12-04-2015 12:12 PM
I can't find any reference to this anywhere else.
We have an ASA 5520 at our HQ site (INSIDE network) with multiple regional subnets on the DMZ interface.
We need Site-to-Site VPN connectivity between the INSIDE and a remote OUTSIDE site, as well as between the DMZ subnets and that same OUTSIDE site. The OUTSIDE interface of the ASA has to be the local VPN endpoint for all tunnels.
I have created a S2S VPN between the INSIDE and the OUTSIDE site and it works fine.
When I create a S2S VPN tunnel between a DMZ site and the same OUTSIDE site (using the same local and remote endpoints, but with a different crypto map because the local subnet (DMZ) is different from the INSIDE subnet), the traffic gets mapped (show crypto isakmp sa) to the crypto map that was created for the INSIDE-to-OUTSIDE tunnel instead of to the new crypto map, so the remote endpoint drops the traffic. It also causes invalid SPIs for the remote endpoint, which makes the original INSIDE-to-OUTSIDE VPN tunnel drop occasionally.
Is this a bug?
I have also made a test S2S VPN tunnel configuring the local networks as everything INSIDE and DMZ. Using the S2S VPN wizard results in ASA only creating a NAT exempt rule for the subnet on the INSIDE interface. Can I manually create another NAT exempt rule for the DMZ side, and use this one S2S tunnel to connect the INSIDE and DMZ sites to the remote OUTSIDE site in one connection profile?
Am I building a Rube Goldberg?
Thanks,
George
12-04-2015 04:36 PM
Hi George,
It looks like you have an overlapping situation there. Are you sure the subnets on the inside do not overlap with the DMZ networks? A packet-tracer might clarify what the ASA is actually sending.
Also, you can merge both interfaces on the same crypto map if you wish; only make sure the NAT is configured properly, e.g. nat (any,outside) source static ....
Hope it helps
-Randy-
06-02-2016 07:20 AM
This solved my problem: "you can merge both interfaces on the same crypto map if you wish, only make sure the NAT are configured properly."
Apparently the ASA cannot properly determine which route-map to use when you have two internal networks (off different ASA interfaces) connected via S2S VPN tunnels to one external site, with both using the external interface of the ASA and the same remote endpoint as tunnel endpoints.
I merged the acl's on both ends, and now the traffic is flowing correctly.
I'm sorry I didn't respond to this message sooner, but I forgot I had posted it because we finally got our Cisco maintenance updated, so I opened a ticket and they explained that it's not something we "could" do, but instead that we "needed" to do.
I should have listened to you, Randy. Thank you.
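What the merged configuration looks like in practice, written here as an added example and not taken from George's or Randy's actual configs. It assumes ASA 8.3+ NAT syntax, interface names inside, dmz and outside, constructed subnets (10.1.0.0/16, 10.2.0.0/16, 192.168.50.0/24), a placeholder peer address 203.0.113.10 and an IKEv1 transform set named ESP-AES256-SHA; adjust all of these to the real environment. The security-relevant points are that both local networks sit in one crypto ACL behind one crypto map entry for the peer, that each local interface gets its own identity NAT so VPN traffic is not translated, and that the remote side's crypto ACL has to mirror both entries or it will keep rejecting the DMZ proxy identity.

```cisco
! --- Constructed example objects (replace with real subnets) ---
object network INSIDE_NET
 subnet 10.1.0.0 255.255.0.0
object network DMZ_NET
 subnet 10.2.0.0 255.255.0.0
object network REMOTE_NET
 subnet 192.168.50.0 255.255.255.0

! --- NAT exemption (identity NAT) for BOTH local interfaces ---
! The wizard only creates the first line; the DMZ line is the one that was missing.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup
nat (dmz,outside) source static DMZ_NET DMZ_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup

! --- One crypto ACL covering both local networks to the remote site ---
access-list VPN_TO_REMOTE extended permit ip object INSIDE_NET object REMOTE_NET
access-list VPN_TO_REMOTE extended permit ip object DMZ_NET object REMOTE_NET

! --- One crypto map entry for this peer (not two entries with the same peer) ---
crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! --- Verification (constructed addresses) ---
! Simulate a DMZ host reaching the remote site; the trace should end in the VPN
! encrypt phase rather than being dropped or translated.
packet-tracer input dmz tcp 10.2.0.10 12345 192.168.50.20 443
! Both proxy identities (10.1.0.0/16 and 10.2.0.0/16 toward 192.168.50.0/24)
! should appear under the same peer with their own SPIs.
show crypto ipsec sa peer 203.0.113.10
```

Whichever side adds the second subnet to its crypto ACL first will see phase-2 mismatches until the peer is updated to the same pair of entries, so change both ends in one maintenance window and confirm with the two show/trace commands above before declaring the DMZ path working.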