Multiple networks across VPN

Phil Bradley
Level 4

I have a site to site VPN configured between an ASA 5516-X and a Cisco 819 router and I am having issues tunneling multiple networks. When I attempt to do this it only establishes the network on the first access list line on the router. I am using object groups on the ASA and regular host statements on the router since object groups are not permitted on crypto maps on the router. Here is an example:


Router

crypto map test 10 ipsec-isakmp
 match address 110

access-list 110 permit ip 192.168.1.0 0.0.0.255 host 10.40.0.5
access-list 110 permit ip 192.168.1.0 0.0.0.255 host 10.41.0.5


When I use this I can only access the IP on the first line (10.40.0.5) and not the second one. Am I missing something? The ASA has this:

crypto map outside_map 1 match address outside_cryptomap

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object Remote_Network

object-group network DM_INLINE_NETWORK_2
 network-object object Test1
 network-object object Test2

object network Test1
 host 10.41.0.5
object network Test2
 host 10.40.0.5
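As an added example (not part of the post or of any Cisco tool), here is a small Python check that expands the ASA object-group and verifies that the two crypto ACLs quoted above are mirror images of each other, which is the property a site to site tunnel needs on both ends. The post does not show the Remote_Network object, so its /24 definition below is an assumption.

```python
import ipaddress
# Constructed copies of the two crypto ACLs quoted in the post. The post does not
# show the Remote_Network object; the /24 below is an assumption.
ROUTER_ACL = """\
access-list 110 permit ip 192.168.1.0 0.0.0.255 host 10.40.0.5
access-list 110 permit ip 192.168.1.0 0.0.0.255 host 10.41.0.5
"""
ASA_CONFIG = """\
object network Test1
 host 10.41.0.5
object network Test2
 host 10.40.0.5
object network Remote_Network
 subnet 192.168.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object object Test1
 network-object object Test2
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object Remote_Network
"""
def addr_spec(tok, i, objs):
    """Expand the address spec at tok[i] (any | host X | object N | object-group N | X mask) to a set of networks."""
    if tok[i] == "any":
        return {ipaddress.ip_network("0.0.0.0/0")}, i + 1
    if tok[i] == "host":
        return {ipaddress.ip_network(tok[i + 1] + "/32")}, i + 2
    if tok[i] in ("object", "object-group"):
        return set(objs[tok[i + 1]]), i + 2  # objects must be defined before they are referenced
    # ipaddress tells netmask from wildcard by the first octet; the IOS single-host wildcard 0.0.0.0 needs special handling
    mask = "/32" if tok[i + 1] == "0.0.0.0" else "/" + tok[i + 1]
    return {ipaddress.ip_network(tok[i] + mask)}, i + 2

def crypto_flows(text):
    """Set of (src, dst) networks permitted by the crypto ACL in an IOS or ASA snippet, objects expanded."""
    objs, cur, flows = {}, None, set()
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        if tok[:2] in (["object", "network"], ["object-group", "network"]):
            cur = objs.setdefault(tok[2], set())
        elif tok[0] in ("host", "subnet", "network-object"):  # member line of the current object
            cur |= addr_spec(tok, 0 if tok[0] == "host" else 1, objs)[0]
        elif tok[0] == "access-list" and "permit" in tok:
            k = tok.index("permit")
            if tok[k + 1] == "ip":  # crypto ACLs match on protocol ip
                src, i = addr_spec(tok, k + 2, objs)
                flows |= {(s, d) for s in src for d in addr_spec(tok, i, objs)[0]}
    return flows

def mirror_mismatch(router_text, asa_text):
    """Flows that one side's crypto ACL permits but the other side does not mirror."""
    mirrored = {(d, s) for s, d in crypto_flows(asa_text)}
    return sorted(f"{s} -> {d}" for s, d in crypto_flows(router_text) ^ mirrored)
```

An empty result means every flow the router ACL protects is matched by the reversed ASA entry; a listed flow is one that only one side would try to encrypt.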


Phil Bradley
Level 4

Maybe I need multiple tunnels to accomplish this?

You do not need 2 tunnels for this. The crypto ACLs look ok from the config you posted.

Why do you think that multiple entries in the crypto-acl are causing the problem?

Did you try removing the first line of the crypto ACL on both ends and verifying whether 10.41.0.5 is then reachable?


The following commands would be helpful to see:

ASA:

packet-tracer input <interface> icmp 10.41.0.5 8 0 192.168.1.1

packet-tracer input <interface> icmp 10.40.0.5 8 0 192.168.1.1

ASA and router:

show crypto ipsec sa

I agree that the partial configs posted so far seem reasonable and I do not see obvious issues in them. It would be helpful to know more about the ASA, especially which interfaces connect to the specified hosts and what NAT is configured for each host.


HTH

Rick


I have this working now but I'm not sure what fixed it. I moved to extended ACLs so that I could easily add and remove the subnets. After this I had to reboot the 819 router and both subnets started tunneling. I tried the clear crypto map sa and then started pings to the remote network without any luck on bringing the tunnel up. After I rebooted the 819 it came up. I'm going to try the standard ACLs again and see if I can get both networks up. Maybe I missed something.

I am glad to know that you got it working. Sometimes (especially if we have been making changes, putting something in, then taking it out, moving on to another change) things seem to get out of sync and the observed behavior does not match what is in the config. In those instances sometimes a reboot will clear things up and things start to work. Perhaps this is one of those times.


I am puzzled about where you think you might use a standard ACL. I do not think that I have ever seen a working config for crypto processing that used a standard ACL.

HTH

Rick

Hi Rick,

I meant to say just a numbered extended access list vs an IP access list. I used an IP access list when I reconfigured everything. I agree with you and I think after the reboot everything got mapped correctly. I will still try the numbered ACL and see if I can duplicate the issue.

Thanks for the clarification about access lists. A numbered extended access list or a named extended access list should each work ok for a crypto configuration. I encourage you to try both. But I doubt that it will recreate the problem.

HTH

Rick