New tunnel to Data Centre - remote subnet is the same

wayne.fulton1
Level 1

Hi all,

I have an ASA at the office with a VPN tunnel to the data centre. All works fine.

I now need to point the office ASA to a backup IP address at the data centre. But I have a query I am not sure about.

- My office LAN is on subnet 10.10.1.0 255.255.255.0 and the current data centre remote subnet is 10.10.14.0 255.255.255.0

- I have one crypto map with a peer address of the data centre ASA and a match address statement which includes the data centre subnet of 10.10.14.0 255.255.255.0

However, let's say I add another crypto map with a peer address of the backup data centre IP address and use the same transform sets, IKE policies etc. Fine, BUT surely if I add the same match address statement as the other crypto map this will cause routing issues? Because both crypto maps will have the same match address statement for the far end subnet, which is 10.10.14.0 255.255.255.0.

To clarify: the backup data centre ASA is on the same subnet (internal subnet) 10.10.14.0 255.255.255.0 as the main data centre ASA.

So if a packet on my LAN in the office is destined for 10.10.14.23 how does the ASA know which crypto map to send the packet over?

Thanks in advance.

1 Reply 1

wayne.fulton1
Level 1

I think I know the answer to this - if I have two crypto maps using the same match address statement - the ASA will match the crypto map with the lowest number first, therefore route packets over crypto map 1 before crypto map 2. If the peer used by crypto map 1 is offline then the ASA will use the peer specified in crypto map 2.

Thanks anyway.
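As an added example (not from the poster or from Cisco documentation for this thread), this is the ASA way to give one crypto map entry a primary and a backup peer for the same remote subnet, so the match ACL is only configured once instead of on two overlapping entries. Peer addresses, object and tunnel-group names, the transform-set name and the keepalive values are placeholders, and the syntax assumes ASA 8.4 or later with IKEv1.

```cisco
! Added example, not from the original post. Addresses, names and keys are placeholders.
! Office ASA: a single crypto map entry for the data-centre subnet, listing the primary
! and the backup data-centre peer on that same entry. The ASA tries the peers in the order
! given and moves to the next one when the current peer stops answering.

! Interesting traffic: office LAN to the data-centre LAN. Only one copy of this ACL is
! needed because both peers serve the same 10.10.14.0/24 subnet.
access-list DC_VPN_ACL extended permit ip 10.10.1.0 255.255.255.0 10.10.14.0 255.255.255.0

! Assumption: an existing IKEv1 transform set named ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 match address DC_VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10 192.0.2.20
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
! The ASA only allows more than one peer on an entry when it is originate-only,
! i.e. the office side always initiates the tunnel.
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP interface outside

! One tunnel-group per peer. Dead Peer Detection (isakmp keepalive) is what lets the
! ASA notice that the primary has gone away and fail over to the backup; the values
! shown are assumed, not tuned.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key <primary-psk-placeholder>
 isakmp keepalive threshold 10 retry 2

tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 ikev1 pre-shared-key <backup-psk-placeholder>
 isakmp keepalive threshold 10 retry 2

! To see which peer the tunnel is currently up with after a test failover:
!   show crypto isakmp sa
!   show crypto ipsec sa peer 192.0.2.20
```

Each peer needs its own tunnel-group and pre-shared key, and the data-centre ASAs must each accept the office ASA as a peer for the same 10.10.14.0/24 to 10.10.1.0/24 traffic.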