asa ipsec to different peers with similar acls

dfbnws
Level 1

Hi experts,

I have a working IPsec tunnel with peer1, matching the local and remote subnets in the crypto ACL:

access-list abc extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

crypto map first 3 match address abc
crypto map first 3 set peer 100.1.1.1
crypto map first 3 set ikev1 transform-set temp1

tunnel-group 100.1.1.1 type ipsec-l2l
tunnel-group 100.1.1.1 ipsec-attributes
 pre-shared-key password

I want to set up another tunnel with a different peer, but with a single IP as source and destination in the crypto ACL, and that IP will be part of the existing crypto ACL subnet. Will it work?

access-list def extended permit ip 10.1.1.10 255.255.255.255 10.2.2.10 255.255.255.255

crypto map second 10 match address def
crypto map second 10 set peer 200.1.1.1
crypto map second 10 set ikev1 transform-set temp1

tunnel-group 200.1.1.1 type ipsec-l2l
tunnel-group 200.1.1.1 ipsec-attributes
 pre-shared-key password

Both tunnels are routed via the default gateway to the same outside interface.

4 Replies

Hi,
I've not tried it myself, but I'd imagine that no, it won't work.

If 10.2.2.10/32 never needs to go via the first tunnel, you could modify the ACL abc to NOT include 10.2.2.10/32, by breaking down the 10.2.2.0/24 subnet into smaller subnets, then there shouldn't be an issue.

HTH

Thanks.

Touching the working tunnel is out of the question, as it is serving production.

I am setting up the second one to test VPN connectivity with a new remote firewall.

I guess I will have to make do with completely new IPs for the second tunnel, outside the existing subnets...

Rahul Govindan
VIP Alumni

You should be able to create new and more specific ACLs at a higher sequence number. So something like this:

access-list abc extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

crypto map first 3 match address abc
crypto map first 3 set peer 100.1.1.1
crypto map first 3 set ikev1 transform-set temp1

tunnel-group 100.1.1.1 type ipsec-l2l
tunnel-group 100.1.1.1 ipsec-attributes
 pre-shared-key password

access-list def extended permit ip 10.1.1.10 255.255.255.255 10.2.2.10 255.255.255.255

crypto map first 2 match address def
crypto map first 2 set peer 200.1.1.1
crypto map first 2 set ikev1 transform-set temp1

tunnel-group 200.1.1.1 type ipsec-l2l
tunnel-group 200.1.1.1 ipsec-attributes
 pre-shared-key password

Note that traffic between 10.1.1.10 and 10.2.2.10 would never go through the old tunnel. So if you have the same IP addresses across both tunnels, this won't work.

Makes sense.

The ACL sequence number should allow the specific ACL to take care of the /32 while the /24 is handled by the next line.

Thanks.
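The point the thread settles on (the ASA walks the entries of the one crypto map bound to an interface in ascending sequence order and the first crypto ACL that matches a flow decides the peer, so the /32 entry must sit at a lower sequence number than the /24 entry or it is shadowed) can be checked offline before touching a production box. The script below is an added example written for this page, not code from the original posts or from Cisco. It parses the constructed config fragments embedded in it (which copy the thread's addresses and names) and emulates only that first-match walk; the `parse_config`, `select_peer` and `shadowed_entries` helpers and the `WRONG_ORDER_CONFIG` fragment are this example's own constructions, and lines it does not understand (transform-sets, tunnel-groups, `interface` bindings) are deliberately ignored.

```python
import ipaddress
import re

# Constructed config in the order the answer proposes: the /32 entry at
# sequence 2 is evaluated before the /24 entry at sequence 3.
ASA_CONFIG = """
access-list abc extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list def extended permit ip 10.1.1.10 255.255.255.255 10.2.2.10 255.255.255.255
crypto map first 3 match address abc
crypto map first 3 set peer 100.1.1.1
crypto map first 2 match address def
crypto map first 2 set peer 200.1.1.1
crypto map first interface outside
"""

# Constructed counter-example (hypothetical): the /32 entry placed at a
# higher sequence number than the /24 entry, so it can never match.
WRONG_ORDER_CONFIG = ASA_CONFIG.replace("crypto map first 2 ", "crypto map first 10 ")

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")


def parse_config(text):
    """Return (acls, maps).

    acls: ACL name -> list of (src_network, dst_network)
    maps: crypto map name -> {sequence -> {"acl": name, "peer": ip}}
    Unrecognised lines are ignored on purpose.
    """
    acls, maps = {}, {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            # ipaddress accepts dotted netmasks ("10.1.1.0/255.255.255.0").
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := MATCH_RE.match(line):
            name, seq, acl = m.groups()
            maps.setdefault(name, {}).setdefault(int(seq), {})["acl"] = acl
        elif m := PEER_RE.match(line):
            name, seq, peer = m.groups()
            maps.setdefault(name, {}).setdefault(int(seq), {})["peer"] = peer
    return acls, maps


def select_peer(src, dst, acls, cmap):
    """Emulate crypto-map evaluation for one flow: ascending sequence order,
    first matching crypto ACL line wins. Returns (seq, peer), or None when
    no entry matches (the flow would leave in clear text)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in sorted(cmap):
        entry = cmap[seq]
        for src_net, dst_net in acls.get(entry["acl"], []):
            if s in src_net and d in dst_net:
                return seq, entry["peer"]
    return None


def shadowed_entries(acls, cmap):
    """List crypto ACL lines that can never match because a lower-sequence
    entry already covers their whole source and destination ranges.
    Each item is (seq, src_net, dst_net, shadowing_seq)."""
    found = []
    seqs = sorted(cmap)
    for i, seq in enumerate(seqs):
        for src_net, dst_net in acls.get(cmap[seq]["acl"], []):
            for earlier in seqs[:i]:
                for e_src, e_dst in acls.get(cmap[earlier]["acl"], []):
                    if src_net.subnet_of(e_src) and dst_net.subnet_of(e_dst):
                        found.append((seq, str(src_net), str(dst_net), earlier))
    return found


if __name__ == "__main__":
    for label, cfg in (("proposed order", ASA_CONFIG), ("wrong order", WRONG_ORDER_CONFIG)):
        acls, maps = parse_config(cfg)
        cmap = maps["first"]
        print(label)
        print("  10.1.1.10 -> 10.2.2.10 :", select_peer("10.1.1.10", "10.2.2.10", acls, cmap))
        print("  10.1.1.20 -> 10.2.2.20 :", select_peer("10.1.1.20", "10.2.2.20", acls, cmap))
        print("  shadowed entries       :", shadowed_entries(acls, cmap))
```

Running it shows the host pair 10.1.1.10/10.2.2.10 going to 200.1.1.1 under the proposed order and falling through to 100.1.1.1 under the wrong order, where `shadowed_entries` flags the /32 line as unreachable. The emulation also makes the other caveat in the thread visible: a second map named `second`, as in the question, is not consulted at all when only `first` is bound to the outside interface, which is why the answer adds the new entry to the existing map rather than creating another one.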