
ASA IPSEC VPN with overlapping proxy-ids

All,

Currently I have a VPN from a single ASA spoke network to a single ASA hub, so I have set up my access-lists so that the source is specific to the spoke (i.e. 192.168.1.0/24) and I am using the "any" keyword for destination. I need to add some more VPN connections, so can I just add the more specific networks below the Inside-to-any statement in the crypto map? See below.

access-list outside_10_cryptomap extended permit ip object-group Inside-Networks object-group Other-Networks
access-list outside_20_cryptomap extended permit ip object-group Inside-Networks any
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer 1.1.1.1
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 2.2.2.2
crypto map outside_map 20 set transform-set ESP-3DES-MD5


4 Replies

Jon Marshall
Hall of Fame

The crypto map ACL entry is tied to the peer so it shouldn't matter, unless I misunderstand your question.

Jon

Sorry, not the most concise question.  I just want to make sure traffic to Other-Networks would not be sent to 2.2.2.2 since it has a proxy-id that would technically match that traffic.

Gregory

Now I come to think of it, I do remember an issue with less specific entries in the ACL before more specific entries.

So it should work, but you need to make sure the more specific comes before the less specific, which you seem to have done with your config.

Jon
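As an added check of the ordering point above (example code written for this page, not from the thread or from Cisco), the Python below parses the crypto map and its ACLs, picks the peer the way the ASA does (lowest matching sequence wins) and flags any sequence whose ACL is fully shadowed by an earlier one; the object-group members are assumed, since the thread does not list them.

```python
import ipaddress

# Constructed sample config modelled on the thread; object-group members are assumed (not listed there).
CONFIG = """\
object-group network Inside-Networks
 network-object 192.168.1.0 255.255.255.0
object-group network Other-Networks
 network-object 10.10.0.0 255.255.0.0
access-list outside_10_cryptomap extended permit ip object-group Inside-Networks object-group Other-Networks
access-list outside_20_cryptomap extended permit ip object-group Inside-Networks any
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer 1.1.1.1
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 2.2.2.2
"""

def _operand(tok, groups):  # one ACL address operand: 'any' or 'object-group NAME'
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
    return groups[tok[1]], tok[2:]

def parse_config(text):
    groups, acls, cmap, cur = {}, {}, {}, None
    for p in (l.split() for l in text.splitlines() if l.strip()):
        if p[0] == "object-group":          # object-group network NAME
            cur = groups.setdefault(p[2], [])
        elif p[0] == "network-object":      # network-object ADDR MASK
            cur.append(ipaddress.ip_network(f"{p[1]}/{p[2]}"))
        elif p[0] == "access-list":         # access-list NAME extended permit ip SRC DST
            src, rest = _operand(p[5:], groups)
            acls.setdefault(p[1], []).append((src, _operand(rest, groups)[0]))
        elif p[:2] == ["crypto", "map"]:    # crypto map NAME SEQ match address ACL | set KEY VALUE
            cmap.setdefault(int(p[3]), {})["acl" if p[4] == "match" else p[5]] = p[6]
    return acls, cmap

def select_peer(src, dst, acls, cmap):
    """Lowest crypto map sequence whose ACL matches the flow wins, as the ASA evaluates it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((cmap[q]["peer"] for q in sorted(cmap) for ss, ds in acls[cmap[q]["acl"]]
                 if any(s in n for n in ss) and any(d in n for n in ds)), None)

def shadowed(acls, cmap):
    """Sequence numbers whose ACL is entirely covered by earlier entries, so they never match."""
    seqs, out = sorted(cmap), []
    for i, seq in enumerate(seqs):
        prev = [(s, d) for e in seqs[:i] for ss, ds in acls[cmap[e]["acl"]] for s in ss for d in ds]
        mine = [(s, d) for ss, ds in acls[cmap[seq]["acl"]] for s in ss for d in ds]
        if prev and all(any(s.subnet_of(ps) and d.subnet_of(pd) for ps, pd in prev) for s, d in mine):
            out.append(seq)
    return out
```

With the thread's order, traffic from 192.168.1.5 to 10.10.1.1 is sent to 1.1.1.1 and nothing is shadowed; swapping the two sequence numbers (`{10: cmap[20], 20: cmap[10]}`) sends the same flow to 2.2.2.2 and reports sequence 20 as shadowed.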

Thanks!