
route through one l2l VPN into another l2l VPN


  • route through one l2l VPN into another l2l VPN

    Hello all, the place where I work recently purchased two 5505 and one 5510 ASAs. They are not in production, and as no one here has a lot of experience with Cisco and certainly not with ASAs, I'm taking the time to learn as much as I can before we replace our aging Sonicwall with the 5510. Eventually the 5505s will be placed at branch offices where we will set up VPN tunnels over the internet as backups to the DS1 circuits we currently have connecting us together.

    I'm taking this learning process a bit at a time. I've gone through a basic setup with NAT (PAT) for allowing internal clients access to the internet, allowing the outside to access the inside network (RDP, SMTP, etc.) and getting more than one site-to-site tunnel established to a single ASA.

    Here's what I want to do next but I can't seem to get it going.

    I have 3 ASAs. Two 5505s named SCLIFF and MEADOWS. The 5510 is called MAIN.

    As it's set up right now I have a VPN from MAIN - SCLIFF and a VPN from MEADOWS - SCLIFF. What I want to do is route traffic originating from the internal network on MAIN through SCLIFF to the internal network on MEADOWS and from MEADOWS back to MAIN. I know I could just establish a VPN between MAIN and MEADOWS but that's not the point. I'm trying to figure out how to do the routing through multiple VPNs in a non-meshed topology.

    Here are my configs in case you would like to look through them.

    Any suggestions are greatly appreciated!!
    Last edited by bill_sffcu; 27th June 2008, 20:32.
    CCA: XenApp 5.0

  • #2
    Re: route through one l2l VPN into another l2l VPN

    NOTE: FYI, I'm not new to Cisco but it has been a long time since I've worked with the stuff. I've had next to no experience working with ASAs before about 2 weeks ago when I sat down determined to learn our new equipment. So, with that said, I would definitely defer to the resident Cisco experts when my advice differs from theirs.

    Alright, here's how I got it to work.

    My setup for those who don't want to parse through the configs.

    inside network

    inside network

    inside network

    VPN from MAIN to SCLIFF
    SCLIFF is acting as a 'hub' for the VPNs, if you will.

    Alright. I'm going to assume that anyone reading this already knows how to set up a site-to-site VPN and understands the pieces necessary to get that working.

    As it was before I could get from the 10.0 to the 12.0 or 11.0 networks because they were directly connected via the VPN tunnels. I could not get from the 11.0 to the 12.0 networks, or the other way around.

    There were three basic things I had to change.

    1. Modifying my existing access-lists to allow the traffic between the networks.
    2. Modifying my existing access-lists to stop NAT for the traffic between the networks.
    3. Adding the same-security-traffic permit intra-interface to the SCLIFF ASA.

    1: I had to modify access-lists on all three ASAs. For example, on the MAIN ASA I already had this line in place permitting traffic to the SCLIFF network.
    access-list main-scliff extended permit ip
    I needed to add this line.
    access-list main-scliff extended permit ip

    Likewise on the MEADOWS ASA I needed to add an entry allowing traffic from 11.0 to 12.0.

    On the SCLIFF router I had to add two entries. One of the entries is to allow traffic going from 11.0 to 12.0 and the other entry allows traffic going from 12.0 to 11.0.

    NOTE: This is a bit of a misnomer. The access-lists I'm modifying are the lists that are applied to the crypto map that designates what traffic should be encrypted over the VPN tunnel.

    2: I had to modify the access-list used to bypass NAT.
    Once again using the MAIN ASA as an example.
    Here's what I already had in place.
    access-list nonat extended permit ip
    This access-list was used to determine what traffic was nat-exempt with this command.
    nat (inside) 0 access-list nonat

    I needed to add the following line to the access-list.
    access-list nonat extended permit ip

    Of course a similar modification was made at the MEADOWS ASA.

    3: Lastly I needed to add this command to the SCLIFF ASA.
    same-security-traffic permit intra-interface

    Not 100% sure why, but I believe it's because the traffic between 11.0 and 12.0 is coming into the SCLIFF ASA and then going right back out the same interface. Applying this setting allows that to happen.

    So there it is. Please let me know if you have any criticism, comments, or questions. I'm still learning this stuff myself, so I hope this helps shed some light on the subject for anyone else having trouble.

    Best of luck!!
    CCA: XenApp 5.0
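The three changes in post #2 can be checked mechanically before touching a production box. The script below is an added example, not part of the thread and not bill_sffcu's configs: it parses ASA-style `access-list ... extended permit ip`, `nat (inside) 0 access-list` and `same-security-traffic permit intra-interface` lines for the three ASAs and reports why a spoke-to-spoke flow would fail, then shows it passing once the post's additions are applied. Everything concrete is assumed: the thread's 10.0 / 11.0 / 12.0 networks are modelled as 192.168.10.0/24 (MAIN), 192.168.11.0/24 (MEADOWS) and 192.168.12.0/24 (SCLIFF); SCLIFF's crypto ACL names and the crypto-map-to-peer bindings are invented; and, matching the post's finding that only the spokes' nonat lists needed entries, traffic arriving at the hub on its outside interface is taken not to be subject to `nat (inside) 0`.

```python
import ipaddress
import re

# Constructed configs (not the poster's): the thread's 10.0 / 11.0 / 12.0 networks are
# assumed to be 192.168.10.0/24 (MAIN), 192.168.11.0/24 (MEADOWS), 192.168.12.0/24 (SCLIFF).
N10, N11, N12 = ("192.168.%d.0 255.255.255.0" % n for n in (10, 11, 12))


def acl(name, src, dst):
    """Render one ASA extended ACL entry (subnet-mask form, as on the ASA)."""
    return f"access-list {name} extended permit ip {src} {dst}"


# State before the fix: each spoke only talks to the hub, the hub mirrors each spoke.
BEFORE = {
    "MAIN":    [acl("main-scliff", N10, N12), acl("nonat", N10, N12), "nat (inside) 0 access-list nonat"],
    "MEADOWS": [acl("meadows-scliff", N11, N12), acl("nonat", N11, N12), "nat (inside) 0 access-list nonat"],
    "SCLIFF":  [acl("scliff-main", N12, N10), acl("scliff-meadows", N12, N11),
                acl("nonat", N12, N10), acl("nonat", N12, N11), "nat (inside) 0 access-list nonat"],
}
# The post's three changes: crypto ACL entries mirrored on every peer (1), NAT exemption
# on the spokes (2), and intra-interface hairpinning on the hub (3).
ADDED = {
    "MAIN":    [acl("main-scliff", N10, N11), acl("nonat", N10, N11)],
    "MEADOWS": [acl("meadows-scliff", N11, N10), acl("nonat", N11, N10)],
    "SCLIFF":  [acl("scliff-main", N11, N10), acl("scliff-meadows", N10, N11),
                "same-security-traffic permit intra-interface"],
}
# Assumed crypto-map bindings: which ACL is the 'match address' list for which peer.
PEERS = {"MAIN": {"SCLIFF": "main-scliff"}, "MEADOWS": {"SCLIFF": "meadows-scliff"},
         "SCLIFF": {"MAIN": "scliff-main", "MEADOWS": "scliff-meadows"}}
INSIDE = {"MAIN": "192.168.10.0/24", "MEADOWS": "192.168.11.0/24", "SCLIFF": "192.168.12.0/24"}

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")


class Asa:
    """Just enough of an ASA (pre-8.3 NAT syntax) to reason about which tunnel a flow selects."""

    def __init__(self, name, inside, lines, peers):
        self.name, self.inside, self.peers = name, ipaddress.IPv4Network(inside), peers
        self.acls, self.nonat, self.intra = {}, None, False
        for raw in lines:
            line = raw.strip()
            if m := ACL_RE.match(line):
                n, s, sm, d, dm = m.groups()
                self.acls.setdefault(n, []).append(
                    (ipaddress.IPv4Network((s, sm)), ipaddress.IPv4Network((d, dm))))
            elif m := NAT0_RE.match(line):
                self.nonat = m.group(1)          # ACL bound by 'nat (inside) 0 access-list X'
            elif line == "same-security-traffic permit intra-interface":
                self.intra = True

    def permits(self, acl_name, src, dst):
        return any(src in s and dst in d for s, d in self.acls.get(acl_name, []))


def build_site(with_changes):
    return {n: Asa(n, INSIDE[n], BEFORE[n] + (ADDED[n] if with_changes else []), PEERS[n])
            for n in BEFORE}


def tunnel_path(asas, src_asa, dst_asa):
    """Hops a packet takes: a direct tunnel if one exists, else via a hub peered with both ends."""
    if dst_asa.name in src_asa.peers:
        return [src_asa, dst_asa]
    for hub in asas.values():
        if src_asa.name in hub.peers and dst_asa.name in hub.peers:
            return [src_asa, hub, dst_asa]
    return None


def check_flow(asas, src, dst):
    """Return the list of reasons src->dst (and its replies) would not cross the tunnels; [] if fine."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    src_asa = next((a for a in asas.values() if src in a.inside), None)
    dst_asa = next((a for a in asas.values() if dst in a.inside), None)
    if src_asa is None or dst_asa is None:
        return [f"{src} or {dst} is behind no known ASA"]
    path = tunnel_path(asas, src_asa, dst_asa)
    if path is None:
        return [f"no tunnel path between {src_asa.name} and {dst_asa.name}"]
    problems = []
    # Change 2: traffic entering 'inside' at either end must be NAT-exempt, or PAT rewrites
    # the source address before the crypto ACL is consulted and the flow never matches.
    for asa, a, b in ((src_asa, src, dst), (dst_asa, dst, src)):
        if asa.nonat is None or not asa.permits(asa.nonat, a, b):
            problems.append(f"{asa.name}: {a}->{b} not NAT-exempt (nat (inside) 0 / {asa.nonat})")
    # Change 1: each hop's crypto ACL must match the flow and the far side must hold the mirror.
    for a, b in zip(path, path[1:]):
        if not a.permits(a.peers[b.name], src, dst):
            problems.append(f"{a.name}: crypto ACL {a.peers[b.name]} toward {b.name} lacks {src}->{dst}")
        if not b.permits(b.peers[a.name], dst, src):
            problems.append(f"{b.name}: crypto ACL {b.peers[a.name]} toward {a.name} lacks {dst}->{src}")
    # Change 3: a hub sends decrypted spoke traffic back out the interface it arrived on.
    for hub in path[1:-1]:
        if not hub.intra:
            problems.append(f"{hub.name}: 'same-security-traffic permit intra-interface' missing")
    return problems


if __name__ == "__main__":
    for stage in (False, True):
        print("with changes" if stage else "before changes")
        for p in check_flow(build_site(stage), "192.168.10.5", "192.168.11.5") or ["ok"]:
            print("  ", p)
```

Run as-is, the "before" pass lists seven findings for a MAIN-to-MEADOWS flow (the missing nonat entry at each spoke, the missing crypto ACL entry on all four tunnel ends, and the missing intra-interface permit on SCLIFF), while the direct MAIN-to-SCLIFF flow already passes; the "with changes" pass is clean in both directions. The mirror check is the part worth keeping: a proxy-identity mismatch between two peers is the usual reason phase 2 never comes up after editing one side's crypto ACL.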