8304 Views | 0 Helpful | 13 Replies

Cisco ASA cannot create multiple tunnels to the same peer address?

dkraut
Level 1

We have several remote sites with Linksys WRVS4400N and Smoothwall firewall/vpn devices.  I need these sites to be able to connect to multiple dis-contiguous subnets at our main office.  This was easily done with smoothwall and linksys.  You create a separate tunnel for each subnet and voila, you're done.  However, when I tried this with our newly installed ASA, it will not let me create multiple tunnels to the same remote peer address.  This is a problem since these sites only have a single static public IP address.  Am I missing something or does the ASA not allow connections to/from multiple subnets from a site with a single peer address? 

13 Replies

Jennifer Halim
Cisco Employee

You can only have 1 same peer on the ASA, but what you would need to configure is multiple lines of crypto ACL to include the remote LAN that you would want to encrypt. You will also need to have the same mirror image ACL on the remote devices.

Thanks Jennifer, so what I think you're telling me is that unless I have another ASA at the remote site, I'm out of luck?  The other devices only allow a single IP address or single subnet per tunnel.  Surprised that something like this cannot be done between a Cisco ASA and Cisco WRVS4400N > http://www.cisco.com/en/US/products/ps9931/index.html

Looks like limitation on the WRVS4400N as Cisco ASA supports multiple subnets per tunnel.

Is there anyway you can configure a larger subnet instead of specific subnets on the ACL?

Eg:

if you have 192.168.0.0/24 and 192.168.1.0/24, instead of having 2 subnets configured, you can combine them into 1 subnet 192.168.0.0/23

Ah, if life would be so simple.   

Nope, my predecessor decided it would make better sense to use completely discontiguous subnets at each site.  For example, I need remote users to be able to connect to 10.10.96.0/24, 10.1.0.0/24 and 10.10.11.0/24 at the main office.  I know, I can hear you laughing from here...  

Not too bad.. what is the remote subnet?

remote subnet = 10.10.14.0/24

OK, change the crypto ACL on the ASA to:

access-list <crypto-acl-name> extended permit ip 10.0.0.0 255.240.0.0 10.10.14.0 255.255.255.0

On the WRVS4400N end, change the remote subnet to 10.0.0.0/255.240.0.0

WRV does not seem to like that... I get an error, "Remote Security Group and Local Security Group cannot be in the same network"

OK, maybe you can do static NAT on the ASA end as follows:

10.10.96.0/24 --> NAT to 192.168.96.0/24

10.1.0.0/24  --> NAT to 192.168.1.0/24

10.10.11.0/24 --> NAT to 192.168.11.0/24

Then the crypto ACL would say:

access-list <crypto-acl-name> extended permit ip 192.168.0.0 255.255.0.0 10.10.14.0 255.255.255.0

On WRV, remote security group: 192.168.0.0/16

BUT, to access the main office subnets, you would need to use the corresponding NATed subnet, ie: 192.168.x.x

Really appreciate all the help Jennifer, but I think the NAT option would just cause more problems since one of the subnets is for voip and the phones would probably freak out with a different IP scheme.  We'd also need to edit hosts files, etc. for resources at the main office since DNS could not be changed.  Since our company moves a lot of Cisco gear, I'm checking to see if we can get a couple of ASA's to replace the WRV's. 

Out of curiosity,  I'm not 100% clear on how I would create the NAT rules you mention.  Which direction would they be setup on the ASA (v8.4)?  (inside, outside)?  Would the NAT'd address only apply to VPN traffic to/from 10.10.14.0?  There are other sites up where I would not want them NAT'd.  Not a big deal, just curious in case I need to do this in the future.

Thanks again!!   

As long as you have the inspection engine enabled on the ASA, it shouldn't freak out at the different IP as it will inspect the call signalling and will NAT it accordingly, BUT, for simplicity, I agree with you, it would cause a lot of troubleshooting headache if there is a problem as well as reconfiguration of IP on the host ends.

Here is the NAT FYI:

object network obj-10.10.96.0
   subnet 10.10.96.0 255.255.255.0
object network obj-192.168.96.0
   subnet 192.168.96.0 255.255.255.0
object network obj-10.10.14.0
   subnet 10.10.14.0 255.255.255.0
object network obj-10.1.0.0
   subnet 10.1.0.0 255.255.255.0
object network obj-192.168.1.0
   subnet 192.168.1.0 255.255.255.0
object network obj-10.10.11.0
   subnet 10.10.11.0 255.255.255.0
object network obj-192.168.11.0
   subnet 192.168.11.0 255.255.255.0

nat (inside,outside) source static obj-10.10.96.0 obj-192.168.96.0 destination static obj-10.10.14.0 obj-10.10.14.0
nat (inside,outside) source static obj-10.1.0.0 obj-192.168.1.0 destination static obj-10.10.14.0 obj-10.10.14.0
nat (inside,outside) source static obj-10.10.11.0 obj-192.168.11.0 destination static obj-10.10.14.0 obj-10.10.14.0
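The following is an added example, not code from the thread or from Cisco: it uses Python's ipaddress module to reproduce the three steps above (the /23 summary suggestion, the /12 summary that the WRVS4400N rejects because it contains the remote LAN, and the static-NAT workaround), and it regenerates the twice-NAT lines just posted from a validated mapping. The object naming and the "obj-" prefix follow the thread; the function names are assumed.

```python
# Added example, not from the thread: checks the approaches discussed above with
# Python's ipaddress module before anything is typed into the ASA or the WRVS4400N.
import ipaddress

def smallest_supernet(subnets):
    """Return the single smallest network that contains every subnet given."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    for prefix in range(nets[0].prefixlen, -1, -1):
        candidate = nets[0].supernet(new_prefix=prefix)
        if all(n.subnet_of(candidate) for n in nets):
            return candidate

def crypto_acl_summary(local_subnets, remote_subnet):
    """One crypto ACL line covering all local subnets, as suggested above.
    None when the summary swallows the remote LAN, which is exactly what the
    WRVS4400N rejects as local and remote groups "in the same network"."""
    summary = smallest_supernet(local_subnets)
    return None if summary.overlaps(ipaddress.ip_network(remote_subnet)) else summary

def nat_plan(mapping, nat_block, remote_subnet):
    """Validate the static-NAT workaround and emit ASA 8.4 twice-NAT lines: each
    translated subnet must sit inside nat_block, keep its prefix length and not
    collide with another translation; nat_block must not overlap the remote LAN."""
    block, remote = ipaddress.ip_network(nat_block), ipaddress.ip_network(remote_subnet)
    if block.overlaps(remote):
        raise ValueError(f"NAT block {block} overlaps remote LAN {remote}")
    obj = lambda n: f"obj-{n.network_address}"  # object naming used in the thread
    lines = [f"object network {obj(remote)}", f"   subnet {remote.network_address} {remote.netmask}"]
    used = []
    for real, mapped in mapping:
        real, mapped = ipaddress.ip_network(real), ipaddress.ip_network(mapped)
        if not mapped.subnet_of(block) or real.prefixlen != mapped.prefixlen:
            raise ValueError(f"{real} -> {mapped} is not a one-to-one fit inside {block}")
        if any(mapped.overlaps(u) for u in used):
            raise ValueError(f"translated subnet {mapped} collides with another mapping")
        used.append(mapped)
        for n in (real, mapped):
            lines += [f"object network {obj(n)}", f"   subnet {n.network_address} {n.netmask}"]
        lines.append(f"nat (inside,outside) source static {obj(real)} {obj(mapped)} "
                     f"destination static {obj(remote)} {obj(remote)}")
    return lines

if __name__ == "__main__":
    office = ["10.10.96.0/24", "10.1.0.0/24", "10.10.11.0/24"]
    print(crypto_acl_summary(["192.168.0.0/24", "192.168.1.0/24"], "10.10.14.0/24"))  # 192.168.0.0/23
    print(smallest_supernet(office), crypto_acl_summary(office, "10.10.14.0/24"))  # 10.0.0.0/12 None
    plan = [("10.10.96.0/24", "192.168.96.0/24"), ("10.1.0.0/24", "192.168.1.0/24"),
            ("10.10.11.0/24", "192.168.11.0/24")]
    print("\n".join(nat_plan(plan, "192.168.0.0/16", "10.10.14.0/24")))
```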

Picked up an ASA 5505 for the remote side and all is well. 

Perfecto.. thanks for the update.