07-02-2012 06:34 AM
Hi
I use a Cisco ASA 5520 to terminate multiple site-to-site VPNs. Due to the configuration of a partner's network, I have had to install 2 routers into this partner's network. I have been supplied static private IP addresses for each router, and each router has a unique LAN subnet which is the VPN's protected network.
The partner uses PAT with only one public-facing IP address.
The VPNs are initiated from the partner's network using an IP SLA ping.
Upon installing my first VPN router in the partner's network, once NAT-T was enabled on the local ASA the VPN started working fine. After installing the second VPN router I tried installing the new config on to the ASA via CSM, but the ASA complains that it cannot have 2 VPNs with the same peer address configured.
Are there any suggestions as to how I can get this working?
Thanks,
Simon
07-02-2012 06:41 AM
Yes, you can't configure 2 VPN tunnels to the same peer address.
You would need to PAT the second router to a different public IP.
07-02-2012 09:22 AM
Jenifer, I understand how this concept will not work, but I question the reasoning. Each VPN is associated with a different port number, and I can see the packets from both VPN routers entering my local network, so surely the port numbers are sufficient to identify the 2 different sources of data.
Further to this, I tried to configure a dynamic VPN instance on my ASA using the peer address of 0.0.0.0. Try as I might, I could not get this to work alongside the multiple site-to-site VPNs with defined peers.
Any further advice would be appreciated.
Thanks,
Simon
07-02-2012 10:56 AM
VPN Peer on the ASA does not understand port number. All it knows is just an IP Address, and the ASA won't even take the command if you have the same peer address. It won't be able to build an SA with the same peer.
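To make the disagreement in this thread concrete, here is an added example (not from any poster, and not ASA code) that parses constructed NAT-T datagrams on UDP/4500 and groups the IKE initiator SPIs by peer identity two ways: by source IP only, which is what the ASA's peer statement carries, and by (IP, source port), which is how the PAT device actually presents the two routers. The capture, the PAT address (a TEST-NET-2 value) and the port numbers are constructed; the IKEv1 header layout and the 4-byte non-ESP marker are the standard formats.

```python
import struct
from collections import defaultdict

# UDP/4500 (NAT-T) payloads: IKE is prefixed with a 4-byte non-ESP marker,
# ESP starts directly with its 4-byte SPI, which is never all zeros.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# ISAKMP header: initiator SPI(8), responder SPI(8), next payload, version,
# exchange type, flags, message ID(4), length(4), all network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

def parse_nat_t(payload: bytes) -> dict:
    """Classify one NAT-T datagram as IKE (with its SPIs) or ESP."""
    if payload.startswith(NON_ESP_MARKER):
        if len(payload) < 4 + ISAKMP_HDR.size:
            raise ValueError("truncated ISAKMP header")
        ispi, rspi, _nxt, _ver, exch, _flags, _msgid, _len = ISAKMP_HDR.unpack_from(payload, 4)
        return {"proto": "ike", "ispi": ispi.hex(), "rspi": rspi.hex(), "exch": exch}
    if len(payload) >= 4:
        return {"proto": "esp", "spi": payload[:4].hex()}
    raise ValueError("datagram too short")

def ike_initiators(packets, key_by_port: bool) -> dict:
    """Group IKE initiator SPIs by peer identity: source IP only (the only
    identity an ASA peer statement names) or (IP, UDP source port) as PAT
    delivers them. Packets are constructed (src_ip, src_port, payload) tuples."""
    seen = defaultdict(set)
    for src_ip, src_port, payload in packets:
        info = parse_nat_t(payload)
        if info["proto"] != "ike":
            continue
        key = (src_ip, src_port) if key_by_port else src_ip
        seen[key].add(info["ispi"])
    return dict(seen)

def ike_hdr(ispi: bytes, exch: int = 2) -> bytes:
    """Build a minimal IKEv1 main-mode (exchange type 2) header behind the marker."""
    return NON_ESP_MARKER + ISAKMP_HDR.pack(ispi, b"\x00" * 8, 1, 0x10, exch, 0, 0, 28)

# Constructed capture: two routers behind one PAT address; the PAT device kept
# port 4500 for the first router and translated the second to 61001.
PARTNER_PAT_IP = "198.51.100.1"
CAPTURE = [
    (PARTNER_PAT_IP, 4500, ike_hdr(b"\x11" * 8)),
    (PARTNER_PAT_IP, 61001, ike_hdr(b"\x22" * 8)),
    (PARTNER_PAT_IP, 4500, b"\x00\x00\x10\x01" + b"\xaa" * 12),  # ESP once IKE is up
]

if __name__ == "__main__":
    print(ike_initiators(CAPTURE, key_by_port=False))  # one key, two initiator SPIs
    print(ike_initiators(CAPTURE, key_by_port=True))   # two keys, one SPI each
```

Keyed by IP alone, both routers' IKE sessions fall under a single peer entry, which is the collision the ASA rejects at configuration time; keyed by port they stay distinct, which is why the packets are visibly separable on the wire even though the peer statement cannot express that.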