11-11-2017 06:26 AM - edited 03-12-2019 04:43 AM
I have a site to site vpn configured between an ASA 5516-x and a Cisco 819 router and I am having issues tunneling multiple networks. When I attempt to do this it only establishes the network on the first access list line on the router. I am using object groups on the ASA and regular host statements on the router since object groups are not permitted on crypto maps on the router. Here is an example:
Router
crypto map test 10 ipsec-isakmp
match address 110
access-list 110 permit ip 192.168.1.0 0.0.0.255 host 10.40.0.5
access-list 110 permit ip 192.168.1.0 0.0.0.255 host 10.41.0.5
When I use this I can only access the ip on the first line (10.40.0.5) and not the second one. Am I missing something? The ASA has this:
crypto map outside_map 1 match address outside_cryptomap
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object Remote_Network
object-group network DM_INLINE_NETWORK_2
network-object object Test1
network-object object Test2
object network Test1
host 10.41.0.5
object network Test2
host 10.40.0.5
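Because the crypto ACLs on the two ends have to mirror each other entry for entry, one quick check for a multi-entry setup like the one above is to expand both sides into their (local, remote) proxy-ID pairs and compare them. The script below is an added example, not code from this thread or from Cisco; it parses the router and ASA snippets posted above (the ASA object Remote_Network is an assumed definition, since the post does not show it) and returns any pair that exists on only one side.

```python
import ipaddress
# Constructed from the thread's posted snippets; Remote_Network is an assumed definition.
ROUTER_CFG = """access-list 110 permit ip 192.168.1.0 0.0.0.255 host 10.40.0.5
access-list 110 permit ip 192.168.1.0 0.0.0.255 host 10.41.0.5"""
ASA_CFG = """access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object Remote_Network
object-group network DM_INLINE_NETWORK_2
 network-object object Test1
 network-object object Test2
object network Test1
 host 10.41.0.5
object network Test2
 host 10.40.0.5
object network Remote_Network
 subnet 192.168.1.0 255.255.255.0"""

def parse_spec(tok, objs, wildcard):
    """Consume one address spec from tok; IOS ACLs carry wildcard masks, the ASA subnet masks."""
    kind = tok.pop(0)
    if kind == "host":
        return [ipaddress.IPv4Network(tok.pop(0) + "/32")]
    if kind in ("object", "object-group"):
        return objs.setdefault(tok.pop(0), [])  # shared list, so a forward reference resolves later
    mask = tok.pop(0)
    if wildcard:  # 0.0.0.255 -> 255.255.255.0
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return [ipaddress.IPv4Network((kind, mask), strict=False)]

def parse_asa_objects(cfg):  # object/object-group bodies; a group may reference other objects
    objs, cur = {}, None
    for tok in (line.split() for line in cfg.splitlines()):
        if tok[:2] in (["object", "network"], ["object-group", "network"]):
            cur = objs.setdefault(tok[2], [])
        elif tok and tok[0] in ("host", "subnet", "network-object"):
            cur.append(parse_spec(tok if tok[0] == "host" else tok[1:], objs, False))
    return objs

def flatten(items):  # groups hold nested lists of networks or of other groups
    return [n for it in items for n in (flatten(it) if isinstance(it, list) else [it])]

def crypto_pairs(cfg, acl, wildcard, objs=None):  # expand one crypto ACL into (local, remote) pairs
    objs, pairs = objs or {}, set()
    for tok in (line.split() for line in cfg.splitlines()):
        if tok[:2] == ["access-list", acl] and "permit" in tok:
            tok = tok[tok.index("permit") + 2:]  # drop everything up to and including 'permit ip'
            src, dst = [flatten(parse_spec(tok, objs, wildcard)) for _ in "sd"]
            pairs.update((s, d) for s in src for d in dst)
    return pairs

def mirror_mismatches(router_pairs, asa_pairs):  # router (local, remote) must be ASA (remote, local)
    return router_pairs ^ {(d, s) for s, d in asa_pairs}
```

Run it as `mirror_mismatches(crypto_pairs(ROUTER_CFG, "110", True), crypto_pairs(ASA_CFG, "outside_cryptomap", False, parse_asa_objects(ASA_CFG)))`; an empty set means both crypto ACLs describe the same two proxy IDs, so a tunnel that only comes up for the first entry points at state on the box rather than at the ACLs.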
11-11-2017 06:58 AM
Maybe I need multiple tunnels to accomplish this?
11-11-2017 08:15 AM
You do not need 2 tunnels for this. The crypto ACLs look ok from the config you posted.
Why do you think that multiple entries in the crypto-acl are causing the problem?
Did you try removing the first line of the crypto ACL on both ends and verifying whether 10.41.0.5 is then reachable?
Following commands would be helpful to see:
ASA:
packet-tracer input <interface> icmp 10.41.0.5 8 0 192.168.1.1
packet-tracer input <interface> icmp 10.40.0.5 8 0 192.168.1.1
ASA and router:
show crypto ipsec sa
11-11-2017 09:52 AM
I agree that the partial configs posted so far seem reasonable and do not see obvious issues in them. It would be helpful to know more about the ASA, especially which interfaces connect to the specified hosts and what NAT is configured for each host.
HTH
Rick
11-11-2017 04:03 PM
11-11-2017 06:49 PM
I have this working now but I'm not sure what fixed it. I moved to extended ACLs so that I could easily add and remove the subnets. After this I had to reboot the 819 router and both subnets started tunneling. I tried the clear crypto map sa and then started pings to the remote network without any luck on bringing the tunnel up. After I rebooted the 819 it came up. I'm going to try the standard ACLs again and see if I can get both networks up. Maybe I missed something.
11-12-2017 02:21 PM
I am glad to know that you got it working. Sometimes (especially if we have been making changes, putting something in, then taking it out, moving on to another change) things seem to get out of sync and the observed behavior does not match what is in the config. In those instances sometimes a reboot will clear things up and things start to work. Perhaps this is one of those times.
I am puzzled where you think you might use standard ACL. I do not think that I have ever seen a working config for crypto processing that used standard ACL.
HTH
Rick
11-12-2017 04:27 PM
Hi Rick,
I meant to say just a numbered extended access list vs an ip access list. I used an ip access list when I reconfigured everything. I agree with you and I think after the reboot everything got mapped correctly. I still will try the numbered ACL and see if I can duplicate the issue.
11-13-2017 06:28 AM
Thanks for the clarification about access lists. A numbered extended access list or a named extended access list should each work ok for a crypto configuration. I encourage you to try both. But I doubt that it will recreate the problem.
HTH
Rick