Does the ASA Support Multiple IPSec VPNs to the Same IP

fntowo2009
Level 1

Hello,

I just configured the commands below on an ASA5508 running 9.5(1). The remote endpoint doesn't support multiple ACEs in the proxy ACL...

Would that work?

Thanks,

Francois

access-list test-acl extended permit ip 10.0.0.0 255.255.255.0 any4
access-list test-acl1 extended permit ip 172.31.0.0 255.255.255.0 any4

crypto map CMAP 20 match address test-acl
crypto map CMAP 20 set peer a.b.c.d
crypto map CMAP 20 set ikev2 ipsec-proposal test
crypto map CMAP 20 set security-association lifetime seconds 28800

crypto map CMAP 30 match address test-acl1
crypto map CMAP 30 set peer a.b.c.d
crypto map CMAP 30 set ikev2 ipsec-proposal test
crypto map CMAP 30 set security-association lifetime seconds 28800


14 Replies

It's a dynamic-to-static IPSec solution as the ASA is on the ship... The Cisco remote end is being replaced with a Juniper SRX4600 and the engineer managing it told me his configuration might not support multiple ACEs in the proxy-ACL...

@fntowo2009 If the source IP and destination are the same, it would be hard to differentiate the connection.

What device is the remote peer? I find it hard to believe they do not support multiple entries.
Thanks for the prompt feedback Rob!

The remote peer is a Juniper SRX4600 and is managed by a different team. We're trying to implement a dynamic-to-static IPSec VPN solution as the ASA is on a ship...

@fntowo2009 yes a Juniper SRX would support multiple networks, example:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28197&actp=METADATA

 

If you upgraded to ASA 9.7 or higher you could also implement a route based VPN (VTI) which the SRX also supports.

Thx! There are other subnets behind the ASA and their traffic shouldn't be encrypted. A VTI will have a default route pointing to the tunnel... Correct?

@fntowo2009 no, incorrect. You only have routes (static or dynamic) via the VTI, to be tunneled to your peer, encrypted.

So unencrypted traffic would still go out your default route.

Traffic from two subnets behind the ASA to ANY destination needs to be encrypted... That's why I said the default route will point to the tunnel.

As Mr. Rob suggests, VTI can solve the issue,
but can you try configuring PBR with the ACL LAN->0.0.0.0 using the next-hop VTI IP address?
This makes the ASA use the VTI for LAN->0.0.0.0, if the ASA supports a VTI as next hop.
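For the route based option discussed in the replies, here is an added ASA configuration sketch (not from the thread, not from Cisco documentation) that pairs a VTI with PBR so that only the two LAN subnets from the question are steered into the tunnel while every other subnet keeps the normal default route. Assumed and not from the thread: the nameifs outside/inside, the 169.254.1.0/30 tunnel addressing, the profile and route-map names, the pre-shared-key placeholder, and that an IKEv2 policy and the ipsec-proposal "test" already exist; whether the ASA accepts the VTI peer address as a PBR next hop is the point the reply above asks to verify.

```cisco
! Requires ASA 9.7 or later for VTI. Peer a.b.c.d and proposal "test" come
! from the question; everything else here is an assumed value.
crypto ikev2 enable outside

crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal test

tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>

! Route based tunnel: no proxy ACL, so the SRX side sees 0.0.0.0/0 <-> 0.0.0.0/0
interface Tunnel1
 nameif VTI
 ip address 169.254.1.1 255.255.255.252
 tunnel source interface outside
 tunnel destination a.b.c.d
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! PBR instead of a default route via the VTI: only the two LAN subnets are
! matched, so the other subnets behind the ASA stay on the default route.
access-list VTI-PBR extended permit ip 10.0.0.0 255.255.255.0 any4
access-list VTI-PBR extended permit ip 172.31.0.0 255.255.255.0 any4

route-map VTI-PBR permit 10
 match ip address VTI-PBR
 set ip next-hop 169.254.1.2

interface GigabitEthernet1/2
 nameif inside
 policy-route route-map VTI-PBR
```

After bringing it up, "show crypto ikev2 sa" and "show route" confirm that the tunnel is established and that no 0.0.0.0/0 route points at the VTI, which is the behaviour the asker was worried about.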

Thanks for the valuable input!

 

 

Thanks for the valuable input!

KB16008 - Function of a new feature "Multiple Proxy ID support on a Route-Based VPN" (Supported started with ScreenOS 6.3)

fntowo2009
Level 1

Hello,

Sorry for the delayed feedback!

The work was halted for a while...

We implemented this solution as we ran into connectivity issues with one proxy-acl with two ACEs. The engineer managing the SRX created a ticket with JTAC and they recommended going this route.