Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
902
Views
0
Helpful
3
Replies

ASA requires to accept 2 VPN's from different devices behind the same public IP

9dtinkler
Level 1
Level 1

‎07-02-2012 06:34 AM

Hi

I use a cisco asa 5520 to terminate multiple site to site VPNs. Due to the configuration of a parteners network, i have had to install 2 routers into this parteners network, i have been supplied static private IP addresses for each router each router has a unidue LAN subnet which is the VPN's protected network.

The partener use's PAT with only one public facing IP address.

The VPNs are initiated from the parteners network using an IP sla ping.

Upon installing my first VPN router in the partenrs network, once NAT-T was enabled on the local ASA the VPN started working fine. After installing the second VPN router i tried installing the new config on to the ASA but via CSM, the ASA complains that it can not have 2 VPN's with the same peer address configured.

Are there any suggestions as to how i can get this working?

Thanks,

Simon        

Labels:
0 Helpful
3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

‎07-02-2012 06:41 AM

Yes, you can't configure 2 VPN tunnel to the same peer address.

You would need to PAT the second router to a different public IP.

0 Helpful

9dtinkler
Level 1
Level 1
In response to Jennifer Halim

‎07-02-2012 09:22 AM

Jenifer, i understand how this concept will not work, but i question the reasoning, each vpn is associated with a different port number, i can see the packets from both vpn routers entering my local network, so surely the port numbers are sufficient to identifiy the 2 different sources of data.

Further to this i tried to configure a dynamic VPN instance on my ASA using the peer address of 0.0.0.0 try as i might i could not get this to work alongside the multiple site to site vpns with defined peers.

Any further advice would be appreciated.

Thanks,

Simon

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to 9dtinkler

‎07-02-2012 10:56 AM

VPN Peer on the ASA does not understand port number. All it knows is just an IP Address, and the ASA won't even take the command if you have the same peer address. It won't be able to build an SA with the same peer.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents