ASA site to site VPN assistance

If you look at the network diagram, the Corporate Office 1 ASA has a site-to-site VPN to all other locations.  We just opened up Corporate Office 2 and installed an ASA5510 as seen at the bottom.  I created a VPN between Corporate Office 1 and Corporate Office 2.  Now from Corporate Office 2, I want to be able to reach all the datacenters up top.  I don't want to create a separate VPN on the Corporate Office 2 ASA5510 to all the datacenters.  The question is, since I have a VPN between the two corporate offices, how do I access all the datacenters from Corporate Office 2 going through Corporate Office 1?

Network-Diagram.jpg
denver218 asked:

Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Hi

Honestly I have never built such a setup, but let me think with you.
Now between branch office 1 and 2 there are 2 access-lists active, right? Both the same but vice versa.

My guess is you need an ACL for each tunnel in the office 1 config.
Like: access-list permit branch2 datacenter1
access-list permit branch2 datacenter2
ffleisma (Senior Network Engineer) commented:
Basically what you are doing is making Corporate Office 1 your hub, with each DC ASA and Corporate Office 2 as the spokes. Additionally you are requiring spoke-to-spoke communication (more specifically Corporate Office 2 to each DC ASA).

I don't necessarily agree with the design, and it is more often preferred to have the hub at the DC. However, this doesn't mean it is not possible. What you would like to look into is "hub and spoke ASA VPN". Here are a few links that can help you, depending on whether you are configuring via CLI or ASDM and on your ASA version.

https://supportforums.cisco.com/document/12015091/cisco-asa-vpn-spoke-spoke-communication-hub

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/64692-enhance-vpn-pix70.html

The basic idea is that on the Hub (Corporate Office 1), try looking into same-security-traffic permit intra-interface. This permits traffic incoming from an interface to go out the same interface (outside/internet interface).

In summary:

On the DC ASA:
 - include the Corporate Office 2 subnet in the ACL, NAT and crypto config relating to Corporate Office 1

On Corporate Office 1:
 - create new ACL, NAT and crypto config relating to Corporate Office 2
 - configure same-security-traffic permit intra-interface
 - include the Corporate Office 2 subnet in the ACL, NAT and crypto config relating to each DC ASA

On Corporate Office 2:
 - create new ACL, NAT and crypto config relating to Corporate Office 1

Now as you can see, you'll still have to touch the config on each of the ASAs at the DCs, so my suggestion would be: why not just have Corporate Office 2 go directly to each DC? This would be more efficient and would avoid using bandwidth twice on Corporate Office 1 (incoming/outgoing) when Corporate Office 2 needs to talk to each of the DCs.

Hope this helps and gives you some ideas; let us know if you have further questions and I'll be glad to help out!
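To make the hub-side changes from the summary above concrete, here is an added ASA 8.3+ configuration fragment for the Corporate Office 1 (hub) ASA; it is not from the answer or from Cisco, and every address, object and map name in it is a constructed placeholder (Office 1 LAN 10.1.0.0/16, Office 2 LAN 10.2.0.0/16, one DC LAN 10.10.0.0/16, peers in 203.0.113.0/24). The same pattern is repeated for every additional DC tunnel, and each spoke needs the mirror-image crypto ACL entry.

```cisco
! Allow traffic that arrives on "outside" (from Office 2) to leave on "outside" again (to the DC)
same-security-traffic permit intra-interface

! Constructed address objects (placeholders, not from the question)
object network OFFICE1_LAN
 subnet 10.1.0.0 255.255.0.0
object network OFFICE2_LAN
 subnet 10.2.0.0 255.255.0.0
object network DC1_LAN
 subnet 10.10.0.0 255.255.0.0

! Crypto ACL for the Office 2 tunnel: the DC subnet must be listed as "local" traffic,
! otherwise Office 2 packets for the DC never match this SA
access-list VPN_TO_OFFICE2 extended permit ip object OFFICE1_LAN object OFFICE2_LAN
access-list VPN_TO_OFFICE2 extended permit ip object DC1_LAN object OFFICE2_LAN

! Crypto ACL for the DC tunnel: the Office 2 subnet must be listed as "local" traffic
! (the DC ASA needs the mirror image: its LAN -> OFFICE2_LAN in its ACL for the Office 1 peer)
access-list VPN_TO_DC1 extended permit ip object OFFICE1_LAN object DC1_LAN
access-list VPN_TO_DC1 extended permit ip object OFFICE2_LAN object DC1_LAN

! Identity (no-translation) NAT for the hub's own LAN to each spoke
nat (inside,outside) source static OFFICE1_LAN OFFICE1_LAN destination static OFFICE2_LAN OFFICE2_LAN
nat (inside,outside) source static OFFICE1_LAN OFFICE1_LAN destination static DC1_LAN DC1_LAN

! Identity NAT for the hairpinned spoke-to-spoke flows (outside in, outside out)
nat (outside,outside) source static OFFICE2_LAN OFFICE2_LAN destination static DC1_LAN DC1_LAN
nat (outside,outside) source static DC1_LAN DC1_LAN destination static OFFICE2_LAN OFFICE2_LAN

! One crypto map entry per peer, each tied to its own crypto ACL
crypto map OUTSIDE_MAP 10 match address VPN_TO_OFFICE2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address VPN_TO_DC1
crypto map OUTSIDE_MAP 20 set peer 203.0.113.10
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Check: packet-tracer should show the flow entering and leaving "outside" with no NAT
! and a VPN encrypt action; "show crypto ipsec sa" then lists a separate SA per proxy pair
packet-tracer input outside icmp 10.2.0.10 8 0 10.10.0.10
```

Note that the hub decrypts and re-encrypts every Office 2 to DC packet, so that traffic is briefly in the clear on the hub and bypasses the inside interface ACL; if you want to restrict what Office 2 may reach in the DCs, tighten the crypto ACLs to the required hosts and ports or add a VPN filter on the Office 2 tunnel group.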

Pete Long (Technical Consultant) commented:
ffleisma is correct. If office 2 was of any size I would put in a VPN from it to each DC, but this does not scale very well if you are going to expand!
denver218 (Author) commented:
Thanks.