07-20-2008 05:30 PM - edited 02-21-2020 03:50 PM
I have a site that is currently using a L2L VPN tunnel to access our main site.
The remote site is an ASA 5505. The remote site has a PTP T1 to a 2nd site that we need to monitor. So the remote site actually has 3 subnets that need to be routed across the VPN:
Remote site main: 10.200.54.0 /24
Remote site T1 PTP Subnet: 10.200.254.0 /30
Remote site Other site: 10.200.55.0 /24
The ASA 5505 at the remote site is configured as such:
access-list 101 extended permit ip 10.200.54.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.200.55.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.200.254.0 255.255.255.252 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.200.54.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.200.55.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.200.254.0 255.255.255.252 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set tangoset esp-3des esp-md5-hmac
crypto map tangomap 10 match address 101
crypto map tangomap 10 set peer *
crypto map tangomap 10 set transform-set tangoset
crypto map tangomap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
My MAIN / CENTRAL site concentrator is an ASA5520 with 7.2(4) with a dynamic map with numerous EasyVPN / L2L VPNs terminating on it.
crypto ipsec transform-set mySET esp-3des esp-md5-hmac
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto dynamic-map myDYN-MAP 5 set reverse-route
crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65530
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
We poll from our datacenter network (10.1.1.0/24) to the 10.200.254.1 IP every 60 seconds just to monitor UP/DOWN status of the T1. Our monitoring software stops monitoring from midnight to 5:30 am, so we don't get alerts etc. I have the problem of the SA not being established when monitoring resumes due to the timeout. Because of the central site using a dynamic map, I can't reestablish the SA. I have to telnet to the T1 router and ping the monitoring server with a source of the 10.200.254.1 interface to reestablish, then all is well.
Is there any other way to keep the SA active? I know with EasyVPN I can use the nem-st-autoconnect option to keep all the SAs up; is this an option for an L2L tunnel?
I would prefer to have the site use EasyVPN, but is it possible to route the 3 necessary networks across the EasyVPN connection? How would that config look? Thanks in advance.
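With a dynamic crypto map on the hub, only the spoke can initiate the SA, so the flow that brings the tunnel up has to originate at the spoke and match the spoke's crypto ACL. The following added example (not from the poster or Cisco) parses the remote ASA's crypto and NAT-exempt ACLs as posted above and checks which spoke-originated flows qualify as interesting traffic, and whether every crypto ACE is covered by a nat 0 ACE; the sample IP addresses 10.1.1.10 and 10.0.5.1 are assumed hosts chosen for illustration.

```python
import ipaddress
import re

# Copy of the ACLs posted in the question (constructed input for this check).
REMOTE_CONFIG = """
access-list 101 extended permit ip 10.200.54.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.200.55.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.200.254.0 255.255.255.252 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.200.54.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.200.55.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.200.254.0 255.255.255.252 10.1.1.0 255.255.255.0
"""

# ASA "permit ip <src> <mask> <dst> <mask>" ACE; other forms are ignored here.
ACE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_acls(text):
    """Return {acl_name: [(src_network, dst_network), ...]} from ASA ACE lines."""
    acls = {}
    for name, src, src_mask, dst, dst_mask in ACE.findall(text):
        pair = (ipaddress.ip_network(f"{src}/{src_mask}"),
                ipaddress.ip_network(f"{dst}/{dst_mask}"))
        acls.setdefault(name, []).append(pair)
    return acls


def is_interesting(acl, src_ip, dst_ip):
    """True if a flow from src_ip to dst_ip matches any ACE, i.e. would trigger IKE."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in acl)


def uncovered_crypto_entries(crypto_acl, nonat_acl):
    """Crypto ACEs with no NAT-exempt ACE covering them: such traffic would be
    translated before encryption and never match the tunnel's proxy identities."""
    return [(s, d) for s, d in crypto_acl
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat_acl)]


if __name__ == "__main__":
    acls = parse_acls(REMOTE_CONFIG)
    # The manual fix from the post: ping the poller sourced from the T1 interface.
    print(is_interesting(acls["101"], "10.200.254.1", "10.1.1.10"))   # True
    # The /30 entry only reaches 10.1.1.0/24, unlike the two /24 LAN entries.
    print(is_interesting(acls["101"], "10.200.254.1", "10.0.5.1"))    # False
    print(uncovered_crypto_entries(acls["101"], acls["nonat"]))       # []
```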
07-20-2008 06:18 PM
No worries, I just created a static VPN. This shouldn't be an issue anymore.