2 set transform-set xxxx
(Next 3 lines listed again for clarity)
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0
_____________________________________________________________________________________

The Cisco ASA (IOS 8.2(1)) at Site A is configured:

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.20.11.254 255.255.255.0

access-list 100 extended permit ip 10.20.11.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 100 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
access-list 110 extended permit ip 10.20.11.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 110 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 1 match address 110
crypto map xxxx 1 set peer W.X.Y.Z
crypto map xxxx 1 set transform-set xxxx
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0
____________________________________________________________________________________

I don't have direct access to the ASA in Site B, but I can have changes made to it.

1 Solution
 
Robert Sutton Jr (Senior Network Manager) commented:
So, you basically have tunnels setup between both site A & B back to the datacenter(Headend ASA)but not between both remote locations directly? And you want to achieve encrypted traffic between remote locations without having to traverse via the headend or datacenter ASA?
 
Robert Sutton Jr (Senior Network Manager) commented:
Secondly, are all ASAs running the same version of IOS, including the datacenter device, IOS 8.2(1)?
 
eAtlanta (Author) commented:
I think they are all running the same version of IOS.  There is a tunnel between Site A and the Datacenter and the Datacenter to Site B.  There is not a tunnel directly between Site A and Site B.  I want the traffic to flow from Site A thru the tunnel to the Datacenter and then from the Datacenter thru the other tunnel over to Site B and back.  Thanks for your help on this!!
 
SuperTaco commented:
Is there an issue with setting up a VPN from A to B?
 
Greg Hejl commented:
Site A router needs to have a route statement for the LAN at Site B.

Site B router needs a route statement for the LAN at Site A.

The datacenter router will handle the rest.
 
Fred Marshall commented:
I don't get it yet.

You have two existing site-to-site VPNs.  That implies at least 3, if not 4 sites.  So, sites Z,Y,X and maybe W.
If not sites then at least subnets.

Then you have sites A and B.  One might jump to the conclusion that A and B are Z and Y.  But, what about X and maybe W?

We could help better if the terminology were clearer.
 
Robert Sutton Jr (Senior Network Manager) commented:
The best way for us to help you fast is for you to post a sanitized config of your Datacenter ASA. If not, then you would just need to configure the datacenter ASA to allow the traffic between both tunnels of site A & B to pass-thru the datacenter ASA, since we don't know if any traffic restrictions are needed and/or warranted. Hope this helps.
 
eAtlanta (Author) commented:
Thanks for the responses.  I would prefer not to set up a VPN from Site A to Site B. There are 3 sites.  Office Site A, Office Site B, and DataCenter Site.  There already are tunnels between the DataCenter Site and both remote sites.  Because these are Tunnels and already encrypted, we want all traffic to pass from Site A over to DataCenter Site and then on over to Site B and back of course.  There has to be some configuration to tell a packet that Site A sends across the tunnel over to the DataCenter Site to continue on to Site B if that is where the packet's destination is.

I've given you sanitized configs with the relevant lines for the DataCenter and for Site A above.  The actual traffic that will be sent is Windows workstations at Site A accessing database info that resides on servers in Site B.
 
Fred Marshall commented:
I hope the Cisco devices will do that for you.  Honestly, I don't know how to do that.
Here's why:

You set up a VPN from Site A to the Data Center.
You set up a VPN from Site B to the Data Center.
You launch a packet from Site A destined for Site B.
Let's just say there's a separate Gateway at each site .. not the VPN device.
So, you set up a route in the Gateway at Site A to send packets destined for Site B to the VPN device.
Either:
- the VPN device gets the packets destined for Site B and doesn't know what to do with them because that's not the terminating subnet for the VPN ... so it drops those packets.
- The VPN device knows what to do with packets destined for Site B and puts them on the VPN somehow.... I'm not sure this works but let's just say it does.
- The terminating VPN device at the Data Center gets packets destined for Site B.  One would hope that it would know to forward them to the other tunnel or to another VPN device on the Site A subnet.

The return path will go through the local site Gateway device.  If it has stateful packet inspection on LAN packets then it may not recognize the state because packets arriving from the VPN don't go through the Gateway at all.  This is likely the case you have now and must have dealt with it.

I think the best bet is to set up a VPN between Site A and Site B.  You have the equipment and the connections already.  That's much easier and cleaner.  It's exactly what I'm doing with 3 sites - each site has one VPN device with 2 VPNs set up so that all sites are connected 1-to-1.
 
eAtlanta (Author) commented:
I've not done this before either but I have several customers who want to do this.  I'm pretty sure it is possible.  I played around with hairpinning but I can't get it to work and am not sure that a band-aid like hairpinning is the best solution.  I think to do it, I have to set up a way so that when the packet reaches the datacenter ASA it doesn't get NAT'ed, but I'm not real knowledgeable on how to program NAT/NoNat that way.
 
Greg Hejl commented:
If you tell Site A to route the Site B network to the datacenter, the datacenter will know where to send the packets.

If you tell Site B to route the Site A network to the datacenter, the datacenter will know where to send the packets.

If you want a backup route for each site, set up a VPN between Site A and Site B and give the route rule a lesser priority.
 
eAtlanta (Author) commented:
I've included a few more lines of config for both Firewalls.  We will be adding more Sites in the future just like Site A so doing two additional VPNs for each new site will get unwieldy.  There has got to be a way to just tell the Datacenter ASA to forward on packets.  Hasn't anyone solved this at the ASA level?

The Data Center Cisco ASA (IOS 8.2(1)), which is the endpoint for both Site to Site VPNs, is configured:

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.20.10.254 255.255.255.0

**** Site to Site VPN to Site A:
access-list 100 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list 120 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
crypto map xxxx 1 match address 120
crypto map xxxx 1 set peer A.B.C.D
crypto map xxxx 1 set transform-set xxxx
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0

**** Site to Site VPN to Site B:
access-list 100 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
access-list 130 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 2 match address 130
crypto map xxxx 2 set peer D.C.B.A
crypto map xxxx 2 set transform-set xxxx
(Next 3 lines listed again for clarity)
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0
access-group outside_access in interface outside
access-group inside_access in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
_____________________________________________________________________________________

The Cisco ASA (IOS 8.2(1)) at Site A is configured:

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.20.11.254 255.255.255.0

access-list 100 extended permit ip 10.20.11.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 100 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
access-list 110 extended permit ip 10.20.11.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 110 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 1 match address 110
crypto map xxxx 1 set peer W.X.Y.Z
crypto map xxxx 1 set transform-set xxxx
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0
access-group outside_access in interface outside
access-group inside_access in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
____________________________________________________________________________________

I don't have direct access to the ASA in Site B, but I can have changes made to it.
 
eAtlanta (Author) commented:
I have played around with adding some or all of these lines in the DataCenter ASA but can't get it to work without stopping traffic from flowing thru the tunnels.  Does this make sense?

same-security-traffic permit intra-interface
access-list inside_access extended permit ip 10.50.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list inside_access extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
nat-control
static (inside,inside) 10.50.10.0 10.50.10.0 netmask 255.255.255.0
static (inside,inside) 10.20.11.0 10.20.11.0 netmask 255.255.255.0
global (inside) 1 interface

Seems like a couple of route statements might help here also, but I can't figure out exactly where to route traffic to, since traffic has to go across tunnels and there is no explicit inside address for a tunnel that would be its "default gateway".  Something like these, or maybe not; I'm just guessing here:

route inside 10.50.10.0 255.255.255.0 10.10.105.254 1
route inside 10.20.11.0 255.255.255.0 10.20.11.254 1
 
Greg Hejl commented:
http://www.dslreports.com/faq/10380

looks like the answer is using 'tunnel0' as the gateway for the route
 
fgasimzade commented:
Can you post the routes and outside access lists from all of your ASAs?

 
eAtlanta (Author) commented:
There is only one route statement in each ASA currently and it is listed above; it points to the Cisco Router, which is the default gateway outside IP address provided by the ISP in each case.  The outside access lists for both ASAs are the same and they are:

access-list outside_access extended permit ip any any
access-list outside_access extended permit icmp any any
 
fgasimzade commented:
Access-lists on both ASAs or all 3 ASAs?
 
eAtlanta (Author) commented:
I don't have the config for the ASA at Site B as I don't control it.  I do have the ability to have changes made to it.  So the Access Lists on both ASAs, for Site A and the DataCenter, for both inside and outside are the same:

access-list outside_access extended permit ip any any
access-list outside_access extended permit icmp any any
access-list inside_access extended permit ip any any
access-list inside_access extended permit icmp any any
 
fgasimzade commented:
Try adding these lines on the Data Centre ASA:

access-list 120 extended permit ip 10.50.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list 130 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
 
eAtlanta (Author) commented:
I added those lines, which now that I look were obviously missing.  Still no Joy in Mudville.  Then I try adding: same-security-traffic permit intra-interface   and Mighty Casey hits a grand slam!  There will be Joy in Mudville tonight after all.  (Did I spell Mudville right?)  

Anyway, thanks a ton for pointing me to it!  You get all of the points.  I guess this is simple hairpinning without all of the extra crap I tried above.  I hope this helps others.
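A config check for the fix that worked above, written as an added example (not code from the thread or from Cisco): it parses the hub's crypto-map ACLs from the Data Center lines posted here and reports, for the Site A (10.20.11.0/24) to Site B (10.50.10.0/24) flow, which mirrored crypto ACL entries and the same-security-traffic permit intra-interface command are still missing. It only understands the "permit ip <net> <mask> <net> <mask>" ACL form used in the posted configs, and it assumes the spoke-side crypto ACLs are already correct (as Site A's ACL 110 is).

```python
import ipaddress
import re

# Hub (Data Center) lines copied from the thread, as they were before the fix.
HUB_BEFORE = """access-list 120 extended permit ip 10.20.10.0 255.255.255.0 10.20.11.0 255.255.255.0
crypto map xxxx 1 match address 120
access-list 130 extended permit ip 10.20.10.0 255.255.255.0 10.50.10.0 255.255.255.0
crypto map xxxx 2 match address 130
"""
# The two ACL lines fgasimzade suggested, plus the command eAtlanta found was also required.
HUB_FIX = """access-list 120 extended permit ip 10.50.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list 130 extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
same-security-traffic permit intra-interface
"""
ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)$")

def parse(config):
    """Return ({acl: [(src, dst)]}, {acls bound to crypto maps}, intra-interface present?)."""
    acls, crypto_acls = {}, set()
    for line in map(str.strip, config.splitlines()):
        m = ACL_RE.match(line)
        if m:  # subnet/mask entries only; "any" is not handled
            src, dst = (ipaddress.ip_network(f"{m[i]}/{m[i + 1]}") for i in (2, 4))
            acls.setdefault(m[1], []).append((src, dst))
        m = MAP_RE.match(line)
        if m:
            crypto_acls.add(m[1])
    return acls, crypto_acls, "same-security-traffic permit intra-interface" in config

def covers(entries, src, dst):
    # True if some entry permits src -> dst (the flow lies inside the entry's subnets).
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def spoke_to_spoke_gaps(config, net_a, net_b):
    """List what the hub lacks for net_a <-> net_b to hairpin across its two tunnels:
    the tunnel to spoke A (its crypto ACL already reaches net_a) must also match
    net_b -> net_a, and the tunnel to spoke B must match net_a -> net_b."""
    acls, crypto_acls, intra = parse(config)
    a, b = ipaddress.ip_network(net_a), ipaddress.ip_network(net_b)
    gaps = []
    for name in sorted(crypto_acls):
        entries = acls.get(name, [])
        if any(a.subnet_of(d) for _, d in entries) and not covers(entries, b, a):
            gaps.append(f"acl {name}: missing permit {b} -> {a}")
        if any(b.subnet_of(d) for _, d in entries) and not covers(entries, a, b):
            gaps.append(f"acl {name}: missing permit {a} -> {b}")
    if not intra:  # decrypted packets must re-enter the outside interface they arrived on
        gaps.append("missing: same-security-traffic permit intra-interface")
    return gaps
```

The hub's interface ACLs posted here are permit ip any any, so the hairpinned Site A to Site B path inherits no filtering; this check confirms only that the tunnels will carry the flow, not that the policy is as tight as intended.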
 
fgasimzade commented:
But you had this command already configured, no?

same-security-traffic permit intra-interface

I saw it in one of your posts
 
eAtlanta (Author) commented:
I was trying to get that command to work, but without your missing access lists, it wasn't enough.  I've put it in and taken it out of the config several times today.  It needs to be in there though as I tried it without it, and it does not work without it.
 
fgasimzade commented:
Ah, ok, I thought it was still there :)

 
eAtlanta (Author) commented:
I didn't end up using any of these commands with it though:

access-list inside_access extended permit ip 10.50.10.0 255.255.255.0 10.20.11.0 255.255.255.0
access-list inside_access extended permit ip 10.20.11.0 255.255.255.0 10.50.10.0 255.255.255.0
nat-control
static (inside,inside) 10.50.10.0 10.50.10.0 netmask 255.255.255.0
static (inside,inside) 10.20.11.0 10.20.11.0 netmask 255.255.255.0
global (inside) 1 interface
route inside 10.50.10.0 255.255.255.0 10.10.105.254 1
route inside 10.20.11.0 255.255.255.0 10.20.11.254 1
 