cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2284
Views
0
Helpful
3
Replies

Multiple site to site IPSec tunnels to one ASA5510

William Becker
Level 1
Level 1

Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall. Any help would be appreciated.

3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Your source networks for a L2L VPN connection can be identical for every single L2L VPN you configure. Naturally the destination network cant have overlapping.

Also you can't configure 2 L2L VPN with the same remote VPN peer (But this WASN'Tthe case here obviously)

If you are using object-groups to define the source networks on your side and then using that object-group in the L2L VPN defining the Encryption Domain, I would suggest making each connection their own object-group. This just to avoid some missconfiguration that ends up affecting many things at the sametime (removing addresses/networks accidentaly from the object-group for example)

Easiest way to go about solving the connection problem would be to see the configuration and the VPN parameters you have decided between the remote peer.

Even though configuring a L2L VPN could be the simplest thing, it ends up being really problematic sometimes when admins arent sticking to what have been agreed on or have decided on a monstrous PSK using characters that are easily mistaken with some other character.

EDIT: Wrote originally "can" when I meant "can't"

- Jouni

Couple of things I would like to add, here is how the ASA 5510 in setup in our network:

1 interface 0/0 is going to the ISP which is an ethernet hand off to us

2 interface 0/1 is going to our LAN with the local IP address

3 interface 0/2 is open for future failover

4 interface 0/3 is going to another ISP which is also ethernet hand off.

On interface 0/0 we have outside IP address that point to various servers and is our remote user access and has the existing IPSec VPN Tunnel that is working fine. On interface 0/3 we have outside IP addresses as well and this is the interface that I want to create the new tunnel as well as route internet traffic across because it has the highest bandwidth and I don't want ti to interfer with the remote user and slow their connections down.

From what I am looking at it should work just fine or should I have a router infront of the ISP interfaces??

Hi,

Regarding setting up the new L2L VPN connection..

Should be no problem (to my understanding) to configure the new L2L VPN connection through the other ISP interface (0/3). You will need to atleast route the remote VPN peers IP address towards that link. The L2L VPN forming should add a route for the remote networks through that L2L VPN. If not reverse route injection should handle it in the cryptomap configurations.

I guess rest of the setup depends on what will be using the 0/0 ISP and what will be using the 0/3 ISP.

If you are going to put the default route towards the 0/3 ISP you will have to think of something for the 0/0 ISP if some of your local LAN devices are going to use it for Internet also. (Possible routing problems) On the other hand if you have remote VPN Client users using the 0/0 ISP there should be no routing problem for them as they would be initiating connection through that 0/0 ISP link through ASA so ASA should know where to forward the return traffic.

Most of my 2 ISP setups have been implemented with a router in front of the actual ASA/PIX/FWSM firewalls where the router has performed Policy Routing based on the source IP address from the firewalls and then settings the correct gateway towards the correct ISP.

- Jouni