Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2554
Views
33
Helpful
16
Replies

Adding another IPSec tunnel

Go to solution
Collin Clark
VIP Alumni
VIP Alumni

‎12-26-2010 07:51 AM - edited ‎02-21-2020 05:03 PM

I have two remote sites (PIX501's) connecting to the hub (2811). All sites can talk to all sites. For the spokes to talk, they go through the hub. I'm trying add a third site and I can get connectivity to the hub no problem, but not the spokes. Below is a show crypto ipsec sa from the new site.

Hub site: 192.168.12.0 /24

Remote site A: 192.168.13.0 /24 (working)

Remote site B: 192.168.14.0 /24 (working)

Remote site C: 192.168.15.0 /24 (not working)

There is also a diagram attached that show all this a little better.

This looks good other than there are no remotes sites. Connectivity to this network is just fine and it is the hub.

access-list 130 extended permit ip 192.168.15.0 255.255.255.0 192.168.12.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)

Here is the same command from one of the working sites.

local  ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)


local  ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)


local  ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.14.0/255.255.255.0/0/0)

As you can see it builds the tunnel to the hub and each remote site. I can't get the new ASA to do the same. It looks to me like the problem is on the hub. I've removed the crypto map from the interface, built the VPN config multiple times, etc, etc. Please tell me I'm missing something easy. Thanks.

Labels:
Preview file
38 KB
0 Helpful
16 Replies 16

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to Marcin Latosiewicz

‎12-29-2010 09:12 AM

Marcin-

Adding the reverse route on the ASA (192.168.15.0) fixed it! I can now get to 192.168.13.0! All I have to do is figure out the difference between the other tunnels since I've made a million changes. I greatly appreciate the time and effort you put forth helping me with this. If there is anything you ever need, PM me. Thanks again!

PS- Should I be doing this on the other remotes (they are PIX if that makes a difference).

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Collin Clark

‎12-29-2010 10:34 AM

Collin,

Glad you got it working, hopefully people reading this thread in future will find a nice how-to-troubleshoot thread.

Regrading help, I might take you up on this, so be careful what you offer.

Have a good one and Happy New Year (just in case).

Until next thread,

Marcin

0 Helpful
Customers Also Viewed These Support Documents