Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
325
Views
0
Helpful
1
Replies

multiple vpn3k lan to lan

djenkins
Level 1
Level 1

‎01-16-2007 03:19 AM - edited ‎02-21-2020 01:22 AM

Hope you guys can help; I'll start by outlining the current situation.

We have a small site in Malaysia (KL) that has a vpn 3000 concentrator. This has a single ipsec lan-to-lan tunnel with our head office in the US. All traffic goes over this tunnel, there is no local breakout for Internet or email; the firewall is in the US, as is the mail server.

The IT dept supporting Asia is in the UK (a main site on our WAN). When remote controlling machines, or copying files, the traffic goes to the states first, and then to KL (slow).

Solution? I've got an ASA in the UK connected to a DSL line. I've created a tunnel between KL and the UK and modified the routing on the UK LAN to pass traffic bound for the KL LAN, to the ASA.

I think my problem lies with the network-lists on the KL vpn3k (I stand to be corrected).

I have two network lists; one for the US tunnel, and one for the UK tunnel. If this were IP routing statements, I'd have something like:

0.0.0.0 0.0.0.0 US Tunnel

followed by the specific subnets in the UK.

Basically, I'd like a way of telling the vpn3k in KL to send traffic to the US unless otherwise stated. Is this possible?

My understanding of the network-lists is that, if I put the '0' network in the US tunnel's network list, it'll send all traffic there including the traffic I actually want to go to the UK; is this correct? Is there a way round this? As the Internet, and lots of other services are via the US, it's not possible to create a network list that catches all.

thanks so much for your help.

0 Helpful
1 Reply 1

Not applicable

‎01-22-2007 07:53 AM

With Release 3.6.1, you can also enable NAT traversal for LAN-to-LAN sessions. For a LAN-to-LAN connection, you must also check the IPSec over NAT-T check box in the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify screen.

LAN-to-LAN NAT Traversal has the following limitations and requirements:

You must open UDP port 4500 on any firewall you have configured in front of a VPN Concentrator. This is the destination port for the inbound direction from any source port.

Because NAT-T depends on UDP port 4500 being available, if a previous IPSec/UDP configuration is already using that port, you must reconfigure that earlier IPSec/UDP configuration to use a different UDP port.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card