Routing traffic between 2 site-to-site VPN

Kurt Lei
Level 1

Hi all,

In the diagram, I'm going to build a connection from PC1 to PC2 via 2 VPN tunnels. Now, I observed the traffic on ASA2:

> VPN2 seems normal (i.e. encaps and decaps are accumulated)
access-list outside_cryptomap_440 extended permit ip 10.130.107.0 255.255.255.0 host 10.130.96.12
local ident (addr/mask/prot/port): (10.130.107.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.130.96.12/255.255.255.255/0/0)
current_peer: 62.146.20.148

#pkts encaps: 104, #pkts encrypt: 104, #pkts digest: 104
#pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104

> However, VPN1 seems unable to encap back to the HKDC side.
access-list outside_cryptomap_ES3toDC extended permit ip 10.130.96.0 255.255.255.0 10.130.107.0 255.255.255.0
local ident (addr/mask/prot/port): (10.130.96.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.130.107.0/255.255.255.0/0/0)
current_peer: 175.45.32.126

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105

I want to ask a question: can we route the traffic on the same outside interface like in my design? I am thinking whether my access-list is wrongly configured.
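As an added diagnostic, not part of the original thread, this script parses the `show crypto ipsec sa` counters quoted above and flags any SA that decrypts packets but never encapsulates any, which is exactly the VPN1 pattern: traffic arrives from the remote peer, but the reply never matches this crypto ACL on the way out, so the return path (route, NAT exemption, or hairpin permission) is the thing to check. The sample input is constructed from the counters in the post.

```python
import re

# Constructed sample, modelled on the two SA blocks shown in the post above.
SAMPLE_SA_OUTPUT = """\
access-list outside_cryptomap_440 extended permit ip 10.130.107.0 255.255.255.0 host 10.130.96.12
local ident (addr/mask/prot/port): (10.130.107.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.130.96.12/255.255.255.255/0/0)
current_peer: 62.146.20.148

#pkts encaps: 104, #pkts encrypt: 104, #pkts digest: 104
#pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104

access-list outside_cryptomap_ES3toDC extended permit ip 10.130.96.0 255.255.255.0 10.130.107.0 255.255.255.0
local ident (addr/mask/prot/port): (10.130.96.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.130.107.0/255.255.255.0/0/0)
current_peer: 175.45.32.126

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
"""


def parse_ipsec_sas(text):
    """Split the output into one dict per crypto ACL entry: acl name, peer, encaps, decaps."""
    sas = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"access-list (\S+) ", line)
        if m:  # a new SA block starts at its crypto ACL line
            cur = {"acl": m.group(1), "peer": None, "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"current_peer: (\S+)", line)
        if m:
            cur["peer"] = m.group(1)
        for key in ("encaps", "decaps"):
            m = re.search(rf"#pkts {key}: (\d+)", line)
            if m:
                cur[key] = int(m.group(1))
    return sas


def find_one_way_sas(sas):
    """SAs that receive (decaps > 0) but never send (encaps == 0): the reply traffic is
    not being matched by this crypto map, so check routing, NAT exemption or hairpinning."""
    return [sa for sa in sas if sa["decaps"] > 0 and sa["encaps"] == 0]


if __name__ == "__main__":
    for sa in find_one_way_sas(parse_ipsec_sas(SAMPLE_SA_OUTPUT)):
        print(f"one-way SA: {sa['acl']} peer {sa['peer']} decaps={sa['decaps']} encaps=0")
```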

3 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Either you are missing a route or a NAT for this traffic.

Also check if ESP traffic is being allowed between the VPN1 peers.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

At the beginning, I also suspected I had missed routes or a NAT exemption.

I have added the commands below on ASA2, but it still fails.

route outside 10.130.107.0 255.255.255.0 [ISP gateway]

nat (any,outside) source static 10.130.96.0 10.130.96.0 destination static 10.130.107.0 10.130.107.0 no-proxy-arp

Also, do you mean it should allow ports 500 and 4500 on the outside interface of both ASAs on both VPN1 peers?

Hi Kurt,

ESP is a different protocol and you need to allow it specifically.

UDP 500/4500 is for isakmp/non-isakmp traffic and is used in Phase 1, while ESP is used to encapsulate the actual traffic.

Regards,

Aditya

Please rate helpful posts and mark correct answers.
