cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
931
Views
0
Helpful
4
Replies
Beginner

CISCO ASA 5510 VPN L2L with remote CISCO Router (HSRP LAN)

Hi

I'll have a problem to configure VPN Ipsec l2l between my CISCO ASA 5510 with HA and a remote lan configured with 2 cisco router with HSRP on lan.

I'll configure a static crypto map with the definition of the two peer (master and backup).

Sometimes happen that the vpn is instaured with the backup router. The phase2 is up but no traffic pass between the two net

Everyone's tags (5)
4 REPLIES 4

CISCO ASA 5510 VPN L2L with remote CISCO Router (HSRP LAN)

Hi,

Why do you add two peers? On the ASA you only need one, the VIP.

As you know, in a specific HSRP group there is one VIP, this is going to be considered the VPN peer.

Please let me know.

Portu.

Please rate any helpful posts

CISCO ASA 5510 VPN L2L with remote CISCO Router (HSRP LAN)

Hello,

As I understood you have an active/standby failover cluster on the ASA side and then a HSRP cloud for the local area network on the router's side. But for the WAN side you are using 2 different broadcast domain. That is why you have 2 crypto-map peers and 2 tunnel-groups on your asa, Correct?

Now, can you check if you have the same crypto ACL for both peers??? If possible post the configuration from the active ASA and the 2 routers.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Beginner

CISCO ASA 5510 VPN L2L with remote CISCO Router (HSRP LAN)

Hi how Julio said

I have the HSRP only on the router on the LAN side.

My ASA configuration is the following

access-list aclVpn extended permit ip 172.20.0.0 255.255.0.0 172.16.10.0 255.255.255.0

access-list nonat extended permit ip 172.20.0.0 255.255.0.0 172.16.10.0 255.255.255.0

crypto map cryptosede 1 match address aclVpn

crypto map cryptosede 1 set peer peerHDSL peerADSL

crypto map cryptosede 1 set transform-set fimuset

crypto map cryptosede 1 set security-association lifetime seconds 28800

tunnel-group peerHDSL  type ipsec-l2l

tunnel-group peerHDSL 1 ipsec-attributes

pre-shared-key *

tunnel-group peerADSL type ipsec-l2l

tunnel-group peerADSL ipsec-attributes

pre-shared-key *

Do you think that I need to create two separate ACL and crypto map?

Sometimes happen that the vpn comes up on both router and traffic are split (trasmission packet are on one peer and received packet on the otherone)

CISCO ASA 5510 VPN L2L with remote CISCO Router (HSRP LAN)

Hello,

No, on the ASA side you are fine.

Now on the router side is where you need 2 as you have 2 outside WAN interfaces.

Are you using 2 broadcast domain on the router side?

Remember to rate all of the helpful posts ( if you need to know how to rate the posts let me know )

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC