01-24-2012 09:10 AM - edited 02-21-2020 05:50 PM
Hi all,
I'm looking to establish multiple L2L IPsec tunnels (one tunnel for each subnet) from my Cisco ASA 5510 to the same destination.
Should the Cisco ASA be capable of this?
How can I do it?
Regards
01-24-2012 09:19 AM
You can do it if you mean to say -
Let's say site A has got 3 subnets and site B has got one.
In this case what you need to do is to add an ACL for crypto.
Thanks
Ajay
01-24-2012 10:15 AM
Adding to what Ajay said, your VPN is between your ASA and the distant end's firewall. Within that VPN there can be multiple IPsec Phase 2 security associations, which are formed based on interesting traffic coming to the ASA and matching the crypto map (access list for crypto).
You may want to have a look at the Wizard in ASDM if you are new to ASAs (Wizards, VPN, Site-to-site VPN Wizard).
Once you have a working site-to-site IPsec VPN, you can see the individual network pairs with the command:
show vpn-sessiondb detail l2l
Hope this helps.
01-24-2012 11:19 AM
So it means that I only have to add the subnet within the access list matched on the crypto map?
01-24-2012 11:28 AM
Yes.
Note - it needs to be added at both the local and remote firewall. If not, they will not form a Phase 2 SA for that local/remote pair of networks.
01-24-2012 11:47 AM
Note: the local firewall is not a Cisco.
So I've added it on my ASA, I restarted all the tunnels and I started a continuous ping from a machine on the added network.
At the same time I set debug icmp trace ---> I see no packets from the local machine to the added network.
I used show crypto ipsec sa detail --> the tunnel is up but the network that I added is not shown, only the first network is present.
01-25-2012 04:12 AM
Hi all,
I would like to thank Mr Rhoads and Mr Ajay Chauhan for their precious help.
It works; the problem was on the remote Netgear VPN policy's order (phase 2).
That's what I did:
I disabled the VPN on the remote box, then I created a phase 2 including the new subnet.
Then I checked my access list on my ASA and that both networks that I want to transport on the VPN are present.
Finally I enabled the VPN again on the remote box (Netgear FVS318).
The tunnel is up again and when I do a show crypto ipsec sa detail, I can see 2 crypto map tags matched to the same sequence number and each one matching a declared traffic.
Thanks
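A small check, added here and not written by any of the posters, for the point made in the replies and in the final fix: each local/remote pair in the ASA's crypto ACL must be mirrored on the peer or no Phase 2 SA forms for it. It parses constructed ASA configuration for both sides (the Netgear's policies are written in the same ACE syntax purely for comparison; ACL name, map name and subnets are made up) and lists the pairs the peer does not mirror.

```python
"""Check that two IPsec peers' crypto ACLs mirror each other (constructed example)."""
import ipaddress
import re
from typing import List, Set, Tuple

# Matches an ASA extended ACE of the form a crypto map's "match address" list uses:
#   access-list <name> extended permit ip <src-net> <src-mask> <dst-net> <dst-mask>
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)
Pair = Tuple[str, str]  # (source network, destination network) in CIDR notation

# Constructed ASA configuration: two local subnets towards one remote subnet.
ASA_CONFIG = """
access-list L2L_TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list L2L_TRAFFIC extended permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
"""
# Constructed view of the remote peer's Phase 2 policies, expressed in the same
# ACE syntax for comparison: it still only knows about the first subnet.
REMOTE_CONFIG = """
access-list L2L_TRAFFIC extended permit ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
"""


def parse_crypto_acl(config: str, acl_name: str) -> Set[Pair]:
    """Return the (src, dst) network pairs the named ACL declares as interesting traffic."""
    pairs: Set[Pair] = set()
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            pairs.add((str(src), str(dst)))
    return pairs


def missing_mirrors(local: Set[Pair], remote: Set[Pair]) -> List[Pair]:
    """Local (A -> B) pairs with no mirrored (B -> A) entry on the remote side.

    Each one is a Phase 2 proxy ID the peer will not accept, so no IPsec SA forms
    for that subnet even though the tunnel as a whole shows as up.
    """
    mirrored = {(dst, src) for src, dst in remote}
    return sorted(local - mirrored)


if __name__ == "__main__":
    gaps = missing_mirrors(parse_crypto_acl(ASA_CONFIG, "L2L_TRAFFIC"),
                           parse_crypto_acl(REMOTE_CONFIG, "L2L_TRAFFIC"))
    for src, dst in gaps:
        print(f"no Phase 2 SA will form for {src} -> {dst}: add the mirror on the peer")
```

Run against real configs by pasting each side's ACEs into the two strings; an empty result means every pair is mirrored.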