Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
365
Views
0
Helpful
2
Replies

2 VPN tunnels with Same traffic

vinayjaiswal
Level 3
Level 3

‎04-03-2018 06:30 AM - edited ‎03-12-2019 05:09 AM

Hi Team ,

 

I have an ASA 5585 running in multi context mode.

 

I already have an IPSEC VPN running on system with source as 10.0.0.0/8.

 

Now I have to create one more VPN with source as 10.2.0.0/16 network.

 

The problem is that 10.2.00.00 is also being used at new peer. So they want me to NAT the 10.2.0.0 ip behind 10.250.x.x ip.

 

But my concern is that 10.250.0.0 also falls in 10.0.0.0 and therefore the traffic would go from existing VPN.

 

I tried to add a deny statement for 10.250.x.x IP above the permit statement  in interesting traffic for existing VPN.

But My VPN is not coming up. Not even initiating.

 

sh crypto isa sa shows only existing VPN

 

Labels:
0 Helpful
2 Replies 2

Bogdan Nita
VIP Alumni
VIP Alumni

‎04-03-2018 07:08 AM

Deny statement in crypto acl works, so it should be something else.

Can you post a packet-tracer with details ?

0 Helpful

vinayjaiswal
Level 3
Level 3
In response to Bogdan Nita

‎04-03-2018 07:16 AM

I thought the same.

But something is going wrong.

When I remove the deny statement from interesting traffic , I can see VPN phase in packet tracer and it must be going through existing VPN.

However , when I put deny statement and then packet-tracer , it doesn't show VPN phase in output.
0 Helpful
Customers Also Viewed These Support Documents