Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
357
Views
0
Helpful
3
Replies

Routing traffic between 2 site-to-site VPN

Kurt Lei
Level 1
Level 1

‎06-13-2016 09:36 PM - edited ‎03-12-2019 12:52 AM

Hi all,

In the diagram, I'm going to build connection from PC1 to PC2 via 2 VPN tunnels. Now, I observed the traffic in ASA2

> VPN2 seems normal (i.e. encaps and decaps are accumulated)
access-list outside_cryptomap_440 extended permit ip 10.130.107.0 255.255.255.0 host 10.130.96.12
local ident (addr/mask/prot/port): (10.130.107.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.130.96.12/255.255.255.255/0/0)
current_peer: 62.146.20.148

#pkts encaps: 104, #pkts encrypt: 104, #pkts digest: 104
#pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104

> However, VPN1 seems can't encap back HKDC side.
access-list outside_cryptomap_ES3toDC extended permit ip 10.130.96.0 255.255.255.0 10.130.107.0 255.255.255.0
local ident (addr/mask/prot/port): (10.130.96.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.130.107.0/255.255.255.0/0/0)
current_peer: 175.45.32.126

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105

I want to ask a question, can we route the traffic in the same outside interface like my design ? I am thinking whether my access-list is wrongly configured.

Labels:
0 Helpful
3 Replies 3

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎06-13-2016 10:02 PM

Hi,

Either you are missing a route or a NAT for this traffic.

Also check if ESP traffic is being allowed between the VPN1 peers.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Kurt Lei
Level 1
Level 1
In response to Aditya Ganjoo

‎06-13-2016 10:42 PM

Hi Aditya,

At the beginning, I also suspect I missed routes or NAT exempt.

I have added below commands in ASA2 but still failed.

route outside 10.130.107.0 255.255.255.0 [ISP gateway]

nat (any,outside) source static 10.130.96.0 10.130.96.0 destination static 10.130.107.0 10.130.107.0 no-proxy-arp

Also, do you mean it should allow port 500,4500 on both ASA outside interface on both VPN1 peers ?

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Kurt Lei

‎06-13-2016 11:59 PM

Hi Kurt,

ESP is a different protocol and you need to allow it specifically.

UDP 500/4500 is for isakmp/non-isakmp traffic and is used in Phase 1 while ESP is used to encapsulate the actual traffic..

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card