ASA 5520 (DMZ + INSIDE) VPN tunnel to OUTSIDE destination

George Sypsomos
Level 1

I can't find any reference to this anywhere else.

We have an ASA 5520 at our HQ site (INSIDE network) with multiple regional subnets on the DMZ interface.

We need Site-to-Site VPN connectivity between the INSIDE and a remote OUTSIDE site, as well as between the DMZ subnets and that same OUTSIDE site. The OUTSIDE interface of the ASA has to be the local VPN endpoint for all tunnels.

I have created a S2S VPN between the INSIDE and the OUTSIDE site and it works fine.

When I create a S2S VPN tunnel between a DMZ site and the same OUTSIDE site (using the same local and remote endpoints, but with a different cryptomap because the local subnet (DMZ) is different from the other INSIDE subnet), the traffic gets mapped (show crypto isakmp sa) to the same cryptomap that was created for the INSIDE to OUTSIDE tunnel, instead of to the new cryptomap, so the remote endpoint drops the traffic. It also causes invalid SPIs for the remote endpoint, which causes the original INSIDE to OUTSIDE VPN tunnel to drop occasionally.

Is this a bug?

I have also made a test S2S VPN tunnel configuring the local networks as everything INSIDE and DMZ. Using the S2S VPN wizard results in the ASA only creating a NAT exempt rule for the subnet on the INSIDE interface. Can I manually create another NAT exempt rule for the DMZ side, and use this one S2S tunnel to connect the INSIDE and DMZ sites to the remote OUTSIDE site in one connection profile?

Am I building a Rube Goldberg?

Thanks,

George

2 Replies

Rahul Govindan
VIP Alumni

Hi George,

If you are using the same remote site peer, you would only need one crypto map instance with 2 traffic selections - one from Inside to Outside and the other from DMZ to Outside. Something like this:

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside

where,

access-list outside_cryptomap line 1 extended permit ip object Inside_subnet object Remote_subnet
access-list outside_cryptomap line 2 extended permit ip object DMZ_subnet object Remote_subnet
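An added config-lint script (not from this thread or Cisco) that checks the two points the reply above makes: a single crypto map entry per peer, and an identity NAT (NAT exempt) rule for every source/destination pair in the crypto ACL, since the wizard only creates one for the INSIDE interface. The sample config is constructed; the object and map names come from the reply, the addresses and NAT line are assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the reply above: one crypto map entry, one ACL
# with two ACEs, but a NAT exempt rule only for the Inside subnet (as the wizard creates).
SAMPLE_CONFIG = """\
access-list outside_cryptomap extended permit ip object Inside_subnet object Remote_subnet
access-list outside_cryptomap extended permit ip object DMZ_subnet object Remote_subnet
nat (inside,outside) source static Inside_subnet Inside_subnet destination static Remote_subnet Remote_subnet no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 1.1.1.1
"""

ACE_RE = re.compile(r"^access-list (\S+) (?:line \d+ )?extended permit ip object (\S+) object (\S+)")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)")


def audit(config: str) -> dict:
    """Return peers that own more than one crypto map entry, and crypto-ACL
    (src, dst) object pairs that have no identity (NAT exempt) twice-NAT rule."""
    aces = defaultdict(list)      # ACL name -> [(src_obj, dst_obj)]
    exempt = set()                # (src_obj, dst_obj) pairs covered by identity NAT
    entries = defaultdict(dict)   # (map name, seq) -> {"acl": ..., "peer": ...}
    for line in config.splitlines():
        if m := ACE_RE.match(line):
            aces[m[1]].append((m[2], m[3]))
        elif m := NAT_RE.match(line):
            real_src, mapped_src, real_dst, mapped_dst = m[3], m[4], m[5], m[6]
            if real_src == mapped_src and real_dst == mapped_dst:  # identity NAT only
                exempt.add((real_src, real_dst))
        elif m := MAP_RE.match(line):
            key = "acl" if m[3] == "match address" else "peer"
            entries[(m[1], m[2])][key] = m[4]
    by_peer = defaultdict(list)
    for (name, seq), entry in entries.items():
        if "peer" in entry:
            by_peer[entry["peer"]].append(f"{name} {seq}")
    duplicate_peers = {peer: seqs for peer, seqs in by_peer.items() if len(seqs) > 1}
    missing = sorted({pair for entry in entries.values()
                      for pair in aces.get(entry.get("acl"), []) if pair not in exempt})
    return {"duplicate_peers": duplicate_peers, "missing_nat_exempt": missing}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))  # flags DMZ_subnet -> Remote_subnet as lacking NAT exempt
```

Run it against the output of `show running-config` on a lab box; any pair listed under missing_nat_exempt is traffic that would be NATed instead of entering the tunnel.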

Thanks, Rahul.

I'll give it a shot during our next outage window, making sure to create NAT exempt rules for INSIDE and DMZ going to the remote destination.

I'll report back if the ASA is able to properly assign the same SPI to traffic from two different source interfaces.

George