ASA 5520 (DMZ + INSIDE) VPN tunnel to OUTSIDE destination

George Sypsomos (Level 1)

I can't find any reference to this anywhere else.

We have an ASA 5520 at our HQ site (INSIDE network) with multiple regional subnets on the DMZ interface.

We need Site-to-Site VPN connectivity between the INSIDE and a remote OUTSIDE site, as well as between the DMZ subnets and that same OUTSIDE site. The OUTSIDE interface of the ASA has to be the local VPN endpoint for all tunnels.

I have created a S2S VPN between the INSIDE and the OUTSIDE site and it works fine.

When I create a S2S VPN tunnel between a DMZ site and the same OUTSIDE site (using the same local and remote endpoints, but with a different crypto map because the local subnet (DMZ) is different from the other INSIDE subnet), the traffic gets mapped (show crypto isakmp sa) to the same crypto map that was created for the INSIDE to OUTSIDE tunnel instead of to the new crypto map, so the remote endpoint drops the traffic. It also causes invalid SPIs for the remote endpoint, which causes the original INSIDE to OUTSIDE VPN tunnel to drop occasionally.

Is this a bug?

I have also made a test S2S VPN tunnel, configuring the local networks as everything on INSIDE and DMZ. Using the S2S VPN wizard results in the ASA only creating a NAT exempt rule for the subnet on the INSIDE interface. Can I manually create another NAT exempt rule for the DMZ side, and use this one S2S tunnel to connect the INSIDE and DMZ sites to the remote OUTSIDE site in one connection profile?

Am I building a Rube Goldberg?

Thanks,

George

1 Accepted Solution

rvarelac (Level 7)

Hi George, 

It looks like you have an overlapping situation there. Are you sure the subnets on the inside do not overlap with the DMZ networks? A packet-tracer might clarify what the ASA is actually sending.

Also, you can merge both interfaces on the same crypto map if you wish; only make sure the NAT rules are configured properly. E.g.: nat (any,outside) source static ....

Hope it helps

-Randy-


2 Replies


George Sypsomos (Level 1)

This solved my problem: "you can merge both interfaces on the same crypto map if you wish, only make sure the NAT are configured properly."

Apparently the ASA cannot properly determine which route-map to use when you have two internal networks (off different ASA interfaces) connected via S2S VPN tunnels to one external site, with both using the external interface of the ASA and the same remote endpoint as tunnel endpoints.

I merged the ACLs on both ends, and now the traffic is flowing correctly.

I'm sorry I didn't respond to this message sooner, but I forgot I had posted it because we finally got our Cisco maintenance updated, so I opened a ticket and they explained that it's not something we "could" do, but rather something we "needed" to do.

I should have listened to you, Randy. Thank you.
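The configuration shape Randy suggests and George ended up with (one crypto map entry for the peer, one crypto ACL covering both local subnets, and an identity NAT rule per local interface), written out as an added example. This is not the poster's configuration and not Cisco's documentation; all addresses, object names, the peer IP and the map/ACL names are assumed for illustration, and it uses ASA 8.4+ syntax (object-based NAT, the ikev1 keyword). The remote side must carry the mirror image of VPN-TO-REMOTE, i.e. both HQ subnets as its remote networks, or the proxy-ID mismatch and invalid-SPI symptoms from the question return.

```cisco
! Added example (hypothetical addressing), not the original poster's config.
! Assumed topology:
!   inside  10.1.0.0/24   dmz 10.2.0.0/24   remote site 192.168.50.0/24
!   local VPN endpoint = outside interface, remote peer = 203.0.113.10
object network HQ-INSIDE
 subnet 10.1.0.0 255.255.255.0
object network HQ-DMZ
 subnet 10.2.0.0 255.255.255.0
object network REMOTE-SITE
 subnet 192.168.50.0 255.255.255.0
object-group network HQ-LOCAL
 network-object object HQ-INSIDE
 network-object object HQ-DMZ
!
! One crypto ACL that covers BOTH local subnets to the remote site.
! This replaces two separate ACLs / two crypto map entries for the same peer.
access-list VPN-TO-REMOTE extended permit ip object-group HQ-LOCAL object REMOTE-SITE
!
! Identity (exempt) NAT for each local interface. The S2S wizard only
! creates the inside one; the DMZ rule must be added by hand.
nat (inside,outside) source static HQ-INSIDE HQ-INSIDE destination static REMOTE-SITE REMOTE-SITE no-proxy-arp route-lookup
nat (dmz,outside) source static HQ-DMZ HQ-DMZ destination static REMOTE-SITE REMOTE-SITE no-proxy-arp route-lookup
!
! A single crypto map entry for this peer. Two entries (e.g. seq 10 and 20)
! pointing at the same peer with different ACLs is what the question describes.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>
!
! Checks (run from exec mode, not part of the config):
!   packet-tracer input dmz tcp 10.2.0.10 12345 192.168.50.10 443
!     -> expect the NAT phase to hit the (dmz,outside) identity rule and the
!        VPN phase to select OUTSIDE_MAP seq 10 / ACL VPN-TO-REMOTE
!   show crypto ipsec sa peer 203.0.113.10
!     -> one local/remote ident pair per ACL line, both 10.1.0.0/24 and
!        10.2.0.0/24 listed against 192.168.50.0/24
```

The packet-tracer runs are the check Randy asked for: one from an inside host and one from a DMZ host, both to the remote site. If either run shows the packet being translated by a non-identity NAT rule, or dropped before the VPN phase, the NAT exemption for that interface is missing or ordered after a broader rule, which is the case the wizard leaves behind for the DMZ side.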