https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369369#M969433 <HTML><HEAD></HEAD><BODY><P>Have Tx end tech check the configs. Try debug icmps and see where the replies dropped.</P><P></P><P>hth</P><P>MS</P></BODY></HTML> Thu, 10 Dec 2009 21:33:34 GMT mvsheik123 2009-12-10T21:33:34Z https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369363#M969427 <P>I was able to built tunnel between L2L fallowing this example:<SPAN style="font-size: 10pt;">"Add a New Tunnel or Remote Access to an Existing L2L VPN"</SPAN></P><P>I've tried to add other tunnel to the NY (HQ) Firewall. Is it possible to add more tunnel ?</P><P>My configuration is TN, NY, and CA tunneled between each other. Everyone have access to each other network. We've setup a new tunnel to access TX through NY but only TN and NY can access TX. I can't access TX from CA. Are there any restriction in the number of tunnel on NY.</P><P>NY is a Cisco ASA 5510</P><P>TN is a Cisco PIX 515</P><P>CA is a Cisco ASA 5510</P> Fri, 21 Feb 2020 11:49:24 GMT https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369363#M969427 martin.loiselle 2020-02-21T11:49:24Z https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369364#M969428 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>5510 with Sec+ license will suppprt upto 250vpn peers. Looks like your issue relates to more of configuration (ex:hairpin ACLs/routes)&gt; please post the sanitized configs.</P><P></P><P>hth</P><P>MS</P></BODY></HTML> Thu, 10 Dec 2009 15:34:28 GMT https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369364#M969428 mvsheik123 2009-12-10T15:34:28Z https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369365#M969429 <HTML><HEAD></HEAD><BODY><P><STRONG style="text-decoration: underline; ">Let say this is the NY firewall:</STRONG></P><P></P><P>ASA Version 8.0(4)</P><P>!</P><P>interface Ethernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address x.x.x.x 255.255.255.240</P><P>!</P><P>interface Ethernet0/1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.10.20.x 255.255.255.0</P><P>...</P><P>same-security-traffic permit intra-interface</P><P>...</P><P>access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0</P><P>access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0</P><P>access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0</P><P>access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0</P><P>access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0</P><P>access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.20.0 255.255.255.0</P><P>access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0</P><P>access-list vpn_no-nat extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0</P><P>access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 172.16.100.0 255.255.255.0</P><P>.....</P><P>access-list vpn_CA extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0</P><P>access-list vpn_CA extended permit ip 10.29.68.0 255.255.255.0&nbsp; 10.10.50.0 255.255.255.0</P><P>....</P><P>access-list vpn_TN extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0</P><P>access-list vpn_TN extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0</P><P>....</P><P>access-list vpn_TX extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0</P><P>access-list vpn_TX extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0</P><P>access-list vpn_TX extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0</P><P>....</P><P>ip verify reverse-path interface outside</P><P>.....</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list vpn_no-nat</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>.....</P><P>access-group acl-out in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 x.x.x.x 1</P><P>....</P><P>sysopt connection preserve-vpn-flows</P><P>...</P><P>crypto map medrium_vpns interface outside</P><P>crypto isakmp enable outside</P><P>...</P><P> split-tunnel-policy tunnelall</P><P>===========================================================</P></BODY></HTML> Thu, 10 Dec 2009 16:26:55 GMT https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369365#M969429 martin.loiselle 2009-12-10T16:26:55Z https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369366#M969430 <HTML><HEAD></HEAD><BODY><P><SPAN style="background-color: #f8fafd;">ACL statements looks correct on NY end. do you have config for tx end?</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Also, here are my 2 cents.. you may not need all those 'nonat' statements for spoke-spoke subnets. The traffic not originated from NY end (inside).</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">ex: access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">hth</SPAN></P><P><SPAN style="background-color: #f8fafd;">MS</SPAN></P></BODY></HTML> Thu, 10 Dec 2009 16:56:27 GMT https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369366#M969430 mvsheik123 2009-12-10T16:56:27Z https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369367#M969431 <HTML><HEAD></HEAD><BODY><P><SPAN style="text-decoration: underline;">This is CA firewall: (the one that is not able to talk to TX)<BR /></SPAN></P><P><BR /> access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0<BR /> access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.1.0 255.255.255.0<BR /> access-list vpn_no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0<BR /> access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0<BR /> access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0<BR /> access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0<BR /> <BR /> access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0<BR /> access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0<BR /> <BR /> access-list vpn_TN extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0</P><P></P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list vpn_no-nat</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>access-group acl-out in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 x.x.x.x 1</P><P>route inside 192.168.2.0 255.255.255.0 10.10.50.1 1</P></BODY></HTML> Thu, 10 Dec 2009 17:17:00 GMT https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369367#M969431 martin.loiselle 2009-12-10T17:17:00Z https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369368#M969432 <HTML><HEAD></HEAD><BODY><P>Unfortunately, i can't have TX configuration since i don't manage that one.</P></BODY></HTML> Thu, 10 Dec 2009 18:14:52 GMT https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369368#M969432 martin.loiselle 2009-12-10T18:14:52Z https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369369#M969433 <HTML><HEAD></HEAD><BODY><P>Have Tx end tech check the configs. Try debug icmps and see where the replies dropped.</P><P></P><P>hth</P><P>MS</P></BODY></HTML> Thu, 10 Dec 2009 21:33:34 GMT https://community.cisco.com/t5/network-security/how-to-add-multiple-tunnel-to-an-existing-l2l/m-p/1369369#M969433 mvsheik123 2009-12-10T21:33:34Z