cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4172
Views
0
Helpful
2
Replies

ASA 5510 multiple VPN tunnels via different interfaces

spence
Level 1
Level 1

Is it possible to create VPN tunnels out more than one interface of an ASA (specifically 5510 with 8.4) , or am I trying to do the impossible?

We have 2 public interfaces on our ASA connected to 2 different ISPs.

We have working L2L tunnels from the ASA to remote offices via the interface that is our "primary" ISP and also used as our default gateway for internet traffic.

We are trying to move one remote office to use our secondary connection for its tunnel (high-traffic office that we would prefer to separate away from the rest of our internet and VPN traffic).

I can create the tunnel with appropriate ACL for tunnel traffic, crypto map, etc., set up a static route to force the ASA to use the secondary interface for traffic destined to the public IP of the remote gateway, and when I'm done, traffic initiated by the remote site will cause the tunnel to negotiate and come up - I can see the tunnel in show crypto ikev1 sa as L2L responder MM_ACTIVE, show ipsec sa  with correct destination and correct local/remote identities for interesting traffic, but the local ASA never tries to send traffic out the tunnel.  If I use packet tracer, it never shows a VPN involved in traffic from main office to the remote office as if the ASA isn't seeing this as matching traffic for the VPN tunnel.

If I take the exact same access-list and crypo map statements and change them to use the primary ISP's connection (and, of course, change the IP the remote field office is connecting to), then the connection works as expected.

What am I missing?

Here's a sample of the VPN config:  (PUBLIC_B is our second ISP link, 192.168.0.0/23 is MainOffice, 192.168.3.0/24 is FieldOffice)

access-list PUBLIC_B_map extended permit 192.168.0.0 255.255.254.0 192.168.3.0 255.255.255.0

nat(INSIDE,PUBLIC_B) source static MainOffice MainOffice static FieldOffice FieldOffice

crypto map PUBLIC_B_map 10 match address PUBLIC_B_map

crypto map PUBLIC_B_map 10 set peer x.x.x.x

crypto map PUBLIC_B_map 10 set ikev1 transform-set ESP-3DES-SHA

crypto map PUBLIC_B_map interface PUBLIC_B

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

route PUBLIC_B x.x.x.32 255.255.255.224 y.y.y.y 1

If I take this exact same config and change it to use PUBLIC (our main connection) instead of PUBLIC_B,remove the route PUBLIC_B statement, and change the field office to point to PUBLIC's ip address, then everything works, so my access-list and crypto map statements should be correct.

What I don't understand is why the main office ASA doesn't seem to recognize interesting traffic for the tunnel when the tunnel is destined out the second ISP connection, but does work when it is destined out the main ISP.  There is no connectivity issue with ISP B - as mentioned before, the tunnel will come up and negotiate correctly when traffic is initiated from the field office, but the main office traffic is never sent back down the tunnel - it is as if the ASA doesn't think the traffic from 192.168.0.x to 192.168.3.x should go over the VPN.

Any ideas?

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

I would guess that your problem is that there is no route for the actual remote network behind the L2L VPN connection through ISP B

You could try adding adding the following configuration

crypto map PUBLIC_B_map 10 set reverse-route

This should automatically add a Static Route for all the remote networks configured in the Crypto ACL through the ISP B link/interface.

If this doesnt work you could try adding a static route manually for the ISP B link/interface for all the remote networks of the L2L VPN in question and then try again.

The route for the remote VPN peer through the ISP B is not enough to my understanding.

Let me know if this works for you.

Hope it helps

- Jouni

View solution in original post

2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

I would guess that your problem is that there is no route for the actual remote network behind the L2L VPN connection through ISP B

You could try adding adding the following configuration

crypto map PUBLIC_B_map 10 set reverse-route

This should automatically add a Static Route for all the remote networks configured in the Crypto ACL through the ISP B link/interface.

If this doesnt work you could try adding a static route manually for the ISP B link/interface for all the remote networks of the L2L VPN in question and then try again.

The route for the remote VPN peer through the ISP B is not enough to my understanding.

Let me know if this works for you.

Hope it helps

- Jouni

The reverse-route did it.  (I knew I was probably missing something small, but just couldn't figure out what) Thanks!!